topic Okay, the other way is to in Network Security

ASA 5580 port forwarding problem

gasparmenendez — Tue, 12 Mar 2019 09:17:36 GMT

Hi folks,

I've been trying to access to the Remote Desktop of a PC in my LAN (behind the ASA) but no luck so far. Inside the LAN I can access to the RD without problem, the problem is from internet (public IP address). I'm configuring ASA through ASDM but here are some lines related to the access from outside:

object network 170.X.X.3
host 170.X.X.3

object network Prueba-10.227.225.210
host 10.227.225.210
object network 10.227.225.210
host 10.227.225.210

access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit tcp any object 170.X.X.3 eq 13389

object network Prueba-10.227.225.210
nat (CARRIERS,OUTSIDE) static 170.X.X.3 service tcp 3389 13389

From internet (Linux PC) I type: rdesktop 170.X.X.3:13389 but nothing happens....Can anybody helpme please??? Thanks in advance.

BR.

Your acl should refer to the

Jon Marshall — Fri, 28 Apr 2017 19:24:54 GMT

Your acl should refer to the real IP ie. 10.227.225.10 so can you modify your acl and try again.

Jon

changed for:

gasparmenendez — Fri, 28 Apr 2017 20:44:26 GMT

changed for:

access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.210 eq 13389

but the same, nothing happened...

anyway I think the acl should refer to the public IP because is applied in the OUTSIDE interface....right???

any more ideas??

P.S: forgot to mention that PC in the LAN is behind a Router Cisco 1841 but I have redirected the port to the PC, here is the important of 1841:

interface FastEthernet0/0
ip address 10.227.225.210 255.255.252.0

interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0

ip nat inside source static tcp 192.168.1.51 3389 interface FastEthernet0/0 3389

With 8.3 code onwards the acl

Jon Marshall — Fri, 28 Apr 2017 20:54:28 GMT

With 8.3 code onwards the acl should use the real IP.

Have you run a packet tracer on the ASA to see where it is failing (assuming it is failing on the ASA).

Jon

my ASA is 8.4(5) but I think

gasparmenendez — Fri, 28 Apr 2017 21:03:40 GMT

my ASA is 8.4(5) but I think is the same that 8.3...

sorry for ask but what would be the packet tracer command??

It is a command that allows

Jon Marshall — Fri, 28 Apr 2017 21:08:22 GMT

It is a command that allows you to simulate a packet being sent through the ASA.

Run this command and post the result -

"packet-tracer input outside tcp 3.3.3.3 12345 170.x.x.3 13389"

Jon

here's the result:

gasparmenendez — Fri, 28 Apr 2017 21:14:45 GMT

here's the result:

ASA5580# packet-tracer input outside tcp 3.3.3.3 12345 170.X.X.3 13389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 170.X.X.0 255.255.255.240 OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Did you leave the acl

Jon Marshall — Fri, 28 Apr 2017 21:17:23 GMT

Did you leave the acl referencing the real IP ?

If so can you post a "sh nat"

Jon

I let the one you told me,

gasparmenendez — Fri, 28 Apr 2017 21:25:39 GMT

I let the one you told me, here's the sh nat:

ASA5580# sh nat
Manual NAT Policies (Section 1)
1 (CMTS) to (OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
    translate_hits = 0, untranslate_hits = 0
2 (CMTS) to (OUTSIDE) source dynamic 10.27.0.0 170.X.X.17
    translate_hits = 47851778, untranslate_hits = 15151388
3 (CMTS) to (OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
    translate_hits = 8256808, untranslate_hits = 3494235
4 (CMTS) to (OUTSIDE) source dynamic 10.9.0.0 170.X.X.9
    translate_hits = 0, untranslate_hits = 0
5 (CMTS) to (OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
    translate_hits = 54942446, untranslate_hits = 19970221
6 (CMTS) to (OUTSIDE) source dynamic 10.11.0.0 170.X.X.11
    translate_hits = 0, untranslate_hits = 0
7 (CMTS) to (OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
    translate_hits = 38187414, untranslate_hits = 9971950
8 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
    translate_hits = 8550911, untranslate_hits = 2721063
9 (CMTS) to (OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
    translate_hits = 13188096, untranslate_hits = 5397774
10 (CMTS) to (OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
    translate_hits = 30375943, untranslate_hits = 12193290
11 (CMTS) to (OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
    translate_hits = 10078767, untranslate_hits = 4322498
12 (CMTS) to (OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
    translate_hits = 3769501, untranslate_hits = 1460400
13 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.28
    translate_hits = 43901686, untranslate_hits = 14100249
14 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
    translate_hits = 0, untranslate_hits = 0
15 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.19
    translate_hits = 0, untranslate_hits = 0
16 (CMTS) to (OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
    translate_hits = 37849891, untranslate_hits = 12194900
17 (CMTS) to (OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
    translate_hits = 60001, untranslate_hits = 22381
18 (CARRIERS) to (OUTSIDE) source dynamic any 170.X.X.3
    translate_hits = 87438, untranslate_hits = 2238

