Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA PAT/Static NAT Translation (What am I missing?)

I know this question has been asked a thousand times, and Ive read maybe 20-30 articles and cisco support forums, but I am still unable to get this thing working. I will even get a prompt to enter my password, but Remote Desktop will hang. Is this an issue with RDP and the ASA or possibly my NAT config? Thanks a ton to anyone who reads this. (Ive passed the ASA exam so this is doubly embarrassing)

Note: I am trying to have port 21 accept the connection for RDP and forward them to this box.

Ive included the config below but here are the meat and taters.

object network obj_rdpsrv

 nat (inside,outside) static interface service tcp 3389 ftp 

access-list 123 extended permit tcp any host eq 3389 

access-group 123 in interface outside


Note - packet tracer is happy with this too using the following parameters - 
packet-tracer input outside tcp 1234 <outside interface IP> 21 detailed

Everyone's tags (1)

Hi malering, Remove this line

Hi malering,


Remove this line.

no nat (inside,outside) static interface service tcp 3389 ftp


Copy this line instead:

nat (inside,outside) static interface service tcp 3389 3389



Rizwan Rafeek


Hi, Can you try the port



Can you try the port-forwarding with a high port numbers? such as 10389 or something else instead of using 21 which is a reserved port for ftp.... and also you have to check the rdp machine that it is accepting the forwarded port number for rdp connections?




CreatePlease login to create content