11-17-2008 12:46 PM - edited 03-04-2019 12:22 AM
Hello everyone,
I have been busy for a few days trying to set up NAT with the ASA 5505. Please see the attachment for the configuration of the modem and the ASA.
Hopefully someone can help me out.
Thanks in advance.
Peter
11-17-2008 12:53 PM
Peter
You're going to have to tell us what you are trying to set up in terms of NAT and what is not working.
Jon
11-17-2008 01:24 PM
I looked at your config and I'm assuming a couple of things (because this is the way that I have it set up at my house).
You have a router in front of the ASA, and you want your ASA to filter traffic that comes in from the router, so you have something like this:
Host --> ASA --> Router --> DSL --> Internet
IF I'm right, then I would suggest not natting at all. Your inside interface on the router is 192.168.2.254 and your public interface on the ASA is 192.168.2.250.
Make sure that you can ping your router from the ASA:
ping outside 192.168.2.254
If you do that, then in your NAT configuration on the ASA:
no global (outside) 1 interface
no nat (inside) 1 0 0
You should be able to ping from an inside host out. Your route is set up correctly from the ASA.
If this ISN'T what you are needing, then yeah, you should let us know like Jon requested. :-)
Thanks,
John
11-22-2008 06:18 AM
Hello John,
Thanks for your reply.
I can access the internet from any host behind the inside interface of the ASA. The problem is:
behind the inside interface there is a terminal server. The terminal users have to log on to it from anywhere. I cannot figure out how/where I should place the translation rule.
Hopefully you can help me out.
Thanks in advance.
Peter
11-22-2008 06:33 AM
Try this:
static (inside,outside) tcp interface 3389 (private ip) 3389 netmask 255.255.255.255
On your public ACL:
permit tcp any interface outside eq 3389
What this does is tell the ASA to use the outside interface IP address as the public IP. In the public ACL, you're allowing anyone to come into the public IP address on port 3389 (terminal services). If you have a block of ip addresses, you can give any one of your addresses out of that block an assignment and forget about the "interface" keyword. In the following example, 9.9.9.9 is the public ip address.
static (inside,outside) 9.9.9.9 (private ip) netmask 255.255.255.255
In public ACL:
permit tcp any host 9.9.9.9 eq 3389
Once you complete this, clear your translate table for it to take effect:
clear xlate
HTH,
John
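The pieces described in the post above, assembled into one configuration. This is an added example, not configuration from the thread or from Cisco: it uses the pre-8.3 ASA NAT syntax the thread uses, assumes the terminal server's inside address is 192.168.1.10 (a constructed value; the thread never gives it), uses a constructed ACL name OUTSIDE_IN, and for the router half assumes an IOS router with `ip nat inside`/`ip nat outside` already set on the LAN and Dialer0 interfaces.

```cisco
! --- ASA (pre-8.3 syntax) ---
! Static PAT: TCP/3389 on the outside interface address -> terminal server.
! 192.168.1.10 is an assumed address; substitute the real terminal-server IP.
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
!
! Inbound ACL on the outside interface, as in the post ("any" source).
! Tighter alternative: replace "any" with the network the terminal users
! actually connect from, e.g. 203.0.113.0 255.255.255.0 (documentation prefix).
access-list OUTSIDE_IN extended permit tcp any interface outside eq 3389
!
! The ACL only takes effect once it is bound to the interface.
access-group OUTSIDE_IN in interface outside
!
! Flush existing translations so the new static entry is used.
clear xlate

! --- Router in front of the ASA (IOS) ---
! Forward TCP/3389 arriving on the Dialer0 public address to the ASA outside
! interface (192.168.2.250), which then applies the static PAT above.
ip nat inside source static tcp 192.168.2.250 3389 interface Dialer0 3389

! --- Verification (run the client test from outside the network) ---
! Router: show ip nat translations   -> expect an entry for 192.168.2.250:3389
! ASA:    show xlate                 -> expect the static PAT entry for port 3389
```

Both translations are needed: the router only knows about 192.168.2.250, and the ASA only knows about the terminal server, so a missing rule on either box drops the connection. The `any` source in the ACE is what the post recommends; narrowing it is the one setting a defender would normally tighten after the port forward works.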
11-22-2008 07:14 AM
11-22-2008 07:44 AM
I'm not sure if this will work, but try the following:
On the router:
ip access-list ext EXTERNAL
permit tcp any any eq 3389
route-map TS permit 5
match ip address EXTERNAL
set ip next-hop 192.168.2.250
I'm not GREAT with policy maps, so I'd be interested in seeing if this works. How are you trying to get to the terminal server?
--John
11-22-2008 07:58 AM
I forgot to mention that you need to apply this policy map to the outside interface on your router:
int dialer0
ip policy route-map TS
exit
--John
11-22-2008 08:02 AM
no, it's still not working.
I use RDP to connect the terminal server.
Peter
11-22-2008 08:16 AM
Do you have a topology diagram or something that you can draw up quickly? Where are you in relation to the terminal server? Are you in front of the router or behind the ASA?
host -> router -> asa -> terminal server
router -> host -> asa -> terminal server
router -> asa -> host -> ts
--John
11-22-2008 09:13 AM
Still not working.
The terminal server is behind the asa. It looks like:
dsl->router(dialer interface, 192.168.2.254)->asa(outside[192.168.2.250],inside[192.168.1.1])->host (ts)
Peter
11-22-2008 09:16 AM
Where are you at in the picture? On the DSL side going into the network, or ASA side going out?
--John
11-22-2008 09:44 AM
The problem is on the DSL side going into the network.
By the way, inside out everything is ok.
peter
11-22-2008 10:23 AM
Understood. You won't be able to test this from behind the ASA. In other words, if you're connected to a switch or directly to the ASA, you can't go out to the internet and back into your public interface to test it; it won't work. You'll need to do this from another computer that's completely outside of your network.
That said, can you do a sh ip nat trans on the router, and a sh xlate on the ASA and post the results back. Again, if you're trying to test it from within your network and coming back in, it won't work.
11-22-2008 02:41 PM
Hello John,
Thanks for all your help and time.
I got the problem resolved. I did two things wrong. The first one was the access rule in the ASA, the second was the translation rule in the router.
Now the ASA is working. The next step is to try to get the VPN working.
Thanks again.
Peter