ASA denies the PAT'd IP

Network Engineering Cisco
2021-07-10 09:43:00

The ASA keeps denying TCP to the PAT'd DMZ IP. Can someone take a look at this? I have been using ASDM.

same-security-traffic permit intra-interface  
object network expressway-e  
 host 192.168.5.21  
 description expressway inside  
object network expressway-e-dmz  
 host 10.1.0.21  
 description expressway dmz interface  
object network inside-all  
 subnet 192.168.0.0 255.255.0.0  
object network DMZ  
 subnet 10.1.0.0 255.255.255.0  
 description DMZ Subnet Object  
object network obj-192.168.0.0-01  
 subnet 192.168.0.0 255.255.0.0  
object service udp_3478-3483  
 service udp source range 3478 3483   
object service udp_24000-29999  
 service udp source range 24000 29999   
object service udp_36002-59999  
 service udp source range 36002 59999   
object service tcp_5222  
 service tcp source eq 5222  
object service tcp_8443  
 service tcp source eq 8443   
object service tcp_5061  
 service tcp source eq 5061   
object service udp_5061  
 service udp source eq 5061   
object network Outside-Interface  
 host 74.32.58.14  
object network ASA-DMZ-Interface  
 host 10.1.0.1  
object network DMZ_outside  
 subnet 0.0.0.0 0.0.0.0  
object network expressway-server-Outside  
 host 10.1.0.21  
object-group network obj-192.168.0.0  
 description Inside Vlan1  
 network-object 192.168.0.0 255.255.0.0  
object-group network obj-192.168.1.0  
object-group network obj-192.168.10.0  
 description Network Management subnet  
object-group service DM_INLINE_SERVICE_1  
 service-object icmp     
 service-object icmp time-exceeded  
object-group protocol TCPUDP  
 protocol-object udp  
 protocol-object tcp  
object-group network obj-10.1.0.0  
 network-object DMZ 255.255.255.0  
object-group service tcp-expressway tcp  
 port-object eq 5222  
 port-object eq 8443  
object-group service udp-expressway udp  
 port-object range 23999 30000  
 port-object range 3477 3484  
 port-object range 36001 60000  
 port-object eq 5061  
 port-object eq 5222  
 port-object eq 8443  
access-list inside_access_in remark Permit Ping  
access-list inside_access_in extended permit ip any4 any4   
access-list outside_access_in remark outside_in_acl  
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4   
access-list outside_access_in extended permit udp any4 object expressway-e-dmz object-group udp-expressway   
access-list outside_access_in extended permit tcp any4 object expressway-e-dmz object-group tcp-expressway   
access-list inside_access_in_1 extended permit ip any4 any4   
access-list global_mpc extended permit ip any4 any4   
access-list DMZ_access_in extended permit ip any4 object DMZ   
access-list DMZ_access_in remark Permit/Allow icmp from Inside  
access-list DMZ_access_in extended permit icmp 192.168.2.0 255.255.255.0 object DMZ   
access-list dmz_access_in extended permit ip object DMZ any4   
access-list dmz_access_in extended permit ip object DMZ object inside-all  
access-list global_mpc_1 remark This allowed ping from inside networks to DMZ hosts  
access-list global_mpc_1 extended permit icmp object inside-all 10.1.0.0 255.255.255.0   
access-list global_mpc_2 extended permit icmp object inside-all object ASA-DMZ-Interface   
access-list OutsideToDMZ extended permit tcp any4 host 10.1.0.21 eq 5222   
access-list OutsideToDMZ extended permit tcp any4 host 10.1.0.21 eq 8443   
access-list OutsideToDMZ extended permit tcp any4 host 10.1.0.21 eq 5061   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 gt 3477   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 lt 3484   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 gt 23999   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 lt 30000   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 gt 36001   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 lt 60000   
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 eq 5061   
*remove*
object network inside-all  
 nat (inside,dmz) static 10.1.0.0  
object network DMZ  
 nat (dmz,outside) dynamic interface  
!
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_24000-29999 udp_24000-29999  
nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443  
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_36002-59999 udp_36002-59999  
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service tcp_5222 tcp_5222
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_3478-3483 udp_3478-3483
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service tcp_5061 tcp_5061
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_5061 udp_5061
nat (inside,outside) after-auto source dynamic any interface  
access-group inside_access_in_1 in interface inside control-plane  
access-group inside_access_in in interface inside  
access-group OutsideToDMZ in interface outside  
access-group dmz_access_in in interface dmz  
1 answer
object network DMZ
 nat (dmz,outside) dynamic interface

This statement is part of your problem. You have this "global" NAT taking priority over:

nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443

because you used the keyword "after-auto".

If you issue the command "show nat" (not "show run nat"), you will see the order in which the NAT statements are processed. Because of the after-auto keyword, it has the lowest priority in NAT processing, a "last resort". If you remove that keyword from that particular NAT statement, you should be fine.

It is generally better practice to use the after-auto keyword only on global NAT statements, not on service NATs. That way your "if nothing else matches, use this" statement has the lowest priority.

So I would do the following:

object network DMZ
 no nat (dmz,outside) dynamic interface

nat (dmz,outside) after-auto source dynamic DMZ interface (to make sure it is only the DMZ subnet on that DMZ interface)

or

nat (dmz,outside) after-auto source dynamic any interface (since you have already restricted it to the DMZ interface)

Followed by:

no nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443

nat (dmz,outside) source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443
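The rule-order point made in the answer, as an added example that is not part of the original thread: a small Python model of how the ASA orders its NAT table (section 1 manual NAT, section 2 object NAT, section 3 after-auto manual NAT) and picks the first match for a connection initiated from the DMZ side. The two configuration fragments are the relevant lines from the posted config and from the answer's proposed replacement; the object definitions are reduced to the ones those lines reference, and the section-2 ordering is simplified to static-before-dynamic, then longest prefix. Everything else (the function names, the `winning_rule` helper) is illustration, not ASA code.

```python
"""Model of the ASA NAT table order: section 1 (manual/twice NAT),
section 2 (object/auto NAT), section 3 (after-auto manual NAT)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Objects taken from the posted config, reduced to the ones the rules below use.
# "any" is the ASA keyword, not a user-defined object.
OBJECTS = {
    "DMZ": ipaddress.ip_network("10.1.0.0/24"),
    "expressway-server-Outside": ipaddress.ip_network("10.1.0.21/32"),
    "inside-all": ipaddress.ip_network("192.168.0.0/16"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
SERVICES = {"tcp_8443": ("tcp", 8443), "tcp_5222": ("tcp", 5222)}


@dataclass
class Rule:
    section: int                 # 1, 2 or 3, as listed by "show nat"
    order: int                   # configuration order, breaks ties inside a section
    src_if: str                  # real (ingress) interface
    kind: str                    # "static" or "dynamic"
    real: ipaddress.IPv4Network  # real source addresses the rule applies to
    mapped: str                  # mapped object name or the keyword "interface"
    service: Optional[tuple]     # (proto, real source port) for service-qualified twice NAT
    text: str                    # the original line, for display


def parse_nat(config: str) -> list:
    """Collect nat statements. Object NAT (under 'object network') goes to
    section 2; twice NAT goes to section 1, or to section 3 with after-auto."""
    rules, obj = [], None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            obj = t[2]
            continue
        if t[0] != "nat":
            continue
        src_if = t[1].strip("()").split(",")[0]
        if t[2] in ("static", "dynamic"):                       # object NAT
            rules.append(Rule(2, len(rules), src_if, t[2], OBJECTS[obj], t[3], None, raw.strip()))
            continue
        after = t[2] == "after-auto"
        i = 3 if after else 2                                   # index of the word "source"
        svc = SERVICES[t[t.index("service") + 1]] if "service" in t else None
        rules.append(Rule(3 if after else 1, len(rules), src_if, t[i + 1],
                          OBJECTS[t[i + 2]], t[i + 3], svc, raw.strip()))
    return rules


def lookup(rules, ingress, src_ip, proto, sport) -> Optional[Rule]:
    """First match in table order for a connection initiated from the real side.
    Section 2 is ordered static before dynamic, then longest prefix first;
    sections 1 and 3 keep configuration order."""
    def key(r):
        if r.section == 2:
            return (2, r.kind == "dynamic", -r.real.prefixlen, r.order)
        return (r.section, 0, 0, r.order)
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=key):
        if r.src_if != ingress or ip not in r.real:
            continue
        if r.service and r.service != (proto, sport):
            continue
        return r
    return None


# The poster's ordering: the object NAT for the DMZ subnet sits in section 2 and
# is consulted before every after-auto twice NAT line in section 3.
BEFORE = """
object network DMZ
 nat (dmz,outside) dynamic interface
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service tcp_5222 tcp_5222
nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443
"""

# The answer's ordering: the Expressway lines move to section 1 and the
# catch-all DMZ PAT becomes an after-auto rule in section 3.
AFTER = """
nat (dmz,outside) source static expressway-server-Outside expressway-server-Outside service tcp_5222 tcp_5222
nat (dmz,outside) source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443
nat (dmz,outside) after-auto source dynamic DMZ interface
"""


def winning_rule(config: str, src_ip="10.1.0.21", proto="tcp", sport=5222) -> str:
    """Which line translates a connection the Expressway opens from the DMZ."""
    r = lookup(parse_nat(config), "dmz", src_ip, proto, sport)
    return r.text if r else "NO NAT"


if __name__ == "__main__":
    print("before:", winning_rule(BEFORE))
    print("after: ", winning_rule(AFTER))
    print("other DMZ host after:", winning_rule(AFTER, src_ip="10.1.0.50"))
```

With the posted config the Expressway's 5222 and 8443 connections fall into the interface PAT in section 2 and never reach the identity lines; with the answer's ordering they hit section 1 first, while every other DMZ host (and any other port on the Expressway) still falls through to the after-auto PAT. Compare the model's output with `show nat` on the box, which prints the same three sections. One caveat the answer does not mention: the 8443 line stays `dynamic` in both versions, and a dynamic rule only builds translations for connections started from the real (DMZ) side, so a connection that the outside initiates to port 8443 needs a `static` rule like the 5222 and 5061 lines.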