Auto NAT Policies (Section 2)
1 (CARRIERS) to (OUTSIDE) source static Prueba-10.227.225.210 170.X.X.3   service tcp 3389 13389
    translate_hits = 0, untranslate_hits = 0

You can see your NAT

Jon Marshall — Fri, 28 Apr 2017 21:38:31 GMT

You can see your NAT statement has no hits and that is because it is hitting rule 18 above it.

So ideally we need to move that rule ie.

"no nat (CARRIERS,OUTSIDE) source dynamic any interface"

and then add this -

"nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface"

however it depends if there are currently users accessing the internet via the CARRIERS interface, so can you change it now, and if you can't we can try something else.

Jon

I have only one client

gasparmenendez — Fri, 28 Apr 2017 21:50:16 GMT

I have only one client accessing to the internet via CARRIERS interface...my question is: if we move the rule as you say, the client lose internet access for how much time???

If they lose access at all it

Jon Marshall — Fri, 28 Apr 2017 21:54:41 GMT

If they lose access at all it should simply be as long as it takes you to move the rule.

Jon

maybe is better to wait for

gasparmenendez — Fri, 28 Apr 2017 22:00:49 GMT

maybe is better to wait for the client leave his office...I'll be pending and get back to you...

Thanks!!!

Okay, the other way is to

Jon Marshall — Fri, 28 Apr 2017 22:17:31 GMT

Okay, the other way is to move your NAT rule before rule 18 in the first section and you can do this without affecting the current user(s).

So try this -

"nat (CARRIERS,OUTSIDE) line 18 source static Prueba-10.227.225.210 170.x.x.3 tcp 3389 13889"

then run a "sh nat" to make sure that rule is before the current rule 18, then retest.

If it still doesn't work can you run the packet tracer again and post results.

Jon

Hi Jon, sorry for the delay..

gasparmenendez — Sat, 29 Apr 2017 03:39:24 GMT

Hi Jon, sorry for the delay...

the NAT rules stayed like this:

!
object network Prueba-10.227.225.210
nat (CARRIERS,OUTSIDE) static 170.X.X.3 service tcp 3389 13389
!
nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS

but still didn´t work...

sh nat:

ASA5580# sh nat
Manual NAT Policies (Section 1)
1 (CMTS) to (OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
translate_hits = 0, untranslate_hits = 0
2 (CMTS) to (OUTSIDE) source dynamic 10.27.0.0 170.X.X.17
translate_hits = 49751334, untranslate_hits = 15740716
3 (CMTS) to (OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
translate_hits = 8256808, untranslate_hits = 3494235
4 (CMTS) to (OUTSIDE) source dynamic 10.9.0.0 170.X.X.9
translate_hits = 0, untranslate_hits = 0
5 (CMTS) to (OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
translate_hits = 57055449, untranslate_hits = 20689126
6 (CMTS) to (OUTSIDE) source dynamic 10.11.0.0 170.X.X.11
translate_hits = 0, untranslate_hits = 0
7 (CMTS) to (OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
translate_hits = 39376285, untranslate_hits = 10284317
8 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
translate_hits = 8913774, untranslate_hits = 2845519
9 (CMTS) to (OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
translate_hits = 13655111, untranslate_hits = 5515360
10 (CMTS) to (OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
translate_hits = 31540644, untranslate_hits = 12565071
11 (CMTS) to (OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
translate_hits = 10442663, untranslate_hits = 4446410
12 (CMTS) to (OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
translate_hits = 3940024, untranslate_hits = 1511366
13 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.28
translate_hits = 45668378, untranslate_hits = 14714553
14 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
translate_hits = 0, untranslate_hits = 0
15 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.19
translate_hits = 0, untranslate_hits = 0
16 (CMTS) to (OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
translate_hits = 39816979, untranslate_hits = 12897500
17 (CMTS) to (OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
translate_hits = 68919, untranslate_hits = 27873

