ASA - Port Forwarding from Outside to DMZ not working

Unanswered Question
Sep 7th, 2010


I am facing some problem accessing one server in the DMZ from outside. Please see the attached file for the config.

I am using a public IP BBB.CCC.58.214 to access the server. Currently, for testing purposes, I am trying to RDP to this particular server. I have done all the necessary config to make this work, but due to some unknown issues it is not working. Even the access-list hit count for this particular IP is 0.

Need experts' comments.


Jennifer Halim Tue, 09/07/2010 - 04:40
User Badges:
  • Cisco Employee,

If the ACL hitcount is 0 that means that the traffic is not even coming into the ASA firewall.

I would suggest that you perform a "clear arp" on the next hop router, and/or reload the router, and also make sure that no other device is using the public IP address of BBB.CCC.58.214.

If you have access to the next hop router, please make sure that the ARP entry for BBB.CCC.58.214 points towards the ASA outside interface MAC address.

Hope that helps.

Nagaraja Thanthry Tue, 09/07/2010 - 04:42
User Badges:
  • Cisco Employee,


If the access-list hit is "0", most likely it is an ISP issue. Please check with the ISP to make sure that the upstream router has proper ARP entry (your outside interface MAC for that IP) and also that they are forwarding all packets for that IP to your ASA.



faizal_vi Tue, 09/07/2010 - 09:46


While working on this problem I made a change in the above config as below. This was done for testing.

Instead of the static NAT:

static (dmz,outside) tcp BBB.CCC.58.214 3389 3389 netmask

I made a change like

static (dmz,outside) BBB.CCC.58.214 netmask

At this time ping was working. Will ISP issues make ping work?


bknoblau Tue, 09/07/2010 - 10:25


Ping started working because the previous static statement only permitted port 3389 traffic through. The more general static statement allows the translation to occur on all ports, including ICMP. What the successful pings do show is that the translation is functioning correctly on the ASA. Most likely, the RDP packets are either being dropped before the firewall or the DMZ server isn't responding properly to the requests. To find out exactly what is going on, place a packet capture on the ASA. This will show you exactly where the RDP packets are being dropped or if they are making it to the firewall at all.

To configure the packet captures on the ASA:

access-list capture permit tcp any host BBB.CCC.58.214 eq 3389

access-list capture permit tcp host BBB.CCC.58.214 eq 3389 any

access-list capture permit tcp any host eq 3389

access-list capture permit tcp host eq 3389 any

capture out access-list capture interface outside

capture dmz access-list capture interface dmz

To view the captures:

show capture out

show capture dmz
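
Added example, not part of the original thread: a small Python triage of the two captures, showing how the presence or absence of the RDP SYN and SYN-ACK on each interface maps to the causes discussed above. The tcpdump-style line format, the sample packets, and the addresses (203.0.113.214 for the public IP, 10.0.0.10 for the DMZ server) are assumptions constructed for illustration.

```python
import re

# Constructed samples in the style of ASA "show capture" output. 203.0.113.214
# stands in for the public IP and 10.0.0.10 for the DMZ server (both assumed).
OUT_CAP = """\
   1: 10:12:01.100000 198.51.100.7.51234 > 203.0.113.214.3389: S 1000:1000(0) win 8192 <mss 1460>
   2: 10:12:04.100000 198.51.100.7.51234 > 203.0.113.214.3389: S 1000:1000(0) win 8192 <mss 1460>
"""
DMZ_CAP = """\
   1: 10:12:01.100100 198.51.100.7.51234 > 10.0.0.10.3389: S 1000:1000(0) win 8192 <mss 1460>
"""

PKT = re.compile(
    r"^\s*\d+:\s+\S+\s+\d+(?:\.\d+){3}\.(?P<sport>\d+)\s+>\s+"
    r"\d+(?:\.\d+){3}\.(?P<dport>\d+):\s+(?P<flags>[SFRPU.]+)\s*(?P<rest>.*)$"
)

def handshake(capture_text, port=3389):
    """Return (saw_syn, saw_synack) for TCP connections to `port`."""
    syn = synack = False
    for line in capture_text.splitlines():
        m = PKT.match(line)
        if not m or "S" not in m["flags"]:
            continue  # not a packet line, or not part of the handshake
        has_ack = re.search(r"\back\b", m["rest"]) is not None
        if int(m["dport"]) == port and not has_ack:
            syn = True        # client -> server SYN
        elif int(m["sport"]) == port and has_ack:
            synack = True     # server -> client SYN-ACK
    return syn, synack

def triage(out_text, dmz_text, port=3389):
    """Locate where the connection dies, following the thread's reasoning."""
    out_syn, out_synack = handshake(out_text, port)
    dmz_syn, dmz_synack = handshake(dmz_text, port)
    if not out_syn:
        return "not-reaching-asa"    # upstream ARP/routing, as with a 0 ACL hit count
    if not dmz_syn:
        return "dropped-by-asa"      # static/ACL on the firewall
    if not dmz_synack:
        return "server-silent"       # DMZ host not answering on the port
    if not out_synack:
        return "reply-lost-at-asa"   # reply seen on dmz but not back on outside
    return "handshake-ok"

if __name__ == "__main__":
    print(triage(OUT_CAP, DMZ_CAP))
```

With the constructed samples the SYN appears on both interfaces but no SYN-ACK comes back, so the result points at the DMZ server rather than the firewall or the ISP.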



