inbound access on ASA 5505

bpelino
Level 1

I'm trying to configure external access to several different machines and no matter what I've tried the packet is blocked by the implicit deny rule on the outside interface. I've attached both the nat and access rule screens as well as my running config. Thanks

15 Replies

Farrukh Haroon
VIP Alumni

Please change your static from:

static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255

To:

static (inside,outside) tcp ......

Please rate if helpful.

Regards

Farrukh

I changed the nat to:

static (inside,outside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255

Which seems backwards to me, but I'll try anything at this point. The traffic is still not making it through. For clarification since they're both private addresses, the 10.10.10.3 address is the outside interface of the ASA and the 192.168.100.93 is the machine I'm trying to get to. Thanks.

Brian

Brian

Change static statement to

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

The static statements do indeed seem backwards - one of the PIX/ASA idiosyncrasies.

Jon

Yup, I forgot to mention you have to swap the IPs as well. The static command is like a sandwich :)

static (inside,outside) outside-ip inside-ip

'inside' is the bread :) and the 'outside' is the filling inside it.

Regards

Farrukh

Still the same result, not getting through. I don't put much faith in the packet trace program in the ASDM, but no matter which way I've configured the NAT it always shows the packet as being blocked by the implicit deny on the outside interface. Shouldn't the allow rule right above it fire and allow the packet through?

You need to change your access-list from

access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403

to

access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

Jon

I really appreciate all of the help, I can't believe I'm fighting this so much, I've done it on other boxes, always worked. Anyhow here's the latest running config, at some point I've had all of the suggestions implemented, none have yet got me through. Thanks.

Config looks good. Just to clarify:

You are on a machine on the outside of your ASA and you are trying to access the machine

10.10.10.3 on port 3403

Is the above correct ?

Also you may need to clear your xlate table as you have changed your static translations

"clear xlate"

will clear translations. This will clear all existing connections, so don't run it if there is a lot of other traffic going through your firewall, but it doesn't look like that from your ASDM graphic.

You can specify the exact xlate if needed.

Jon

No, the 10.10.10.3 is the OUTSIDE (Eth0) address of the ASA. The 192.168.100.93 is the machine inside the ASA and I'm trying to connect using 3403.

But you are NATting 192.168.100.93 to 10.10.10.3.

So when you try and connect to the internal machine from outside you need to try and connect to

10.10.10.3 on port 3403.

If you want to be able to connect directly to 192.168.100.93 then we need to change your config again.

Jon

I think originally I was NATting 10.10.10.3 to 192.168.100.93. What I need to do is, if a packet hits 10.10.10.3:3403, it needs to be NATted and passed to 192.168.100.93:3403. I think the config would be:

static (inside,outside) 10.10.10.3 3403 192.168.100.93 3403 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403

access-group outside_access_in in interface outside

That static NAT throws a "global address overlaps with mask" error though. At one point I had the above commands in but with the IPs in the static reversed (192 then 10); that NAT was accepted, but I still couldn't get through. Since it's confusing with two private addresses: the 192 is the machine on the inside and the 10.10.10.3 is the Eth0 interface of the ASA.

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

access-group outside_access_in in interface outside

then

"clear xlate"

Then you need to try and connect to 10.10.10.3 3403 from outside.

Jon

The ACL should have worked as suggested by others.

Try this, which should also work:

no access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

access-list outside_access_in extended permit tcp any interface outside eq 3403

Make sure the server is listening on port 3403.

[edit]

Change the static NAT as Jon suggested and make the correction to the ACL I provided; it does work this way.

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

Jorge Rodriguez

You have a route for the outside interface:

route outside 0.0.0.0 0.0.0.0 10.10.10.3 1

Configure a route for your inside interface also.

Regards

Muksip
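The configuration the thread converges on, pulled together here as an added example (it is not one of the posters' configs), with the CLI check a practitioner would run rather than trusting the ASDM packet tracer. The pre-8.3 syntax matches the page. The source address 203.0.113.10 and port 40000 in the packet-tracer line, the object name srv-3403 in the 8.3+ section, and the upstream-gateway placeholder in the route are assumptions for illustration only.

```cisco
! ---- ASA 8.2 and earlier (the syntax used throughout this thread) ----

! Static PAT: TCP/3403 arriving on the outside interface address is
! translated to the inside host 192.168.100.93:3403. "interface" stands
! for the outside address (10.10.10.3 on this ASA) and survives a change
! of that address.
static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

! On pre-8.3 code the inbound ACL is checked against the packet as it
! arrives, i.e. BEFORE un-translation, so it must match the global
! (outside) address, never the real inside address 192.168.100.93.
access-list outside_access_in extended permit tcp any interface outside eq 3403
access-group outside_access_in in interface outside

! Translations built under an earlier static stay in the xlate table;
! flush them so the new static takes effect (drops all current connections).
clear xlate

! Simulate an inbound SYN from the CLI. Source 203.0.113.10:40000 is an
! assumed test host. Every phase, including ACCESS-LIST and NAT, should
! report ALLOW and the final result should be "allow".
packet-tracer input outside tcp 203.0.113.10 40000 10.10.10.3 3403

! Default route: the next hop must be the upstream router on the outside
! segment, not the ASA's own outside address. <upstream-gateway> is a
! placeholder; substitute the real gateway.
route outside 0.0.0.0 0.0.0.0 <upstream-gateway> 1

! ---- ASA 8.3 and later (equivalent, for reference; not on the page) ----
! NAT moved to object NAT and the inbound ACL now matches the REAL
! (inside) address, the opposite of the pre-8.3 rule above.
object network srv-3403
 host 192.168.100.93
 nat (inside,outside) static interface service tcp 3403 3403
access-list outside_access_in extended permit tcp any object srv-3403 eq 3403
access-group outside_access_in in interface outside
```

Two checks worth making before touching the NAT again: `show xlate` should list the port translation, and `show access-list outside_access_in` should show the permit line's hit counter increasing when the packet-tracer or a real client connects; if the counter stays at zero while the implicit deny fires, the ACL is matching the wrong address for the software version in use. The route line in the thread (`route outside 0.0.0.0 0.0.0.0 10.10.10.3 1`) points at the ASA's own outside interface, so even a correctly translated and permitted SYN would get no reply path; the next hop has to be the router beyond the ASA.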
