Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA 5505 won't pass ports through fw/NAT

We're trying to get a remote access setup for someone who needs to have access from offsite. To make things easy we set it up with a virtual machine running Windows 7 and RDP. Because the "other end" isn't our computer and we've had some difficulties with people using the Cisco VPN client successfully, we were just going to set up a machine as a RDP Gateway and forward the port through the firewall (WebVPN might be nice, but the plugins only do RDP through v5.x). I've tried this on 8.4-1 and after reinstalling the latest 8.2, and supposedly the NAT works and there is a firewall rule allowing access from the outside to the RD-GW server on HTTPS, but the ASA is still blocking those packets. I've looked at 4 howtos and followed them, trying from the console and from ADSM (and one trashed the whole setup, probably related to the reinstall of 8.2) - what am I doing wrong?

Thank you!


Result of the command: "show config"

: Saved
: Written by enable_15 at 02:42:50.752 UTC Thu Nov 17 2011
ASA Version 8.4(2)
hostname g(...)

enable password (...) encrypted
passwd (...) encrypted
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
object network obj_any
object network VMP-RA1
host 192.168.0.a
description VMP-RA1 INSIDE
object network VMP-RA1P
host 173.10.b.c
description VMP-RA3 OUTSIDE
object network
host 207.97.d.e
description mail server at CWW
object network VMPDC2
host 192.168.0.f
description Secondary DC/Remote Access Gateway
object network VMPDC2P
host 173.10.g.h
description VMPDC2 public IP
object-group service RDP tcp
description MS RDP service
port-object eq 3389
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access extended permit tcp any object VMPDC2 eq https
access-list outside_access extended permit tcp any object VMP-RA1 object-group RDP inactive
access-list inside_access_in remark DNS
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in remark FTP
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp any any eq hostname
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit object-group TCPUDP any any eq echo
access-list inside_access_in extended permit udp any any eq nameserver
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit tcp any object object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp any any object-group RDP
access-list inside_access_in extended permit ip any any inactive
access-list global_access extended permit tcp any object VMP-RA1 object-group RDP inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network VMP-RA1
nat (inside,outside) static VMP-RA1P
object network VMPDC2
nat (inside,outside) static VMPDC2P service tcp https https
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group global_access global
router rip
route outside 173.10.h.i 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VMP_Users protocol ldap
aaa-server VMP_Users (inside) host 192.168.0.j
server-type microsoft
user-identity default-domain LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca (...)
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
dhcpd address inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Cisco Employee

ASA 5505 won't pass ports through fw/NAT

The first nat rule is actually taking all over the NAT configuration. Try with a more specific one and that is first than the regular PAT.

Try this,

nat (inside,outside) source static VMP-RA1 VMP-RA1P

That will translate RA1 to RA1P, so the outside users should access RAIP to get to the host RA1.

Let me know.


Community Member

ASA 5505 won't pass ports through fw/NAT

I'm worried about getting rid of that first rule, because isn't that the one that allows the other inside users to share the NAT/PAT internet connection for their work (e-mail, web browsing, etc.)?

Community Member

ASA 5505 won't pass ports through fw/NAT

Got it to work - I was messing with the ASDM's "Public Servers" thing and somehow, though I wasn't able to get the direct-to-RDP thing to work, I was able to get the more secure RDP-gateway thing over HTTPS to work.

Still can't figure out exactly what I did differently this time...

Cisco Employee

ASA 5505 won't pass ports through fw/NAT

Hi Scott,

Well, I did not say to remove that line, just to add the one that I put. The problem is that NAT is read from top to bottom, and the first line you have is the one for internet access (Regular PAT) no other NAT is going to take precedense.  The NAT config that I put will be located on the manual NAT section, so it will first hit that one (for that specific host) and then, the rest of the hosts are going to go with the regular PAT.


CreatePlease to create content