I have an ASA5505, connected to the WAN on port 0 (called Vlan2) and to my development LAN on port 7 (called Vlan1).
I want to add a DMZ, so I connected the switch and the servers to port 3 and called it Vlan3.
This is my configuration:
interface Vlan1
nameif inside
security-level 100
ip address x.x.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.3.1 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 51
ip address x.x.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 3
!
Also, I added a DYNAMIC NAT rule on the DMZ interface, and a STATIC POLICY NAT rule so that all HTTP and HTTPS connections to x.x.3.3 (the Blog's external IP address) are forwarded to x.x.2.3 (the Blog's internal IP).
I can reach the web site from the outside world, but I cannot reach it from my LAN (Vlan1): ping or ssh to x.x.3.3 does not work, and neither does ping or ssh to the Vlan3 interface x.x.3.1 (the ASA's IP on Vlan3).
IPs:
x.x.1.1 = Vlan1 ASA IP
x.x.1.x/24 = Vlan1 - development LAN
x.x.2.1 = Vlan2 ASA IP
x.x.2.3 = Blog external IP
x.x.3.1 = Vlan3 ASA IP
x.x.3.3 = Blog internal IP
I need to be able to ping from x.x.1.x to x.x.3.x (from my development LAN on Vlan1 to the Vlan3 DMZ LAN).
Version and license:
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.3(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 157 days 18 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is d0d0.fd22.622c, irq 11
1: Ext: Ethernet0/0 : address is d0d0.fd22.6224, irq 255
2: Ext: Ethernet0/1 : address is d0d0.fd22.6225, irq 255
3: Ext: Ethernet0/2 : address is d0d0.fd22.6226, irq 255
4: Ext: Ethernet0/3 : address is d0d0.fd22.6227, irq 255
5: Ext: Ethernet0/4 : address is d0d0.fd22.6228, irq 255
6: Ext: Ethernet0/5 : address is d0d0.fd22.6229, irq 255
7: Ext: Ethernet0/6 : address is d0d0.fd22.622a, irq 255
8: Ext: Ethernet0/7 : address is d0d0.fd22.622b, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
The NAT rules:
access-list dmz_nat_static line 1 extended permit ip host x.x.3.3 any
static (dmz,outside) x.x.2.3 access-list dmz_nat_static tcp 0 0 udp 0
nat (dmz) 1 x.x.3.0 255.255.255.0 tcp 0 0 udp 0
I can see that it is "DMZ Restricted", but can I build a "DMZ-like" solution with the 3 VLANs I have in my license?
Thanks.
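The following is an added example, not part of the original post or the poster's configuration. It sketches, in ASA 8.2 syntax, the three things that usually stand between an inside network and a Base-license "restricted" DMZ: the per-egress-interface translation the 8.2 NAT model requires, the return path for ICMP echo replies from a lower security level, and the fact that the ASA never answers pings sent to a far-side interface address. Addresses follow the interface configuration shown in the post (inside x.x.1.0/24, dmz x.x.2.0/24). Assumed, because the post does not show them: an existing `nat (inside) 1` / `global (outside) 1` pair for the inside network, a constructed inside test host x.x.1.10, a constructed DMZ host x.x.2.10, and the ACL name `dmz_in`.

```cisco
! Added example, not the original poster's configuration. Addresses follow the
! post's interface configuration; "nat (inside) 1", the hosts x.x.1.10 and
! x.x.2.10, and the ACL name dmz_in are assumptions for illustration.

! 1. The Base licence's "DMZ Restricted" only stops the third VLAN from
!    *initiating* traffic toward one named interface, which the post already
!    configures with "no forward interface Vlan1". inside -> dmz connections
!    and their replies are not affected, so the VLAN layout can stay as is.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 51
 ip address x.x.2.1 255.255.255.0

! 2. NAT (8.2 model): once "nat (inside) 1 ..." exists (assumed), the ASA looks
!    for a matching translation on every egress interface. The post has none
!    for dmz, so inside -> dmz packets are dropped ("no translation group
!    found"). An identity static is the usual fix; "global (dmz) 1 interface"
!    would also satisfy the lookup, at the cost of hiding inside addresses.
static (inside,dmz) x.x.1.0 x.x.1.0 netmask 255.255.255.0

! 3. Echo replies travel from dmz (level 51) to inside (level 100). Stateful
!    ICMP inspection lets them back in without opening a permanent ACL hole.
policy-map global_policy
 class inspection_default
  inspect icmp

!    Alternative: permit the replies explicitly. Applying an ACL to the dmz
!    interface replaces the default security-level behaviour, so every flow
!    the DMZ hosts must initiate themselves (for example the blog's own
!    outbound traffic that "nat (dmz) 1" translates) then needs its own permit.
! access-list dmz_in extended permit icmp x.x.2.0 255.255.255.0 x.x.1.0 255.255.255.0 echo-reply
! access-group dmz_in in interface dmz

! 4. Verification. A ping from an inside host to the ASA's dmz address is
!    expected to fail regardless of the above: the ASA only answers ICMP sent
!    to the address of the interface on which the packet arrives. Test against
!    a DMZ host instead, and let packet-tracer name the phase (ACL, NAT,
!    inspection) that drops the flow.
! ciscoasa# packet-tracer input inside icmp x.x.1.10 8 0 x.x.2.10 detailed
! ciscoasa# show xlate
! ciscoasa# show logging | include x.x.1.10
```

The identity static in step 2 is deliberately narrow (inside to dmz only); it does not alter the existing `static (dmz,outside)` for the blog or the `nat (dmz) 1` rule, and it leaves the restricted-DMZ direction (dmz initiating toward inside) blocked as the licence requires.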