05-21-2015 02:57 AM - edited 03-11-2019 10:58 PM
Hi,
I'm trying to configure inbound PAT on my ASA connected to a DSL modem. I want outside(internet) clients to rdp to tcp/10000 which will be translated to the inside destination 192.168.0.2/3389
I've tried a large number of config variations, but none seem to work. I'm wondering if there's a limitation around the DHCP on the outside?
Any help would be appreciated.
Cisco Adaptive Security Appliance Software Version 9.1(2)
The outside interface uses DHCP.
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group ADSL
ip address pppoe setroute
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 7426.acc9.c5d1, MTU 1492
IP address 120.122.127.51, subnet mask 255.255.255.255
1749471 packets input, 1905250337 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
Outbound pat works fine with 'nat (internal,outside) source dynamic any interface'
Inbound requests produce the following logs
%ASA-7-710005: TCP request discarded from 121.129.42.129/6804 to outside:120.122.127.51/10000
%ASA-7-710005: TCP request discarded from 121.129.42.129/44230 to outside:120.122.127.51/10000
object network Host_RDPAPP02_192.168.0.2
nat (internal,outside) static interface service tcp 10000 3389
If I try changing the nat to use the IP address instead of 'interface', I get the following:
BemsASA(config-network-object)# nat (internal,outside) static 120.122.127.51 service tcp 10000 3389
ERROR: Address 120.122.127.51 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
nat: policy not downloaded, constructing source mapped networks failed
BemsASA# packet-tracer in outside tcp 2.2.2.2 3454 192.168.0.2 3389 de
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 internal
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object RDP any object Host_RDPAPP02_192.168.0.2
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9e3dd190, priority=13, domain=permit, deny=false
hits=2, user_data=0x7fff9b795dc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.0.2, mask=255.255.255.255, port=3389, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=95984, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f51b120, priority=0, domain=inspect-ip-options, deny=true
hits=85111, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (internal,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff9f699dc0, priority=6, domain=nat-reverse, deny=false
hits=4, user_data=0x7fff9f695550, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=internal
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
BemsASA# packet-tracer in outside tcp 2.2.2.2 3454 120.122.127.51 10000
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 120.122.127.51 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
access-list outside_access_in extended permit object RDP any object Host_RDPAPP02_192.168.0.2
access-list outside_access_in extended permit object TCP10000 any object Host_RDPAPP02_192.168.0.2
access-list outside_access_in extended permit object TCP10000 any interface outside
access-list outside_access_in extended deny ip any any log
05-21-2015 03:11 AM
Hi,
The NAT statement should be this:-
object network Host_RDPAPP02_192.168.0.2
nat (internal,outside) static interface service tcp 3389 10000
Also, the destination IP in the packet tracer would be the public IP.
Thanks and Regards,
Vibhor Amrodia
05-21-2015 03:25 AM
Thanks Vibhor,
I tried that one too...
BemsASA(config-network-object)#
BemsASA(config-network-object)# sh run | in static
nat (internal,outside) static interface service tcp 3389 10000
BemsASA(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (internal) to (outside) source dynamic any interface
translate_hits = 30858, untranslate_hits = 331
Auto NAT Policies (Section 2)
1 (internal) to (outside) source static Host_RDPAPP02_192.168.0.2 interface service tcp 3389 10000
translate_hits = 0, untranslate_hits = 0
BemsASA(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (internal) to (outside) source dynamic any interface
translate_hits = 30865, untranslate_hits = 331
Auto NAT Policies (Section 2)
1 (internal) to (outside) source static Host_RDPAPP02_192.168.0.2 interface service tcp 3389 10000
translate_hits = 0, untranslate_hits = 0
BemsASA(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (internal) to (outside) source dynamic any interface
translate_hits = 30883, untranslate_hits = 332
Auto NAT Policies (Section 2)
1 (internal) to (outside) source static Host_RDPAPP02_192.168.0.2 interface service tcp 3389 10000
translate_hits = 0, untranslate_hits = 0
BemsASA(config-network-object)# sh nat
Manual NAT Policies (Section 1)
1 (internal) to (outside) source dynamic any interface
translate_hits = 30883, untranslate_hits = 332
Auto NAT Policies (Section 2)
1 (internal) to (outside) source static Host_RDPAPP02_192.168.0.2 interface service tcp 3389 10000
translate_hits = 0, untranslate_hits = 0
BemsASA(config-network-object)# sh log | in 121.129.42.129
May 21 2015 17:47:08: %ASA-7-710005: TCP request discarded from 121.129.42.129/27384 to outside:120.122.127.51/10000
May 21 2015 17:47:09: %ASA-7-710005: TCP request discarded from 121.129.42.129/27384 to outside:120.122.127.51/10000
May 21 2015 17:47:10: %ASA-7-710005: TCP request discarded from 121.129.42.129/27384 to outside:120.122.127.51/10000
May 21 2015 17:47:11: %ASA-7-710005: TCP request discarded from 121.129.42.129/27384 to outside:120.122.127.51/10000
May 21 2015 17:47:12: %ASA-7-710005: TCP request discarded from 121.129.42.129/27384 to outside:120.122.127.51/10000
05-21-2015 10:48 PM
Hi,
This is the problem.
Move this Interface Dynamic NAT to the Auto NAT section.
Thanks and Regards,
Vibhor Amrodia
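As an added illustration of the fix described above (this is not configuration posted in the thread or supplied by Cisco), the resulting NAT layout once the interface PAT is moved out of Manual NAT Section 1 and into Auto NAT Section 2. In the first packet-tracer the Section 1 rule `source dynamic any interface` is what the rpf-check matched and dropped on; with both rules in Section 2 the static single-host port-forward is evaluated ahead of the dynamic PAT. The object name INTERNAL_ANY is an assumption; the real/mapped port order (3389 then 10000) is as Vibhor gave it.

```text
! Remove the Section 1 (manual) dynamic PAT that shadows the port-forward
no nat (internal,outside) source dynamic any interface

! Inbound port-forward: outside:tcp/10000 -> 192.168.0.2:tcp/3389
! (real port first, mapped port second)
object network Host_RDPAPP02_192.168.0.2
 host 192.168.0.2
 nat (internal,outside) static interface service tcp 3389 10000

! Outbound PAT for everything else, now as Auto NAT (Section 2)
! Object name INTERNAL_ANY is assumed; any name works
object network INTERNAL_ANY
 subnet 0.0.0.0 0.0.0.0
 nat (internal,outside) dynamic interface

! Alternative if the manual rule must stay: put it in Section 3 (after-auto)
! instead of Section 1, so Auto NAT is consulted first
! nat (internal,outside) after-auto source dynamic any interface
```

After the change, re-running the second packet-tracer from the thread (`packet-tracer input outside tcp 2.2.2.2 3454 120.122.127.51 10000`) should show an UN-NAT phase translating the destination to 192.168.0.2/3389 before the ACCESS-LIST phase, and the existing `outside_access_in` line that permits RDP to the real address 192.168.0.2 is the one that needs to match; the two ACL lines referencing tcp/10000 and `interface outside` are unnecessary on 8.3+ because access lists are evaluated against the real (untranslated) address.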
05-24-2015 01:18 AM
Thanks Vibhor, I'll give this a test.