Cisco ASA 5505 Remote Desktop setup on Port 3389

I would like to setup a Cisco ASA 5505 to allow access to a Terminal Server.
The firewall is connected to the internet and the terminal server is connected and has access to the internet.
I have confirmed that the firewall is receiving packets on port 3389.
My terminal Server is accepting connections and working from inside the network.  
I am running ASA Version 8.4(2) on the firewall.
My Inside interface is
My Outside interface is
My Terminal Server is

I believe I need to first create an Access Rule
Then create a NAT entry to port forward to the Terminal server.

I can use either the gui or the command line entry (within the gui) to configure the firewall.
Many thanks for any help.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You are correct.  Easiest way is use the GUI.  Is the interface an made up IP?  That generally is not a public IP.  It won't work if is you public.  create a NAT rule and access rule using. ASDM.  Here's some examples
JamistAuthor Commented:
The outside interface is not my public IP, but provided by my Internet router.

I have previously unsuccesfully followed the examples in the link above.  I am sure I am making a simple mistake, but cannot find it.

I have found command line examples that would have worked except they were written for ASA 8.2, and are not compatible with the ASA 8.4 I am running.

Ok, so there will be no NAT working there since you'ree using 2 private IP's. You need to use the ISP  router's subnet, or use a public IP address.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

use ASDM just for monitoring and packet tracing.

Use ASDM for config and you'll get nowhere.

Here is the config.

hostname(config)#object network TermServer1
hostname(config-network-object)#nat (inside,outside) static interface service tcp 3389

Open in new window

Then access lists

access-list outside_access_in extended permit tcp any host eq 3389
access-group outside_access_in in interface outside

Open in new window

JamistAuthor Commented:
I have accesed the firewall via Telnet from the inside of the network.  I have tried entering the commands in various ways and cannot get it to work,  In between each attempt I restore the firewall to a fresh install.

I do not get any error messages, just the next prompt line after entering each command.

Non of the changes are reflected anywhere when I examine the config afterwards using ASDM.

Should I be in 'configure terminal' mode for the first part, access-lists part or both?  I have tried this but again it did not work.

Thank you

JamistAuthor Commented:
correction: I can see in ASDM that Network object TermServer has been created as Host with IP
but no NAT entry has been created, I am assuming one should have been.

I have succesfully created the access lists via the command line of ASDM.  Still not working and no hits  showing for the access rule.

I am still receiving 3389 traffic to my outside interface of, they just do not appear to be going anywhere.
This kind of setup is why Cisco added the "Public Servers" feature to ASDM a few years ago. Just login to ASDM, go to Firewall -> Public Servers, click ADD, and enter the following:

Private Interface: inside
Private IP Address:
Service: tcp/3389
Public Interface: outside
Public IP Address:

SuperTaco is right, though, this won't work from the Internet as is not a PUBLIC IP address. What I'm hearing you describe as the network architecture is:

TERMSERVER ( <--> ( inside) ASA ( outside) <--> ( inside) ROUTER (x.x.x.x PUBLIC IP address) <--> Internet

You will need to some kind of port forwarding on your Internet router for this to work from the Internet.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JamistAuthor Commented:
Thank you Iwalcher, your config was virtually correct.  I had to make the following minor changes but the remote desktop connection is now working.  By using the Public Severs feature, the access list and NAT rules were created automatically.  I will now examine them and learn to create them manually using command line.

The NAT from the router was already setup, but I had to change thae translated address to in order for everything to work.

Private Interface: inside
Private IP Address:TermServer1 (ADSM only accept a network object, This net object created following earlier post, it is a host with IP of
Service: tcp/3389
Public Interface: outside
Public IP Address: (This was changed to as ADSM did not like it being the same IP as the outside interface, the router NAT was changed to point at
Cool! Glad it worked. There is a great feature in ASDM that you can use to easily see the text commands of any changes you make before committing them. It can also serve as a "poor man's configuration management" tool if you save off the changes somewhere every time you make them.

Just go to Tools->Preferences->General tab and check the box "Preview commands before sending them to the device."

Have fun!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.