Auto NAT Policies (Section 2)
1 (CARRIERS) to (OUTSIDE) source static Prueba-10.227.225.210 170.X.X.3 service tcp 3389 13389
translate_hits = 0, untranslate_hits = 17

Manual NAT Policies (Section 3)
1 (CARRIERS) to (OUTSIDE) source dynamic any interface
translate_hits = 16607, untranslate_hits = 766
ASA5580#

You are getting hits now on

Jon Marshall — Sat, 29 Apr 2017 10:42:56 GMT

You are getting hits now on your NAT though so something else is now the problem.

Can you run packet tracer again and it should show something different this time.

Jon

here's packet tracer:

gasparmenendez — Sat, 29 Apr 2017 15:27:05 GMT

here's packet tracer:

ASA5580# packet-tracer input outside tcp 3.3.3.3 12345 170.X.X.3 13389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Prueba-10.227.225.210
nat (CARRIERS,OUTSIDE) static 170.X.X.3 service tcp 3389 13389
Additional Information:
NAT divert to egress interface CARRIERS
Untranslate 170.X.X.3/13389 to 10.227.225.210/3389

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: CARRIERS
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Well the NAT is now working

Jon Marshall — Sat, 29 Apr 2017 16:28:57 GMT

Well the NAT is now working but it is still getting dropped.

Can you just post the configuration of the ASA ?

Jon

whole configuration:

gasparmenendez — Sat, 29 Apr 2017 16:37:58 GMT

whole configuration:

