ASA 5520 supports ASDM management which is GUI based tool. This provides packet tracer tool
where you can define source IP, Destination IP, source Interface, Source Port, and Destination Port. This will help you to identify where exactly problem you have. The problem appears to be in reverse NAT or security policy. This would be more clarified by information shared in document
%PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port
to IP_address/port flags tcp_flags on interface interface_name
This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:
ACK—The acknowledgment number was received.
FIN—Data was sent.
PSH—The receiver passed data to the application.
RST—The connection was reset.
SYN—Sequence numbers were synchronized to start a connection.
URG—The urgent pointer was declared valid.
There are many reasons for static translation to fail on the PIX/ASA. But, a common reason is if the demilitarized zone (DMZ) interface is configured with the same security level (0) as the outside interface.
In order to resolve this issue, assign a different security level to all interfaces
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...