access-list outside_acl permit tcp any interface outside eq 2122
I don't understand
access-group outside_acl in interface outside
My confusion is: reading this last line, you are telling the "access-group outside_acl" to use "interface outside" for all the incoming connections... but the RDP port 3389 and the media port 5001 are working even now without this line?
When you issue access-group outside_acl in interface outside after the access-list outside_acl permit tcp any interface outside eq 2122, you are applying the newly created line in access list outside_acl to the outside interface; if you don't apply it, the outside interface most likely will not allow tcp 2122 towards the natted address.
3389 and 5001 are working because at some point in time the outside_acl access list for those ports was also applied to the outside interface in the same fashion.