I'm running into a problem configuring port address translation / forwarding from outside into the internal network. What I have is an ASA 5510 running on static address xx.xx.xx.38 and everything is working perfectly OK from inside to outside. I also have a few VPN connections spun off of it to remote offices. What I'm trying to do now is to direct smtp and 5900 for VNC into the internal network on spare public IP addresses that I have.
Following are the commands I have added to the config, which in theory should work, but I'm getting policy denied when I do a packet trace:
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq smtp
access-list Outside-in extended permit tcp any host xx.xx.xx.36 eq 5900
static (inside,outside) xx.xx.xx.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside
Looking for any help.
Not too sure what you mean by removing the policy, as we remove the outbound access-list applied to the inside interface, not the NAT/PAT access-list.
Can you please share the latest configuration as well as what exactly was removed?
Please remove this line: access-group inside_access_out out interface inside
Test the connection again, and if it still doesn't work, please share the output of the following:
show access-list Outside-in
prior to the connection test, and test a few connections and grab the output again. Thx.
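
The before-and-after comparison of `show access-list Outside-in` requested in the last reply, as an added example that is not part of the original thread: it parses two captures and reports how far each entry's hit counter moved during the test. The sample output, the 203.0.113.x addresses and the trailing hash values are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample captures (addresses and trailing hashes are placeholders).
BEFORE = """\
access-list Outside-in; 2 elements; name hash: 0x00000000
access-list Outside-in line 1 extended permit tcp any host 203.0.113.37 eq smtp (hitcnt=0) 0x00000001
access-list Outside-in line 2 extended permit tcp any host 203.0.113.36 eq 5900 (hitcnt=0) 0x00000002
"""
AFTER = """\
access-list Outside-in; 2 elements; name hash: 0x00000000
access-list Outside-in line 1 extended permit tcp any host 203.0.113.37 eq smtp (hitcnt=3) 0x00000001
access-list Outside-in line 2 extended permit tcp any host 203.0.113.36 eq 5900 (hitcnt=0) 0x00000002
"""

# One ACE line: "access-list <name> line <n> <rule text> (hitcnt=<count>) <hash>"
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+(?P<rule>.*?)\s+"
    r"\(hitcnt=(?P<hits>\d+)\)"
)

def parse_hitcounts(output):
    """Return {(acl, line_no): (rule_text, hitcnt)} for every ACE line."""
    counts = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # the "N elements" header and blank lines do not match
            counts[(m["acl"], int(m["line"]))] = (m["rule"], int(m["hits"]))
    return counts

def hit_deltas(before, after):
    """List (acl, line_no, rule, delta) sorted by ACL name and line number."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    deltas = []
    for key in sorted(a):
        rule, hits = a[key]
        previous = b.get(key, (rule, 0))[1]  # entry absent before: count from 0
        deltas.append((key[0], key[1], rule, hits - previous))
    return deltas

def unmatched_rules(before, after):
    """Entries whose counter did not move: the test traffic never matched them."""
    return [d for d in hit_deltas(before, after) if d[3] == 0]

if __name__ == "__main__":
    for acl, line, rule, delta in hit_deltas(BEFORE, AFTER):
        print(f"{acl} line {line}: +{delta}  {rule}")
```

An entry whose counter stays at zero after the test connections was never matched by that traffic, so the cause of the deny lies somewhere other than a missing permit for that host and port in this ACL.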