How do I configure a simple port forward using the ASDM on the ASA 5510?

My goal is extremely simple.  I am trying to configure a port forward on a Cisco ASA 5510.  I have been told to save myself some headache to use the ASDM on this device.  I am running ASDM v5.1 with an ASA 5510 v7.1(2).  I have run through the initial configuration wizard which suggested PAT (as we only have one public IP).  I need to forward port 3389 TCP (RDP) to an internal server.  For example we will use public IP 5.5.5.5 and internal IP 192.168.1.10.  I have read other posts which explain that not only do we need an ACL configured, but an additional NAT Policy.  I have tried it numerous ways and just can't seem to get it to float...any help is appreciated!
toddjusticeAsked:

ryansotoCommented:
static (inside,outside) tcp interface 3389 192.168.1.X 3389 netmask 255.255.255.255 0 0
access-list XXX permit tcp any host externalipaddress eq 3389
access-group XXX in interface outside

Of course change the values to your needs.  I believe this should fix you up

toddjusticeAuthor Commented:
Can this be done through the ASDM? - I would really like to understand the ASDM.
ryansotoCommented:
Honestly, most hard-core Cisco gurus will tell you if you need it to be done right, use the command line.  The ASDM doesn't always write the correct command and things get fouled up.  I had that happen and from then on I learned the command line.

batry_boyCommented:
Go to Configuration - NAT.  Click the "Add" button and choose "Add Static NAT rule".  Put in the following information in the various fields:

Under "Real Address"
Interface : inside
IP Address : 192.168.1.10
Netmask : 255.255.255.255

Under "Static Translation"
Interface : outside
IP Address : <click on the drop down arrow pick list and choose (interface IP)>

Check the box named "Enable Port Address Translation (PAT)"
Protocol : TCP
Original Port : 3389
Translated Port : 3389

Click "OK"

Now, do the above procedure again, filling in all fields with the same info, except choose "UDP" for the protocol when modifying the PAT configuration.

Next, you need to allow the traffic you just specified in your port forwarding rules.  Here's how:

Go to Configuration - Security Policy.  Click "Add".

Under "Interface and Action"
Interface : outside
Direction : incoming
Action : permit

Under "Source"
Type : any

Under "Destination"
Type : <click on the drop down arrow pick list and choose (interface IP)>
Interface : outside

Under "Protocol and Service"
Protocol : tcp

Under "Source Port", leave all defaults

Under "Destination Port"
Leave "Service" radio button enabled, and where it says "any", type over this and put in 3389

Click "OK".

Click "Apply".

That should do it.  That will port forward any traffic received on the outside interface on destination port TCP 3389 and forward it to port TCP 3389 on internal host 192.168.1.10 from any Internet host.
toddjusticeAuthor Commented:
Ryansoto: I agree, every other piece of Cisco equipment I have ever worked on I have used the CLI.  I would just like to understand more about the ASDM...

Batry_Boy: I had already read that solution in another post, but my ASDM doesn't show most of the fields that you were referencing.  I don't see a field for "Real Address" or "Enable PAT".  Also, under my Security Policy screen, if I choose the Outside Interface as the destination it errors out stating that the destination interface can't be the same as the Source Interface.
batry_boyCommented:
OK...I retyped the instructions for your ASDM version...boy, I forgot how much Cisco changed the interface from that older ASDM version to the current one!  Hope this helps...

Go to Configuration - NAT.  Click the "Add" button.

Leave the selection at "Use NAT" at the top.

Put in the following information in the various fields:

Under "Source Host/Network"
Interface : inside
IP Address : 192.168.1.10
Netmask : 255.255.255.255

Translate Address on Interface : outside

Under "Translate Address To"
Choose "static"
IP Address : <click on the drop down arrow pick list and choose (interface IP)>

Check the box named "Redirect port"
Protocol : TCP
Original Port : 3389
Translated Port : 3389

Click "OK"

Click "Apply"

Next, you need to allow the traffic you just specified in your port forwarding rules.  Here's how:

Go to Configuration - Security Policy.  Click "Add".

Under "Action"
Select an action: permit
Apply to traffic : incoming to src interface

Under "Source Host/Network"
Choose "IP Address"
IP Address : 0.0.0.0
Mask : 0.0.0.0

Under "Destination Host/Network"
Choose "IP Address"
IP Address : <click the ellipses button "..." and select the outside interface IP address from the list>
Mask : 255.255.255.255

Under "Protocol and Service"
Protocol : tcp

Under "Source Port", leave all defaults

Under "Destination Port"
Leave "Service" radio button enabled, and where it says "any", type over this and put in 3389

Click "OK".

Click "Apply".

That should do it.  That will port forward any traffic received on the outside interface on destination port TCP 3389 and forward it to port TCP 3389 on internal host 192.168.1.10 from any Internet host.
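For anyone who wants to check what the ASDM steps above (or ryansoto's CLI snippet earlier in the thread) actually leave in the running config, the following is an added example, not code from this thread or from Cisco. It renders the ASA 7.x CLI equivalent of the "Use NAT / static / Redirect port" rule plus the Security Policy entry, and then audits a config excerpt for the two things that most often go wrong with a port forward: the ACL never being applied to the outside interface with access-group (the forward silently fails, since inbound is denied by default), and a permit that is much wider than the forwarded port. It assumes pre-8.3 static/ACL syntax; the ACL name OUTSIDE_IN and the sample configs are constructed, and the addresses mirror the thread's 5.5.5.5 / 192.168.1.10.

```python
"""Render the ASA 7.x CLI for a static PAT port forward and audit a config
excerpt for missing access-group bindings and over-wide permits.
Added example; OUTSIDE_IN and the sample configs are constructed."""
import ipaddress


def render_port_forward(inside_ip, public_ip, port, proto="tcp",
                        acl_name="OUTSIDE_IN"):
    """Static PAT on the outside interface IP plus the ACL that admits it.

    "interface" in the static is the outside interface's own address (the
    "(interface IP)" pick-list entry in ASDM); on 7.x the ACL must name the
    public (translated) address, not the inside host."""
    ipaddress.IPv4Address(inside_ip)          # raises on malformed input
    ipaddress.IPv4Address(public_ip)
    if not 1 <= port <= 65535 or proto not in ("tcp", "udp"):
        raise ValueError(f"bad port/protocol {proto}/{port}")
    return [
        f"static (inside,outside) {proto} interface {port} "
        f"{inside_ip} {port} netmask 255.255.255.255",
        f"access-list {acl_name} extended permit {proto} any host {public_ip} eq {port}",
        f"access-group {acl_name} in interface outside",
    ]


def _endpoint(t, i):
    """Consume one ACL endpoint: any | host A | interface X | A MASK."""
    return ("any", i + 1) if t[i] == "any" else (" ".join(t[i:i + 2]), i + 2)


def parse_config(text):
    """Collect port statics, ACL entries by name, and inbound ACL bindings."""
    statics, acls, bound = [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 8 and t[0] == "static" and t[2] in ("tcp", "udp"):
            statics.append({"outside": t[1].strip("()").split(",")[1],
                            "proto": t[2], "gport": int(t[4]),
                            "laddr": t[5], "lport": int(t[6])})
        elif len(t) >= 5 and t[0] == "access-list":
            i = 3 if t[2] == "extended" else 2
            if t[i] not in ("permit", "deny"):   # skip remarks etc.
                continue
            src, j = _endpoint(t, i + 2)
            dst, j = _endpoint(t, j)
            port = int(t[j + 1]) if j + 1 < len(t) and t[j] == "eq" else None
            acls.setdefault(t[1], []).append({"action": t[i], "proto": t[i + 1],
                                              "src": src, "dst": dst, "port": port})
        elif len(t) == 5 and t[0] == "access-group" and t[2] == "in":
            bound[t[4]] = t[1]                # interface -> ACL name
    return statics, acls, bound


def audit_port_forward(text, outside="outside"):
    """Return findings for port statics on `outside`; an empty list means
    every forward has its permit and the inbound ACL admits nothing else."""
    statics, acls, bound = parse_config(text)
    if outside not in bound:
        return [f"no access-group on {outside}: inbound is denied by default, "
                "so the forward cannot work"]
    acl = bound[outside]
    entries = [e for e in acls.get(acl, []) if e["action"] == "permit"]
    fwd = {(s["proto"], s["gport"]) for s in statics if s["outside"] == outside}
    findings = []
    for s in statics:
        if s["outside"] == outside and not any(
                (e["proto"], e["port"]) == (s["proto"], s["gport"]) for e in entries):
            findings.append(f"{s['proto']}/{s['gport']} -> {s['laddr']}:"
                            f"{s['lport']} has no permit in {acl}")
    for e in entries:
        if e["proto"] == "ip" or e["port"] is None:
            findings.append(f"{acl} permits {e['proto']} {e['src']} {e['dst']} "
                            "with no port restriction")
        elif (e["proto"], e["port"]) not in fwd:
            findings.append(f"{acl} permits {e['proto']}/{e['port']} "
                            "but no static translates it")
    return findings


# Constructed sample configs: one complete, one with a UDP static that
# nothing permits and a "permit ip any any" that permits far too much.
GOOD_CONFIG = "\n".join(render_port_forward("192.168.1.10", "5.5.5.5", 3389))
LOOSE_CONFIG = """\
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) udp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 5.5.5.5 eq 3389
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
"""

if __name__ == "__main__":
    print("\n".join(render_port_forward("192.168.1.10", "5.5.5.5", 3389)))
    print(audit_port_forward(GOOD_CONFIG))    # []
    print(audit_port_forward(LOOSE_CONFIG))   # two findings
```

Paste the output of `show running-config static`, `show running-config access-list` and `show running-config access-group` into `audit_port_forward` after applying the ASDM rule; an empty result means the forward is reachable and the outside ACL admits only the ports you deliberately translated.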

toddjusticeAuthor Commented:
Awesome - I will try this in the morning and let you know...
toddjusticeAuthor Commented:
That worked - the only thing that was different that may help someone else is that under the Security Policy window, under the source section I had to choose "Outside" with 0.0.0.0 0.0.0.0 and the Destination I had to choose "Inside" with the Public IP/255.255.255.255.

Thanks a bunch!
toddjusticeAuthor Commented:
Thanks again!
pflechaCommented:
Can you open traffic for a port to come into your entire network?  (i.e. I need to allow port 5060 to come into my network for all my users)
batry_boyCommented:
You can, but you would need to provide NAT for your entire inside network to public addresses...that would be a lot of public addresses if you have a large internal network.