ASA 5510 plus and Port redirect

etayeb_dd
Level 1

Hello,

I am not sure if the thread title is correctly worded, so I will try to explain my problem.

I have an ASA 5510 plus that runs several VPN tunnels from the Outside interface to the Inside interface. These work fine. Now I want to access one server in the Inside trusted network from the Internet via RDP.

I have set up a static NAT rule that translates [my public notebook ip]:11111 to [internal server ip]:3389. Furthermore, I have allowed traffic from [my public notebook ip]:11111 on Outside to [internal server ip]:3389 on Inside via Access Control List.

Yet this does not work. Did I make some sort of logical mistake?

The code:

static (Outside,Inside) tcp [internal server ip] 3389 [my public notebook ip] 11111 netmask 255.255.255.255

access-list Outside_access_in extended permit tcp host [my public notebook ip] host [internal server ip] eq 3389

Best regards,

Eyad Tayeb.



cpembleton
Level 4

Static statement is backwards.

Try this.

static (inside,outside) tcp [my public notebook ip] 11111 [internal server ip] 3389 netmask 255.255.255.255

Please rate if this helps.

Chad

I have changed the NAT expression accordingly. But unfortunately it did not change the situation. I still can not connect. Furthermore, I do not see any syslog messages in the GUI. Do I have to enable some debugging?

Regards,

Eyad Tayeb.

Sorry, just looked at your acl and that was wrong also.

Should be.

access-list Outside_access_in extended permit tcp any host [external server ip] eq 3389

This allows any IP (Internet) to connect to the external IP. The static NAT will then xlate that to the internal IP.

make sure you clear the xlate after making these changes.

Ok, you got me confused.

An external server IP? Do I need that?

What I want to do is:

From a notebook that has a public static IP Address (ipA) I wish to connect to the only public static IP of my ASA (ipB) on port 11111 with RDP. The ASA then should redirect that connection to a single server on my trusted network (ipC) on port 3389.

The public IP of my ASA is the only one I have. To that IP there are also several IPSec VPNs connecting.

And how do I clear "xlate"?

Thanks!

Regards,

Eyad Tayeb.

This is what you had.

static (Outside,Inside) tcp [internal server ip] 3389 [my public notebook ip] 11111 netmask 255.255.255.255

access-list Outside_access_in extended permit tcp host [my public notebook ip] host [internal server ip] eq 3389

In order for this to work it should be:

static (inside,outside) tcp [my public notebook ip] 11111 [internal server ip] 3389 netmask 255.255.255.255

access-list Outside_access_in extended permit tcp any host [my public notebook ip] eq 11111

When traffic from any ip from the Internet hits [my public notebook ip] on port 11111 it will be translated to [internal server ip] on port 3389

"clear xlate" is the command to clear xlate.
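As an added example (not code from this thread or from Cisco), a small Python check for the two mistakes discussed above in pre-8.3 static PAT syntax: a reversed interface pair, and an inbound ACL that names the real (inside) address or port instead of the mapped one. Addresses are constructed documentation values; the regexes assume the simple single-host forms of `static` and `access-list` used in the thread.

```python
import re

# Pre-8.3 ASA syntax as used in the thread (constructed checker, not a Cisco tool):
#   static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\d+)"
    r"\s+netmask\s+\S+$", re.IGNORECASE)
#   access-list NAME extended permit tcp <any|host A> <any|host B> eq <port>
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)\s+eq\s+(?P<port>\d+)$", re.IGNORECASE)

def check_port_forward(static_line, acl_line, inside_if="inside", outside_if="outside"):
    """Return the inconsistencies between a static PAT and its inbound ACL (empty list = consistent)."""
    s = STATIC_RE.match(static_line.strip())
    a = ACL_RE.match(acl_line.strip())
    if not s or not a:
        return ["static or access-list line does not parse"]
    problems = []
    # 1. The real (inside) interface is named first, the mapped (outside) interface second.
    if (s["real_if"].lower(), s["mapped_if"].lower()) != (inside_if, outside_if):
        problems.append(f"static interface order ({s['real_if']},{s['mapped_if']}) is reversed")
    # 2. The ACL applied inbound on outside must match the mapped (global) address, never the real one.
    #    With the "interface" keyword the mapped address is the outside interface IP, which the
    #    checker cannot know, so only the real-address mistake is flagged in that case.
    dst = a["dst"].lower().split()[-1]          # "any" or the host address
    if dst == s["real_ip"].lower():
        problems.append("ACL destination is the real inside address; use the mapped address")
    elif dst != "any" and s["mapped_ip"].lower() != "interface" and dst != s["mapped_ip"].lower():
        problems.append(f"ACL destination {dst} is not the mapped address {s['mapped_ip']}")
    # 3. Port and protocol in the ACL are the mapped ones, not the server's real port.
    if a["port"] != s["mapped_port"]:
        problems.append(f"ACL port {a['port']} differs from mapped port {s['mapped_port']}")
    if a["proto"].lower() != s["proto"].lower():
        problems.append("ACL protocol differs from static protocol")
    return problems

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
ASA_PUBLIC, NOTEBOOK, SERVER = "203.0.113.10", "192.0.2.25", "10.1.1.20"
ORIGINAL_STATIC = f"static (Outside,Inside) tcp {SERVER} 3389 {NOTEBOOK} 11111 netmask 255.255.255.255"
ORIGINAL_ACL = f"access-list Outside_access_in extended permit tcp host {NOTEBOOK} host {SERVER} eq 3389"
FIXED_STATIC = f"static (inside,outside) tcp {ASA_PUBLIC} 11111 {SERVER} 3389 netmask 255.255.255.255"
FIXED_ACL = f"access-list Outside_access_in extended permit tcp any host {ASA_PUBLIC} eq 11111"

if __name__ == "__main__":
    for label, st, acl in [("original", ORIGINAL_STATIC, ORIGINAL_ACL),
                           ("static fixed only", FIXED_STATIC, ORIGINAL_ACL),
                           ("both fixed", FIXED_STATIC, FIXED_ACL)]:
        print(label, "->", check_port_forward(st, acl) or "consistent")
```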

Thanks, but it still does not work.

I have changed the NAT rule and the ACL accordingly.

But still I can not establish an RDP session (the connection to [public ASA IP]:11111 timed out). And I do not see anything in the SYSLOG window in the ASA home tab.

When I e.g. try to connect to the ASA from the same notebook via Telnet, I get an entry in the SYSLOG (Denied by ACL. Correct, I have not allowed telnet), so the traffic reaches the ASA.

Is there any way to debug NAT or the ACL?

Regards,

Eyad Tayeb.

sh xlate to see the translations in the table

sh conn to see current connections.

sh access-list which should give you the hit count for the acl. If you're not seeing hits on the acl then the traffic isn't reaching it.

The traffic does seem to reach the ASA, it just does not translate it.

If I enter [ASA IP]:23 into the RDP client, I get a Deny by ACL message in syslog. If I enter [ASA IP]:11111 into the RDP client, I get nothing!

With sh xlate, I get:

2 in use, 100 most used

PAT Global [public ip of ASA](1129) Local [random IP of internal server](2860)

PAT Global [public ip of my notebook](5000) Local [internal server address](3389)

There are no hits on the rule in Outside_access_in.

can you post your config.

please find attached my config

Regards,

Eyad Tayeb.

ok, now with attachment...

Can you post but instead of removing the ip just X out the 2nd and 3rd octets.

Hi ... may I have a word here !!

by looking at your config you have

static (Inside,Outside) tcp 11111 3389 netmask 255.255.255.255

it should be

static (Inside,Outside) tcp interface 3389 3389 netmask 255.255.255.255

Also .. make sure the access-list applied to the outside interface in the OUTbound direction is not blocking traffic returned by your inside host towards the public client which initiated the RDP session.

I hope it helps .. please rate it if it does !!!

OK, confusion city!!

Again my config, now with Addresses Xed out instead of removing them.
