Cisco Support Community
Community Member

NATing issue in ASA image 9.0

Dear Experts,

I want to configure NATing for the specific Server inside the Secured LAN zone (

That server needs to provide access only through the RDP/3189 port, from only one IP address.

Inside IP address :

NATed IP address :

Firewall Outside IP address :

Outside IP address accessing the server via RDP port =

Port TCP/UDP - 3189

Firewall Details :

Name: "Chassis", DESCR: "ASA 5505 Adaptive Security Appliance"

PID: ASA5505           , VID: V12     , SN: JMX17214138

System image file is "disk0:/asa901-k8.bin"

ASDM version - 7.1(1)52

Configuration applied:

object network CRNCTL
object network CRNCTL_NATed
object network Temp_Admin
object service Remote_Desktop
 service tcp destination eq 3189
 description Remote_Desktop
object service RDP
 service udp destination eq 3189
 description RDP
object-group service TEMP
 description TEMP
 service-object object Remote_Desktop
 service-object object RDP
object network CRNCTL
 nat (inside,outside) static CRNCTL_NATed
access-list outside_access_in extended permit object-group TEMP object Temp_Admin object CRNCTL_NATed
access-group outside_access_in in interface outside

But it's not working.

When I am applying

access-list outside_access_in extended permit ip any any.

Then it's working.

Please help to resolve this issue.               

Super Bronze


There is at least 1 problem, probably 2.

  • You have defined the RDP service's port as TCP/3189 (and UDP/3189). Is the server really listening on port 3189? The default port is TCP/3389.
  • You have allowed the traffic to the NAT IP address. In software levels 8.3 (and above) you will always allow the traffic to the real/local IP address, never to the NAT IP address. This is because of the NAT changes introduced in the new software levels.

So I would suggest the following options, depending on whether the port used above was a typo/mistake or not:

access-list outside_access_in permit tcp object Temp_Admin object CRNCTL eq 3389

access-list outside_access_in permit tcp object Temp_Admin object CRNCTL eq 3189

Hope this helps

Let me know how it goes.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni
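
The ordering described in the reply above, modelled as an added example that is not part of the thread or Cisco's code: the destination is un-translated before the outside ACL is evaluated, so an entry written against the mapped address never matches. All addresses are constructed placeholders (the thread's real values are not shown), port 3389 is assumed, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses; the thread does not show the real ones.
REAL = ip_address("192.168.1.10")     # object CRNCTL (real/inside address)
MAPPED = ip_address("203.0.113.10")   # object CRNCTL_NATed (mapped address)
ADMIN = ip_address("198.51.100.7")    # object Temp_Admin (allowed source)
PORT = 3389                           # assumption: default RDP port

# nat (inside,outside) static: mapped address -> real address
STATIC_NAT = {MAPPED: REAL}

# ACL entries as (protocol, source, destination, port); None = any port.
ACL_TO_MAPPED = [("tcp", str(ADMIN), str(MAPPED), PORT)]   # as in the question
ACL_TO_REAL = [("tcp", str(ADMIN), str(REAL), PORT)]       # as in the reply
ACL_ANY = [("ip", "0.0.0.0/0", "0.0.0.0/0", None)]         # permit ip any any


def acl_permits(acl, src, dst, proto, port):
    """First-match evaluation; falling off the end is the implicit deny."""
    for a_proto, a_src, a_dst, a_port in acl:
        if (a_proto in ("ip", proto)
                and src in ip_network(a_src)
                and dst in ip_network(a_dst)
                and a_port in (None, port)):
            return True
    return False


def inbound(acl, src, dst, proto, port, un_nat_first=True):
    """Return True if a packet arriving on the outside interface is permitted.

    un_nat_first=True models 8.3 and later: the destination is translated
    back to the real address before the ACL check. False models the older
    ordering, where the ACL saw the mapped address.
    """
    real_dst = STATIC_NAT.get(dst, dst)
    checked_dst = real_dst if un_nat_first else dst
    return acl_permits(acl, src, checked_dst, proto, port)


if __name__ == "__main__":
    for name, acl in [("to mapped", ACL_TO_MAPPED), ("to real", ACL_TO_REAL),
                      ("any any", ACL_ANY)]:
        print(name, inbound(acl, ADMIN, MAPPED, "tcp", PORT))
```

The `ACL_ANY` case also shows why `permit ip any any` appeared to fix the problem: it matches every source and port, not just Temp_Admin on the RDP port.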
