Screen OS

  • 1.  Problems with dynamic (DHCP) untrusted with DMZ on NetScreen 50 (ScreenOS 5.4)

    Posted 02-22-2010 18:46

    So I've moved my office to a new location, and as a cost-saving measure I now have a single dynamic public IP address assigned via DHCP. This is no problem when setting up the Untrusted and Trusted zones (trusted set to NAT). However, nothing I do seems to enable the DMZ zone to access the internet. Computers in that zone can ping the router, but nothing past it. My understanding is that the normal setup would be to have all zones set to route and then to define a route for 0.0.0.0 to the external router at my ISP. However, since I have a dynamic external IP address I don't see that I can do this.

     

    Note that I don't really need the world to be able to access the DMZ (and if I do I'll tackle the mapping of the services when the time comes). It's just a place where I put computer systems that are more likely to get viruses, etc. (a public terminal, for example).

     

    Anyone have any ideas?



  • 2.  RE: Problems with dynamic (DHCP) untrusted with DMZ on NetScreen 50 (ScreenOS 5.4)
    Best Answer

    Posted 02-23-2010 04:22

    You can only use interface NAT in one place.  So for the DMZ to access the internet you need to enable NAT on the policy that allows the internet access.

     

    Web interface: 

    edit the dmz to untrust policy

    Advanced settings

    check off source NAT

     

    CLI (where 2 is the number of your policy):

    set policy id 2 from "dmz" to "Untrust"  "Any" "Any" "ANY" nat src permit

     

    Also, you don't have to use interface NAT with a dynamic address (at least in 6; I'm assuming this is the same). The DHCP interface function takes care of the default route. I have all my NAT in policies even at the site with a dynamic IP.
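
    The following is an added, end-to-end ScreenOS configuration for the scenario in this thread (DHCP on Untrust, Trust in interface NAT mode, DMZ in route mode with source NAT on the DMZ-to-Untrust policy). It is not the answerer's own configuration; the interface names (ethernet1/2/3), the private address ranges, and the policy IDs are assumptions chosen for illustration, and the lines starting with `#` are annotations rather than CLI commands. It deliberately adds no DMZ-to-Trust policy, so hosts in the DMZ reach the internet but not the office LAN, which is the isolation the original poster wants; confirm with `get policy` that no such policy exists from an earlier configuration.

```console
# --- Trust: LAN side, interface NAT (the one place interface NAT is used)
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat

# --- DMZ: route mode; NAT for this zone is done per policy, not per interface
set interface ethernet2 zone dmz
set interface ethernet2 ip 192.168.2.1/24
set interface ethernet2 route

# --- Untrust: public IP is dynamic, so let the DHCP client install the
#     default route instead of hard-coding "set route 0.0.0.0/0 ..."
set interface ethernet3 zone untrust
set interface ethernet3 dhcp client enable
set interface ethernet3 dhcp client settings autoconfig

# --- Policies: Trust already translates on the interface, so its policy
#     is a plain permit; DMZ needs "nat src" on the policy itself.
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit
# (no DMZ -> Trust policy on purpose: inter-zone traffic without a
#  matching policy is dropped, keeping the public terminals off the LAN)

save

# --- Verification
get interface ethernet3        # shows the DHCP-assigned address
get route                      # expect a 0.0.0.0/0 entry via ethernet3
get policy id 2                # expect "nat src" in the policy detail
get policy                     # confirm nothing is listed from DMZ to Trust
get session                    # DMZ sessions should show the Untrust IP as source
```

    If `get route` shows no default route after the interface obtains a lease, the DHCP client is up but not installing the gateway; the `autoconfig` setting above is what ties the two together.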



  • 3.  RE: Problems with dynamic (DHCP) untrusted with DMZ on NetScreen 50 (ScreenOS 5.4)

    Posted 02-23-2010 09:07

    To be clear, you're talking about enabling NAT Source Translation on the DMZ to Untrusted policy?



  • 4.  RE: Problems with dynamic (DHCP) untrusted with DMZ on NetScreen 50 (ScreenOS 5.4)

    Posted 02-23-2010 10:22

    Yup, that's all it took. Thanks a bunch.