06-08-2017 08:36 AM - edited 03-12-2019 02:28 AM
Hi friends,
I'm trying to reach ports 1930 and 1946 on a PC on my LAN from the internet. The PC is accessing the internet through the OUTSIDE interface. I'm mapping port 1930 to 11930 and 1946 to 11946. The problem is that this is not working... Here's my NAT and packet tracer:
ASA5580# sh nat
Manual NAT Policies (Section 1)
1 (INSIDE_Prueba) to (OUTSIDE) source dynamic 172.X.X.0 interface
translate_hits = 17722513, untranslate_hits = 3825414
2 (INSIDE_Prueba) to (OUTSIDE) source dynamic any interface
translate_hits = 2862, untranslate_hits = 0
3 (CMTS) to (OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
translate_hits = 4766354, untranslate_hits = 1770891
4 (CMTS) to (OUTSIDE) source dynamic 10.27.0.0 170.X.X.17
translate_hits = 29690167, untranslate_hits = 8198483
5 (CMTS) to (OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
translate_hits = 918075, untranslate_hits = 242734
6 (CMTS) to (OUTSIDE) source dynamic 10.9.0.0 170.X.X.9
translate_hits = 28978302, untranslate_hits = 10294354
7 (CMTS) to (OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
translate_hits = 29606416, untranslate_hits = 9081192
8 (CMTS) to (OUTSIDE) source dynamic 10.11.0.0 170.X.X.11
translate_hits = 53391770, untranslate_hits = 17761505
9 (CMTS) to (OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
translate_hits = 20305477, untranslate_hits = 6105534
10 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
translate_hits = 6802561, untranslate_hits = 2604976
11 (CMTS) to (OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
translate_hits = 6120965, untranslate_hits = 2759715
12 (CMTS) to (OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
translate_hits = 14523516, untranslate_hits = 4719833
13 (CMTS) to (OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
translate_hits = 5232113, untranslate_hits = 2234926
14 (CMTS) to (OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
translate_hits = 1279407, untranslate_hits = 339487
15 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.28
translate_hits = 25311146, untranslate_hits = 8981529
16 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
translate_hits = 0, untranslate_hits = 0
17 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.19
translate_hits = 0, untranslate_hits = 0
18 (CMTS) to (OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
translate_hits = 27731917, untranslate_hits = 9972706
19 (CMTS) to (OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
translate_hits = 3596176, untranslate_hits = 1267521
20 (CMTS) to (OUTSIDE) source dynamic 10.51.0.0 170.X.X.30
translate_hits = 3759, untranslate_hits = 403
Auto NAT Policies (Section 2)
1 (CARRIERS) to (OUTSIDE) source static CentroValle_1930 interface service tcp 1930 11930
translate_hits = 0, untranslate_hits = 0
2 (CARRIERS) to (OUTSIDE) source static CentroValle_1946 interface service tcp 1946 11946
translate_hits = 0, untranslate_hits = 0
3 (CARRIERS) to (OUTSIDE) source static Prueba-10.227.225.210 170.X.X.3 service tcp 3389 13389
translate_hits = 0, untranslate_hits = 40
4 (INSIDE_Prueba) to (OUTSIDE) source static ALTAI 170.X.X.4
translate_hits = 0, untranslate_hits = 1060724
Manual NAT Policies (Section 3)
1 (CARRIERS) to (OUTSIDE) source dynamic any interface
translate_hits = 73502076, untranslate_hits = 10380482
ASA5580#
ASA5580# packet-tracer input outside tcp 3.3.3.3 12345 170.X.X.2 11930
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 170.X.X.2 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I'm seeing "Drop-reason: (acl-drop) Flow is denied by configured rule", but what rule??? Can anybody help me please??
Thanks in advance.
BR.
06-08-2017 10:39 AM
Hi
Can you paste your acl config?
Packet-tracer is saying that ACL is dropping that traffic.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
06-08-2017 11:05 AM
Here is the ACL config:
access-list CARRIERS_access_in extended permit ip 10.227.224.0 255.255.252.0 any
access-list CARRIERS_access_out extended permit ip any 10.227.224.0 255.255.252.0
access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.210 eq 3389
access-list OUTSIDE_access_in remark ALTAI
access-list OUTSIDE_access_in extended permit ip any object 172.X.X.22
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.20 eq 1930
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.20 eq 1946
access-list INSIDE_Prueba_access_in extended permit ip 192.168.62.0 255.255.255.0 any
access-list INSIDE_Prueba_access_in extended permit ip object 172.X.X.0 any
06-08-2017 01:00 PM
Hi
Could you share your config please?
On the nat statement I see the object CentroValle_1930 for tcp/1930 and on your acl it's object 10.227.225.20. I can't say if this is the same object.
You can remove all passwords in your config and change your public IP.
Thanks
06-08-2017 01:25 PM
Here it is:
ASA5580# sh running-config
: Saved
:
ASA Version 8.4(5)
!
hostname ASA5580
enable password X encrypted
passwd X encrypted
names
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.0.44 255.255.255.0
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/2
nameif CARRIERS
security-level 30
ip address 10.227.224.3 255.255.252.0
!
interface GigabitEthernet3/3
nameif INSIDE_Prueba
security-level 40
ip address 192.168.62.254 255.255.255.0
!
interface TenGigabitEthernet5/0
nameif CMTS
security-level 50
ip address 192.168.61.9 255.255.255.0
!
interface TenGigabitEthernet5/1
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet7/0
nameif OUTSIDE
security-level 0
ip address X.X.X.2 255.255.255.240
!
interface TenGigabitEthernet7/1
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network 10.19.0.0
subnet 10.19.0.0 255.255.0.0
object network X.X.X.3
host X.X.X.3
object network X.X.X.4
host X.X.X.4
object network X.X.X.5
host X.X.X.5
object network X.X.X.6
host X.X.X.6
object network X.X.X.7
host X.X.X.7
object network X.X.X.8
host X.X.X.8
object network X.X.X.9
host X.X.X.9
object network X.X.X.10
host X.X.X.10
object network X.X.X.11
host X.X.X.11
object network X.X.X.12
host X.X.X.12
object network X.X.X.13
host X.X.X.13
object network X.X.X.14
host X.X.X.14
object network 10.27.0.0
subnet 10.27.0.0 255.255.0.0
object network 10.25.0.0
subnet 10.25.0.0 255.255.0.0
object network 10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network 10.39.0.0
subnet 10.39.0.0 255.255.0.0
object network 10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network 10.35.0.0
subnet 10.35.0.0 255.255.0.0
object network 10.33.0.0
subnet 10.33.0.0 255.255.0.0
object network 10.13.0.0
subnet 10.13.0.0 255.255.0.0
object network 10.17.0.0
subnet 10.17.0.0 255.255.0.0
object network 10.37.0.0
subnet 10.37.0.0 255.255.0.0
object network Pool_CMTS
range X.X.X.32 X.X.X.47
object network 10.41.0.0
subnet 10.41.0.0 255.255.0.0
object network 10.45.0.0
subnet 10.45.0.0 255.255.0.0
object network X.X.X.16
host X.X.X.16
object network X.X.X.17
host X.X.X.17
object network X.X.X.18
host X.X.X.18
object network X.X.X.19
host X.X.X.19
object network X.X.X.20
host X.X.X.20
object network X.X.X.21
host X.X.X.21
object network X.X.X.22
host X.X.X.22
object network X.X.X.23
host X.X.X.23
object network X.X.X.24
host X.X.X.24
object network X.X.X.25
host X.X.X.25
object network 10.47.0.0
subnet 10.47.0.0 255.255.0.0
object network X.X.X.26
host X.X.X.26
object network X.X.X.27
host X.X.X.27
object network X.X.X.28
host X.X.X.28
object network X.X.X.29
host X.X.X.29
object network X.X.X.30
host X.X.X.30
object network X.X.X.31
host X.X.X.31
object network 10.49.0.0
subnet 10.49.0.0 255.255.0.0
object network Z.Z.Z.136
host Z.Z.Z.136
object network Z.Z.Z.137
host Z.Z.Z.137
object network Z.Z.Z.138
host Z.Z.Z.138
object network Z.Z.Z.139
host Z.Z.Z.139
object network Z.Z.Z.140
host Z.Z.Z.140
object network Z.Z.Z.141
host Z.Z.Z.141
object network Z.Z.Z.142
host Z.Z.Z.142
object network Z.Z.Z.143
host Z.Z.Z.143
object network Z.Z.Z.144
host Z.Z.Z.144
object network Z.Z.Z.145
host Z.Z.Z.145
object network Z.Z.Z.146
host Z.Z.Z.146
object network Z.Z.Z.147
host Z.Z.Z.147
object network Z.Z.Z.148
host Z.Z.Z.148
object network Z.Z.Z.149
host Z.Z.Z.149
object network Z.Z.Z.150
host Z.Z.Z.150
object network Z.Z.Z.151
host Z.Z.Z.151
object network Z.Z.Z.152
host Z.Z.Z.152
object network Z.Z.Z.153
host Z.Z.Z.153
object network Z.Z.Z.154
host Z.Z.Z.154
object network Prueba-10.227.225.210
host 10.227.225.210
object network 10.227.225.210
host 10.227.225.210
object network Y.Y.Y.0
subnet Y.Y.Y.0 255.255.255.0
object network Y.Y.Y.22
host Y.Y.Y.22
object network ALTAI
host Y.Y.Y.22
object network 10.50.0.0
subnet 10.50.0.0 255.255.0.0
object network 10.51.0.0
subnet 10.51.0.0 255.255.0.0
object network 10.227.225.20
host 10.227.225.20
object network CentroValle_1930
host 10.227.225.20
object network CentroValle_1946
host 10.227.225.20
object network X.X.X.2
host X.X.X.2
access-list CARRIERS_access_in extended permit ip 10.227.224.0 255.255.252.0 any
access-list CARRIERS_access_out extended permit ip any 10.227.224.0 255.255.252.0
access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.210 eq 3389
access-list OUTSIDE_access_in remark ALTAI
access-list OUTSIDE_access_in extended permit ip any object Y.Y.Y.22
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.20 eq 1930
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.20 eq 1946
access-list INSIDE_Prueba_access_in extended permit ip 192.168.62.0 255.255.255.0 any
access-list INSIDE_Prueba_access_in extended permit ip object Y.Y.Y.0 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu CARRIERS 1500
mtu INSIDE_Prueba 1500
mtu CMTS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE_Prueba,OUTSIDE) source dynamic Y.Y.Y.0 interface
nat (INSIDE_Prueba,OUTSIDE) source dynamic any interface
nat (CMTS,OUTSIDE) source dynamic 10.19.0.0 X.X.X.16
nat (CMTS,OUTSIDE) source dynamic 10.27.0.0 X.X.X.17
nat (CMTS,OUTSIDE) source dynamic 10.25.0.0 X.X.X.18
nat (CMTS,OUTSIDE) source dynamic 10.9.0.0 X.X.X.9
nat (CMTS,OUTSIDE) source dynamic 10.39.0.0 X.X.X.20
nat (CMTS,OUTSIDE) source dynamic 10.11.0.0 X.X.X.11
nat (CMTS,OUTSIDE) source dynamic 10.35.0.0 X.X.X.22
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 X.X.X.23
nat (CMTS,OUTSIDE) source dynamic 10.13.0.0 X.X.X.13
nat (CMTS,OUTSIDE) source dynamic 10.17.0.0 X.X.X.25
nat (CMTS,OUTSIDE) source dynamic 10.37.0.0 X.X.X.26
nat (CMTS,OUTSIDE) source dynamic 10.41.0.0 X.X.X.27
nat (CMTS,OUTSIDE) source dynamic 10.45.0.0 X.X.X.28
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 X.X.X.29
nat (CMTS,OUTSIDE) source dynamic 10.45.0.0 X.X.X.19
nat (CMTS,OUTSIDE) source dynamic 10.47.0.0 X.X.X.21
nat (CMTS,OUTSIDE) source dynamic 10.49.0.0 X.X.X.24
nat (CMTS,OUTSIDE) source dynamic 10.51.0.0 X.X.X.30
!
object network Prueba-10.227.225.210
nat (CARRIERS,OUTSIDE) static X.X.X.3 service tcp 3389 13389
object network ALTAI
nat (INSIDE_Prueba,OUTSIDE) static X.X.X.4
object network CentroValle_1930
nat (CARRIERS,OUTSIDE) static interface service tcp 1930 11930
object network CentroValle_1946
nat (CARRIERS,OUTSIDE) static interface service tcp 1946 11946
!
nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS
access-group INSIDE_Prueba_access_in in interface INSIDE_Prueba
route OUTSIDE 0.0.0.0 0.0.0.0 X.X.X.1 1
route CMTS 10.8.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.9.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.10.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.11.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.12.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.13.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.16.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.17.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.18.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.19.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.32.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.33.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.34.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.35.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.36.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.37.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.40.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.41.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.44.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.45.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.46.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.47.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.48.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.49.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.50.0.0 255.255.0.0 192.168.61.139 1
route CMTS 10.51.0.0 255.255.0.0 192.168.61.139 1
route INSIDE_Prueba Y.Y.Y.0 255.255.255.0 192.168.62.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server host management 192.168.0.2 community ***** udp-port 161
snmp-server location Site-Dg
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username fermin password X encrypted privilege 15
username gaspar password X encrypted privilege 15
username extra password X encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 7
subscribe-to-alert-group configuration periodic monthly 7
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fX
: end
ASA5580#
06-08-2017 01:58 PM
It looks good.
Can you redo the packet tracer:
packet-tracer input outside tcp 3.3.3.3 12345 Public_IP 11930
and paste the output?
Thanks
06-08-2017 02:05 PM
The same thing:
ASA5580# packet-tracer input outside tcp 3.3.3.3 12345 170.X.X.2 11930
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 170.X.X.2 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
And I agree with you, all looks good...
???
06-08-2017 02:13 PM
Are you able to do a teamviewer?
If Yes, ping me by private chat and we'll figure it out.
06-08-2017 03:15 PM
Ok my friend, tomorrow morning then...
06-08-2017 03:32 PM
Ok we will try. I'm in EST timezone
06-08-2017 06:41 PM
Sorry, how can I contact you privately? By the way, I'm in EST too...
06-08-2017 06:48 PM
Through this forum you can send me a private message if you go to your profile and message.
06-09-2017 03:21 PM
Update:
I can now access PC 10.227.224.210 through remote desktop...
The rule I've made for this points to public IP 170.X.X.3, and when I run speedtest on the PC it shows 170.X.X.2. It's crazy, isn't it?
Another update:
When I change the rule to public IP 170.X.X.3, everything works fine (ports 1930 and 1946). The problem seems to occur when I use the OUTSIDE interface...
any ideas???
06-09-2017 04:37 PM
Hi
Did that come up after a reboot?
It's normal that your IP on the internet is .2, because the traffic goes to your dynamic NAT. You only have the NAT with IP .3 for the RDP connection.
Why it's not working with IP .2:
Can you move your 2 dynamic NAT rules from the top to the bottom by adding the keyword after-auto and test again?
Thanks
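As an added illustration of the rule-order effect this reply relies on (not code from the thread, and not Cisco's own logic): a simplified Python model of the ASA's NAT section precedence, run against the CentroValle port-forward rules and the INSIDE_Prueba dynamic rules from the config posted above. It assumes, as the packet-tracer output suggests, that an inbound packet whose destination equals a dynamic rule's mapped address is taken by that rule and gets no untranslation (the "NP Identity Ifc" / acl-drop outcome); real ASA matching has more detail than this.

```python
# Simplified model of ASA NAT precedence: Section 1 (manual), then Section 2
# (Auto NAT, object rules), then Section 3 (manual after-auto). Constructed
# for illustration; it is not the ASA's real lookup algorithm.
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "170.X.X.2"  # OUTSIDE interface IP, placeholder value from the thread


@dataclass(frozen=True)
class NatRule:
    section: int            # 1 = manual, 2 = auto (object), 3 = manual after-auto
    real_if: str
    mapped_if: str
    kind: str               # "dynamic" or "static"
    real_host: str          # real address, or "any"
    mapped_host: str        # "interface" resolves to the mapped interface's IP
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def mapped_ip(self) -> str:
        return OUTSIDE_IP if self.mapped_host == "interface" else self.mapped_host


def inbound_lookup(rules, ingress_if, dst_ip, dst_port):
    """Mapped-to-real lookup for a new connection arriving on ingress_if.
    Sections are tried 1, 2, 3; inside a section, config order is kept
    (sorted() is stable). Returns (real_if, real_ip, real_port), or None when
    the packet ends up as to-the-box traffic with no untranslation."""
    for r in sorted(rules, key=lambda r: r.section):
        if r.mapped_if != ingress_if or r.mapped_ip() != dst_ip:
            continue
        if r.kind == "static":
            if r.mapped_port is None:
                return (r.real_if, r.real_host, dst_port)
            if r.mapped_port == dst_port:
                return (r.real_if, r.real_host, r.real_port)
            continue  # static port rule for a different port: keep searching
        # Assumption: a dynamic PAT rule whose mapped address matches consumes
        # the packet but cannot untranslate it (no existing xlate).
        return None
    return None


# Auto NAT port forwards from the thread (Section 2).
PORT_FORWARDS = [
    NatRule(2, "CARRIERS", "OUTSIDE", "static", "10.227.225.20", "interface", 1930, 11930),
    NatRule(2, "CARRIERS", "OUTSIDE", "static", "10.227.225.20", "interface", 1946, 11946),
]


def dynamic_rules(section):
    """The two INSIDE_Prueba dynamic rules, placed in the given section."""
    return [NatRule(section, "INSIDE_Prueba", "OUTSIDE", "dynamic", "Y.Y.Y.0", "interface"),
            NatRule(section, "INSIDE_Prueba", "OUTSIDE", "dynamic", "any", "interface")]


def as_posted():
    return dynamic_rules(1) + PORT_FORWARDS        # dynamic rules shadow the forwards


def with_after_auto():
    return PORT_FORWARDS + dynamic_rules(3)        # re-entered with after-auto


if __name__ == "__main__":
    for label, rules in (("as posted", as_posted()), ("after-auto", with_after_auto())):
        print(label, "->", inbound_lookup(rules, "OUTSIDE", OUTSIDE_IP, 11930))
```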
06-09-2017 04:56 PM
Hi:
I still haven't rebooted. I had planned to do it tomorrow at 5 am, but now I don't think I will...
Why it's not working with IP .2 is the one million dollar question...
Tomorrow I'll try what you suggest and post the results.
Thanks!!