Static NAT statement allowed IPS to miss a potential attack?
The reason that the attack ceased when you removed the NAT is probably that no external access is possible any more without that NAT statement.
There are two reasons that you missed the attack on the IPS:
1) To my knowledge there is no signature for failed logins to an RDP service. So the IPS can't act on it.
2) If there had been a signature, the thresholds would have had to be quite tight for an attack that only happens every two minutes. That leads to a higher false-positive rate, or to missed attacks if the thresholds are set higher.
Here it seems that your security is working as you have a second source of input (your log files).
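The threshold trade-off from point 2, applied to log files as the second source of input, as an added example that is not part of the original reply. The log format, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed log: one source failing every 2 minutes, one user mistyping twice."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(30):  # 203.0.113.50: one failed login every two minutes for an hour
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} src=203.0.113.50 event=login_failed")
    for s in (5, 20):  # 198.51.100.7: a legitimate user mistypes a password twice
        ts = start + timedelta(minutes=10, seconds=s)
        lines.append(f"{ts.isoformat()} src=198.51.100.7 event=login_failed")
    return sorted(lines)  # ISO timestamps sort chronologically

def parse(line):
    """Split one constructed log line into (timestamp, source, event)."""
    ts, src, event = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], event.split("=", 1)[1]

def flag_sources(lines, max_failures, window):
    """Return sources with more than max_failures failed logins in any sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        ts, src, event = parse(line)
        if event != "login_failed":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    log = make_sample_log()
    # Burst-style threshold: the two-minute cadence never trips it.
    print("burst rule:", flag_sources(log, 5, timedelta(minutes=1)))
    # Tight threshold: catches the slow source, but also the user who mistyped.
    print("tight rule:", flag_sources(log, 1, timedelta(minutes=5)))
    # Long window over the logs: only the persistent source is flagged.
    print("long-window rule:", flag_sources(log, 10, timedelta(hours=1)))
```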