Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA5510 problems with NAT & ssh & RDP & ACl's

so we have an inside network (172) and an outside network (11) and we want to install a 5510 in between.

basically, I would want to be able to

#1) ssh into the 5510 from the outside network.

#2) I want outside users to be able to use RDC remote desktop connection from the outside to a couple of devices on the inside.

#3) couple of devices on the inside should be able to print to a networked printer on the outside network.

with these requirements, i set out to configure the 5510.

however, I cannot get anything to work.

no ssh, no telnet, no pings, and certainly no RDP.

my guess is that problems abound with the way my acl's are set.

i'm attaching my sh run.

I took off the ssh from the configs and try to atleast get telnet working, but I was unsuccessful.

anyone have any suggestions, I would be so very thankful and appreciative!

also, is the outside router(gateway). is the IP of 5510 (outside) is the IP of 5510 (inside)

some of the inside devices have IP's starting with and I have static NAT configured so some of the inside devices can access the web and maybe print?

Community Member

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

First off do you really need to limit access from your inside network to your outside network? Second for your internet users you should probably not do static NAT unless you only have 1 or 2 machines using the internet. You will also need to add the command "no nat-control", without this command anything that isnt getting NAT'd will not be allowed to pass the firewall. If you dont want to add it you need to NAT every address to itself for them to pass. That could be your biggest problem.

Please rate if this helps!

Community Member

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

yes, I only have about 5 inside machines that need to access the web and an outside server to dump data. so NAT'ing the 5 devices should be ok.

my biggest concern is my ability to ssh into the firewall and for all outside users to be able to RDC into the inside machines. how do I set those two things up?

Cisco Employee

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

Good point about "no nat-control", thefindjack. Remember that "no nat-control" is the default, though.

NAT control used to be the default in older versions, though, so "nat-control" can show up in the configuration if the device was upgraded from an older version of the software.



Cisco Employee

Re: ASA5510 problems with NAT & ssh & RDP & ACl's


You can't even ping the outside address of the ASA? You should, based on the configuration.

With regards to SSH access to the ASA, you need to explicitly permit SSH access. You do this with the "ssh" command, as in:



ssh outside

You also need to set the telnet password (which is also used for SSH if no AAA config.) via the command "password". You will then SSH in using the username "pix" and that password. You can also use "aaa authentication ssh console " to set up other authentication methods.

The statics for your Windows machines (which you'll access via RDP) look fine.

A potential problem I see is the ACL applied to the inside interface - it's too restrictive. If that is what you need that is okay, of course, but I recommend that you set the logging level to debug ("logging console debug" if you are at the console) and try to connect - you'll see the debugging messages indicating what traffic has been denied.

For the inside host to get out you need to configure NAT if your printers on the outside can't talk to the RFC 1918 address you are currently using on the inside. You can start with a simple NAT configuration. For example:

nat (inside) 1 0 0

global (outside) 1 interface

This will allow your internal hosts to go out using PAT and the outside interface of the ASA.

Hope this helps.

Community Member

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

i consoled into the firewall and tried to ping my gateway router from the 5510's outside interface, i was not able to ping.

Then, I proceeded to ping one of the inside machines using the 5510 inside interface IP, again, I was not able to ping.

regarding ssh, yes, I had it configured as

ssh outside

but this did not work.

i double and triple checked my connections at the back of the 5510.

also, tried all the above via asdm but did not work.

I do remember inserting the no nat control command and then taking it off.....

Also, how can I make my acl's the least restrictive so I can atleast get the ssh/telnet working since the 5510 is in another bldg on my campus

i'm just at a loss of ideas...

Cisco Employee

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

Does "sh int" on the ASA show the interfaces as up/up? And what about "sh int" on the switch the ASA is connected to? If the ASA is directly connected to a router or cable modem, are you using a crossover cable?

You can enable a packet capture and see what is going on. For example:

capture mycapture interface outside

Then try to ping and then run "show capture mycapture" to see what the ASA is seeing.

Nothing will work if you don't have basic IP connectivity first, so you need to fix that before you can move on to configuring SSH, NAT, etc.

Community Member

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

ok. this is way too embarassing.

I had the cables plugged incorrectly into the 5510.

i don't know what to say...

now, ssh from outside works fine.

inside the 5510, all devices can ping the 5510.

how to enable asdm from outside?

when I try to launch the asdm, it gives me an error saying the device manager cannot be launched from the IP address (this is the 5510's outside interface IP).

Community Member

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

ok. I finally got the asdm to work on the outside interface also.

but, i'm still stuck with the core problem of RDC.

i'm able to get to the logon screen of the inside devices but cannot successfully RDC in.

my access list 110 is applied to the ingress of interface outside.

maybe I need an access list on the interface inside also? ingress or egress?

this is my sh run

ASA Version 8.0(3)


hostname Cisco-5510

enable password xxx



interface Ethernet0/0

nameif outside

security-level 0

ip address 11.x.x.100


interface Ethernet0/1

description XYZ Network

nameif inside

security-level 100

ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd xxx

boot system disk0:/asa803-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 110 extended permit tcp any host eq 3389

access-list 110 extended permit tcp any host eq 3389

pager lines 24

logging enable

logging asdm informational

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-603.bin

static (inside,outside) netmask

static (inside,outside) netmask

access-group 110 in interface outside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http outside

http management

no crypto isakmp nat-traversal

telnet timeout 30

ssh outside

ssh inside

ssh timeout 15

: end

Cisco Employee

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

You don't need an ACL applied to the inside interface unless you want to prevent some inside host from going out. This is because traffic from a high security interface (interface inside has a security level of 100) going to a low security interface (interface outside has a security level of 0) is permitted by default. The opposite (from low to high) is not permitted by default, which is why you need an ACL applied to the outside interface.

Anyway, back to the problem at hand - if you get the Windows logon screen things should work just fine. I can't see anything at layer 3 or 4 (on the ASA) that would prevent things from working.

When you say "cannot successfully RDC in", does the RDC window suddenly disappear, or you get some error message there? Can you RDC in successfully from to, for example? Any errors in the Windows event log?

Community Member

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

yeah, the rdp is still an issue.

when I try a RDC from an outside device, I get a screen to enter my credentials. This screen DOES NOT mean that there is a valid IP transport present to the inside machine. I verified this with another machine that was switched off and I still got the credential screen.

anyways, once I enter the credentials (i verified that I had the correct username/passwd), the RDC is still blocked.

I fired up my asdm and enabled logging.

I see one error as shown below

6 Nov 15 2007 11:38:45 302014 Teardown TCP connection 261 for outside: to inside: duration 0:00:30 bytes 0 SYN Timeout

Also, yes, i can successfully RDC from to

Cisco Employee

Re: ASA5510 problems with NAT & ssh & RDP & ACl's

You need to enable the HTTPS server and configure HTTP access:

http server enable

http inside

http 255.255.0 outside

This enables the HTTPS server and then provides access from anywhere on the inside, and only from on the outside.

Then you need to specify the ASDM image, like:

asdm image flash:/asdm-523.bin

(based on the config. you provided you already have this, so you're good to go there.)

CreatePlease to create content