! Interface roles and trust levels for the three firewall zones.
! On the ASA, connections from a higher security-level to a lower one are
! allowed by default; the reverse direction needs an explicit ACL.
!
! outside: Internet-facing interface, least trusted (security-level 0).
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.201.2 255.255.255.224
!
! inside: internal LAN 192.168.101.0/24, most trusted (security-level 100).
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.101.254 255.255.255.0
!
! DMZ: 172.16.101.0/24, the segment of the published web server (172.16.101.3).
! Level 50 sits between outside and inside, so DMZ hosts cannot open
! connections toward inside unless an ACL permits it.
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 172.16.101.254 255.255.255.0
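! NAT configuration that lets internal hosts go out to the Internet.
! Both subnets use dynamic PAT to the address of the outside interface.
! Dynamic PAT only covers connections initiated from inside/DMZ; it does not
! publish any internal host to the Internet.
object network inside-subnet
subnet 192.168.101.0 255.255.255.0
nat (inside,outside) dynamic interface
!
! The interface was named "DMZ" above; ASA interface names are not
! case-sensitive, so (dmz,outside) refers to that same interface.
object network dmz-subnet
subnet 172.16.101.0 255.255.255.0
nat (dmz,outside) dynamic interface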
! NAT configuration to reach the web server from the Internet.
! webserver-external-ip is the public (mapped) address; webserver is the real
! DMZ address.
object network webserver-external-ip
host 209.165.201.30
!
! Static port translation: only TCP/80 (www) on 209.165.201.30 is mapped to
! TCP/80 on 172.16.101.3. No other port of the server is published by this rule.
object network webserver
host 172.16.101.3
nat (dmz,outside) static webserver-external-ip service tcp www www
! ACL configuration.
! The rule references the real address through "object webserver"
! (172.16.101.3), not the mapped 209.165.201.30: with this object-NAT syntax
! the ASA evaluates the interface ACL against the untranslated destination.
! Only TCP/80 to the web server is permitted from any source; everything else
! arriving on outside falls through to the implicit deny at the end of the ACL.
! NOTE(review): www is cleartext HTTP - confirm that no credentials or
! sensitive data are served over it.
access-list outside_acl extended permit tcp any object webserver eq www
! Bind the ACL to traffic entering the outside interface.
access-group outside_acl in interface outside
! Tests with the ASA packet-tracer. These are exec-mode verification commands,
! not configuration lines.
! 1) Inside host 192.168.101.4 to an Internet host on TCP/80: exercises the
!    outbound dynamic PAT rule.
packet-tracer input inside tcp 192.168.101.4 12345 209.165.202.130 80
! 2) Internet host to the server's public address 209.165.201.30 on TCP/80:
!    exercises the static NAT rule and outside_acl.
! NOTE(review): a trace to 209.165.201.30 on a port other than 80 would
! confirm that unpublished ports are dropped.
packet-tracer input outside tcp 209.165.202.130 12345 209.165.201.30 80