Problema DMZ ASA5505 [chiuso]

Ho ASA5505, connesso alla WAN sulla porta 0 (chiamata Vlan2) e connesso alla mia LAN di sviluppo sulla porta 7 (Chiamato Vlan1).

Voglio aggiungere DMZ e ho collegato switch e server alla porta 3 e l'ho chiamato Vlan3.

questa è la mia impostazione:

interface Vlan1  
 nameif inside  
 security-level 100
 ip address x.x.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.3.1 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 51
 ip address x.x.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 3
!

Inoltre, ho aggiunto la regola NAT DYNAMIC all'interfaccia DMZ e la regola NAT POLICY STATICA in modo che tutte le connessioni HTTP e HTTPS per xx3.3 (l'indirizzo IP esterno del blog) vengano inoltrate a xx2.3 (Blog IP interno).

Posso collegarmi al sito web fuori dal mondo, ma non riesco a connettermi dalla mia LAN (Vlan1) - ping o ssh a xx3.3 non è disponibile, e anche ping o ssh all'interfaccia Vlan3 xx3.1 (il ASA ip su Vlan3).

IPS: x.x.1.1 = Vlan1 ASA ip
x.x.1.x / 24 = Vlan1 - Sviluppo LAN
x.x.2.1 = Vlan2 ASA ip
x.x.2.3 = Blog IP esterno del blog x.x.3.1 = Vlan3 ASA ip
x.x.3.3 = Blog ip interno Devo essere in grado di eseguire il ping da x.x.1.x a x.x.3.x (dalla mia LAN di sviluppo Vlan1 alla LAN DML Vlan3)

Versione e Lic:

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.3(1)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 157 days 18 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is d0d0.fd22.622c, irq 11
 1: Ext: Ethernet0/0         : address is d0d0.fd22.6224, irq 255
 2: Ext: Ethernet0/1         : address is d0d0.fd22.6225, irq 255
 3: Ext: Ethernet0/2         : address is d0d0.fd22.6226, irq 255
 4: Ext: Ethernet0/3         : address is d0d0.fd22.6227, irq 255
 5: Ext: Ethernet0/4         : address is d0d0.fd22.6228, irq 255
 6: Ext: Ethernet0/5         : address is d0d0.fd22.6229, irq 255
 7: Ext: Ethernet0/6         : address is d0d0.fd22.622a, irq 255
 8: Ext: Ethernet0/7         : address is d0d0.fd22.622b, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Le regole NAT:

access-list dmz_nat_static line 1 extended permit ip host x.x.3.3 any 
static (dmz,outside)  x.x.2.3 access-list dmz_nat_static tcp 0 0 udp 0
nat (dmz) 1 x.x.3.0 255.255.255.0  tcp 0 0 udp 0 

Vedo che è limitato da DMZ, ma posso creare una soluzione "simile a DMZ" con le 3 Vlans che ho nella mia licenza?

Grazie.