ASA 5510 NAT and ACL Issues again

I really don't know what I messed up, but as soon as I get this fixed I will back up my config again.

I am trying to set up a STATIC NAT from a public IP to the internal of 1 particular server and then allow 3389 (RDP) traffic from any outside source to this internal server.

I have the following:

access-list Outside_access_in extended permit tcp any host eq 3389
static (Inside,Outside) tcp 70.150.***.*** 3389 3389 netmask

So far, this is the only Static NAT I am trying to configure. This Public IP will be used just for this server, so I am not sharing a single Outside IP with the internal servers.

I have read about the need to BIND the Outside_access_in to an access-group to the Outside interface, but the commands will not work. Am I just missing this entry so it knows which interface to apply the ACLs to?

I see the following in the Syslog when I try to connect to RDP from Outside:

Inbound TCP Connection denied from X.X.X.X/1806 to 70.150.X.X/3389 flags SYN on interface Outside


miconisAuthor Commented:

ASA Version 8.0(3)
hostname WZ-ASA1
domain-name XX.XXX
enable password IrroukDoy2z16aXo encrypted
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 70.150.XX.XXX
interface Ethernet0/1
 nameif Inside
 security-level 99
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd IrroukDoy2z16aXo encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name XX.XXX
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit icmp 10
access-list Outside_access_in extended permit tcp any host eq 3389
access-list management_nat0_outbound extended permit ip 255.255.240.
access-list Outside_1_cryptomap extended permit ip 10.
access-list Inside_nat0_outbound extended permit ip 10
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location management
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10
nat (management) 0 access-list management_nat0_outbound
static (Inside,Outside) tcp 70.150.XX.XXX 3389 3389 netmask 255.255
route Outside 70.150.XX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Outside
http management
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 70.150.XX.XXX
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 70.150.XX.XXX type ipsec-l2l
tunnel-group 70.150.XX.XXX ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context

The access rule needs to allow access to the public address, 70.150.x.x. Try adding this rule:

access-list Outside_access_in extended permit tcp any host 70.150.XX.XXX eq 3389

miconisAuthor Commented:
Hmmm. That didn't work.

Still seeing the following in the Syslog when I try to connect to RDP from Outside:

Inbound TCP Connection denied from X.X.X.X/1806 to 70.150.X.X/3389 flags SYN on interface Outside

Since you are using the ASA, you should be able to use the packet trace feature from the GUI interface that will tell you exactly why the packet is being dropped.
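As an added example (not posted by anyone in this thread), here is the complete pre-8.3 configuration the question is reaching for, in one place: the static port translation, the inbound rule written against the public address as the reply above recommends, and the `access-group` binding the question suspects is missing, followed by the CLI form of the packet-trace check suggested in the last reply. All addresses are constructed placeholders: 203.0.113.10 stands in for the redacted public IP 70.150.XX.XXX, 10.0.0.10 for the internal RDP server, and 198.51.100.5 for an administrator's workstation.

```cisco
! Added example for ASA 8.0(3) (pre-8.3 NAT syntax); not the thread's own config.
! Placeholders: 203.0.113.10 = public IP (70.150.XX.XXX in the thread),
!               10.0.0.10    = inside RDP server,
!               198.51.100.5 = admin workstation allowed to reach RDP.
!
! 1. Port-level static translation: public 203.0.113.10:3389 -> inside 10.0.0.10:3389
static (Inside,Outside) tcp 203.0.113.10 3389 10.0.0.10 3389 netmask 255.255.255.255
!
! 2. Inbound rule. On pre-8.3 code the Outside ACL is evaluated against the
!    public (pre-translation) address, so the destination is 203.0.113.10,
!    not the server's inside address. Restricting the source to the admin
!    workstation keeps RDP off the open Internet; "any" works but exposes it.
access-list Outside_access_in extended permit tcp host 198.51.100.5 host 203.0.113.10 eq 3389
!
! 3. The missing piece asked about in the question: an ACL has no effect until
!    it is bound to an interface in a direction.
access-group Outside_access_in in interface Outside
!
! --- Verification (privileged EXEC) ---
! Confirm the binding exists.
show running-config access-group
! Hit counts should increase after a test connection from the admin host.
show access-list Outside_access_in
! Confirm the static translation is present.
show xlate
! Replay the inbound SYN through the pipeline; each phase (ROUTE-LOOKUP,
! ACCESS-LIST, NAT, ...) reports ALLOW or DROP, so the failing phase is explicit.
packet-tracer input Outside tcp 198.51.100.5 1806 203.0.113.10 3389
```

A useful check on the syslog line quoted above: the message form "Inbound TCP connection denied ... flags SYN on interface Outside" (message ID 106001) is what the ASA logs when no inbound access list is applied to that interface; once an ACL is bound and it denies the packet, the log changes to message 106023, which names the denying access-group. Seeing 106001 again after adding the permit rule therefore points at the missing `access-group` binding rather than at the rule itself.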