ASA5580# sh run
ASA5580# sh running-config
: Saved
:
ASA Version 8.4(5)
!
hostname ASA5580
enable password TFyi2xrsdagfdsgfdsgfd encrypted
passwd 2KFQnbNIdI.2sdaga encrypted
names
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.0.44 255.255.255.0
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/1
nameif CMTS
security-level 50
ip address 192.168.61.9 255.255.255.0
!
interface GigabitEthernet3/2
nameif CARRIERS
security-level 30
ip address 10.227.224.3 255.255.252.0
!
interface GigabitEthernet3/3
nameif CMTS1
security-level 40
ip address 192.168.62.254 255.255.255.0
!
interface TenGigabitEthernet5/0
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet5/1
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet7/0
nameif OUTSIDE
security-level 0
ip address 170.X.X.2 255.255.255.240
!
interface TenGigabitEthernet7/1
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network 10.19.0.0
subnet 10.19.0.0 255.255.0.0
object network 170.X.X.3
host 170.X.X.3
object network 170.X.X.4
host 170.X.X.4
object network 170.X.X.5
host 170.X.X.5
object network 170.X.X.6
host 170.X.X.6
object network 170.X.X.7
host 170.X.X.7
object network 170.X.X.8
host 170.X.X.8
object network 170.X.X.9
host 170.X.X.9
object network 170.X.X.10
host 170.X.X.10
object network 170.X.X.11
host 170.X.X.11
object network 170.X.X.12
host 170.X.X.12
object network 170.X.X.13
host 170.X.X.13
object network 170.X.X.14
host 170.X.X.14
object network 10.27.0.0
subnet 10.27.0.0 255.255.0.0
object network 10.25.0.0
subnet 10.25.0.0 255.255.0.0
object network 10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network 10.39.0.0
subnet 10.39.0.0 255.255.0.0
object network 10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network 10.35.0.0
subnet 10.35.0.0 255.255.0.0
object network 10.33.0.0
subnet 10.33.0.0 255.255.0.0
object network 10.13.0.0
subnet 10.13.0.0 255.255.0.0
object network 10.17.0.0
subnet 10.17.0.0 255.255.0.0
object network 10.37.0.0
subnet 10.37.0.0 255.255.0.0
object network Pool_CMTS
range 170.X.X.32 170.X.X.47
object network 10.41.0.0
subnet 10.41.0.0 255.255.0.0
object network 10.45.0.0
subnet 10.45.0.0 255.255.0.0
object network 170.X.X.16
host 170.X.X.16
object network 170.X.X.17
host 170.X.X.17
object network 170.X.X.18
host 170.X.X.18
object network 170.X.X.19
host 170.X.X.19
object network 170.X.X.20
host 170.X.X.20
object network 170.X.X.21
host 170.X.X.21
object network 170.X.X.22
host 170.X.X.22
object network 170.X.X.23
host 170.X.X.23
object network 170.X.X.24
host 170.X.X.24
object network 170.X.X.25
host 170.X.X.25
object network 10.47.0.0
subnet 10.47.0.0 255.255.0.0
object network 170.X.X.26
host 170.X.X.26
object network 170.X.X.27
host 170.X.X.27
object network 170.X.X.28
host 170.X.X.28
object network 170.X.X.29
host 170.X.X.29
object network 170.X.X.30
host 170.X.X.30
object network 170.X.X.31
host 170.X.X.31
object network 10.49.0.0
subnet 10.49.0.0 255.255.0.0
object network 189.197.184.136
host 189.197.184.136
object network 189.197.184.137
host 189.197.184.137
object network 189.197.184.138
host 189.197.184.138
object network 189.197.184.139
host 189.197.184.139
object network 189.197.184.140
host 189.197.184.140
object network 189.197.184.141
host 189.197.184.141
object network 189.197.184.142
host 189.197.184.142
object network 189.197.184.143
host 189.197.184.143
object network 189.197.184.144
host 189.197.184.144
object network 189.197.184.145
host 189.197.184.145
object network 189.197.184.146
host 189.197.184.146
object network 189.197.184.147
host 189.197.184.147
object network 189.197.184.148
host 189.197.184.148
object network 189.197.184.149
host 189.197.184.149
object network 189.197.184.150
host 189.197.184.150
object network 189.197.184.151
host 189.197.184.151
object network 189.197.184.152
host 189.197.184.152
object network 189.197.184.153
host 189.197.184.153
object network 189.197.184.154
host 189.197.184.154
object network Prueba-10.227.225.210
host 10.227.225.210
object network 10.227.225.210
host 10.227.225.210
access-list CARRIERS_access_in extended permit ip 10.227.224.0 255.255.252.0 any
access-list CARRIERS_access_out extended permit ip any 10.227.224.0 255.255.252.0
access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.210 eq 13389
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu CMTS 1500
mtu CARRIERS 1500
mtu CMTS1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any CMTS
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (CMTS,OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
nat (CMTS,OUTSIDE) source dynamic 10.27.0.0 170.X.X.17
nat (CMTS,OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
nat (CMTS,OUTSIDE) source dynamic 10.9.0.0 170.X.X.9
nat (CMTS,OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
nat (CMTS,OUTSIDE) source dynamic 10.11.0.0 170.X.X.11
nat (CMTS,OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
nat (CMTS,OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
nat (CMTS,OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
nat (CMTS,OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
nat (CMTS,OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
nat (CMTS,OUTSIDE) source dynamic 10.45.0.0 170.X.X.28
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
nat (CMTS,OUTSIDE) source dynamic 10.45.0.0 170.X.X.19
nat (CMTS,OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
nat (CMTS,OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
!
object network Prueba-10.227.225.210
nat (CARRIERS,OUTSIDE) static 170.X.X.3 service tcp 3389 13389
!
nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS
route OUTSIDE 0.0.0.0 0.0.0.0 170.X.X.1 1
route CMTS1 10.8.0.0 255.255.0.0 192.168.61.102 1
route CMTS1 10.9.0.0 255.255.0.0 192.168.61.102 1
route CMTS1 10.10.0.0 255.255.0.0 192.168.61.101 1
route CMTS1 10.11.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.12.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.13.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.16.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.17.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.18.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.19.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.32.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.33.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.34.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.35.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.36.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.37.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.40.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.41.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.44.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.45.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.46.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.47.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.48.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.49.0.0 255.255.0.0 192.168.61.138 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server host management 192.168.0.2 community ***** udp-port 161
snmp-server location Site-Dg
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username gaspar password uFhUHzfbhfhfgfh encrypted privilege 15
username extra password Mgi9n5sdhgdfghgx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 7
subscribe-to-alert-group configuration periodic monthly 7
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:488ed4aadf6c81f3d85f4c87ce320e03
: end

Your acl on the outside

Jon Marshall — Sat, 29 Apr 2017 16:47:07 GMT

Your acl on the outside interface should be using the real port ie,. 3389 not the mapped one.

Can you modify, retest and if still no success packet tracer again.

Jon