Good afternoon,

I have a single ASA 5505, IOS 8.4, and I am trying to forward RDP traffic to an internal server. This is a very simple setup with no prior access-lists, VPNs, or anything else. The only extra configuration is a Guest VLAN, with security 50.

Here's the configuration that I have:

________________________________________________

interface Vlan1
nameif inside
security-level 100
ip address 10.72.132.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 76.79.X.X 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif Guest
security-level 50
ip address 172.16.254.1 255.255.255.0

!

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3

!

object network Fileserver
host 10.72.132.7
!

access-list OutsideToIn extended permit tcp any host 10.72.132.7 eq 3389

!

nat (inside,outside) source dynamic any interface
nat (Guest,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network Fileserver
nat (inside,outside) static interface service tcp 3389 3389
access-group OutsideToIn in interface outside

________________________________________________

When I do a show access-list, it shows no hits.

When I run packet tracer, I get this:

______________________________________________

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.72.132.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsideToIn in interface outside
access-list OutsideToIn extended permit tcp any host 10.72.132.7 eq 3389
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcaa00ad0, priority=13, domain=permit, deny=false
        hits=0, user_data=0xc8edc7b0, cs_id=0x0, use_real_addr, flags=0x0, proto                                                             col=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=10.72.132.7, mask=255.255.255.255, port=3389, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac55ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=137627, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac59058, priority=0, domain=host-limit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcac87e78, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xcac873b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

______________________________________________

This clearly shows that it's a NAT issue, but I'm not exactly sure what modifications I need to make. Any ideas?

Thank you.