Having trouble configuring port forwarding on ASA 5505

Once upon a time I programmed maybe a half dozen ASA series devices for fairly simple port forwarding and VPN functions. But I just got my first 9.0-era device and I'm having a hell of a time trying to get traffic to pass correctly. I feel like I must be close, but not quite there. Any ASA-xperts that can help me figure out why traffic isn't passing coming in?

My config is this:

Result of the command: "sh config"

: Saved
: Written by enable_15 at 22:11:32.527 UTC Thu Jan 29 2015
!
ASA Version 9.0(1) 
!
hostname ciscoasa
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.137.50.50 255.255.255.224 
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 69.51.76.26
 name-server 69.51.76.36
 name-server 8.8.8.8
 name-server 208.67.220.220
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service Camera10_TCP
 service tcp source eq 8089 destination eq 8089 
object service Camera10_UDP
 service udp source eq 8089 destination eq 8089 
object service Camera1_TCP
 service tcp source eq 8090 destination eq 8090 
object service Camera1_UDP
 service udp source eq 8090 destination eq 8090 
object service Camera2_TCP
 service tcp source eq 8081 destination eq 8081 
object service Camera2_UDP
 service udp source eq 8081 destination eq 8081 
object service Camera3_TCP
 service tcp source eq 8082 destination eq 8082 
object service Camera3_UDP
 service udp source eq 8082 destination eq 8082 
object service Camera4_TCP
 service tcp source eq 8083 destination eq 8083 
object service Camera4_UDP
 service udp source eq 8083 destination eq 8083 
object service Camera5_TCP
 service tcp source eq 8084 destination eq 8084 
object service Camera5_UDP
 service udp source eq 8084 destination eq 8084 
object service Camera6_TCP
 service tcp source eq 8085 destination eq 8085 
object service Camera6_UDP
 service udp source eq 8085 destination eq 8085 
object service Camera7_TCP
 service tcp source eq 8086 destination eq 8086 
object service Camera7_UDP
 service udp source eq 8086 destination eq 8086 
object service Camera8_TCP
 service tcp source eq 8087 destination eq 8087 
object service Camera8_UDP
 service udp source eq 8087 destination eq 8087 
object service Camera9_TCP
 service tcp source eq 8088 destination eq 8088 
object service Camera9_UDP
 service udp source eq 8088 destination eq 8088 
object service Crestron_TCP
 service tcp source range 41781 41795 destination range 41781 41795 
object service Crestron_UDP
 service udp source range 41781 41795 destination range 41781 41795 
object service NVR_22608_TCP
 service tcp source eq 22608 destination eq 22608 
object service NVR_22608_UDP
 service udp source eq 22608 destination eq 22608 
object service NVR_22609_TCP
 service tcp source eq 22609 destination eq 22609 
object service NVR_22609_UDP
 service udp source eq 22609 destination eq 22609 
object service Company_Web_TCP
 service tcp destination eq 987 
object service Terminal_Services
 service tcp destination eq 3389 
object service SMTP
 service tcp source eq smtp destination eq smtp 
 description SMTP
object network SBS_Server
 host 192.168.1.10
object network SBS_Server_3389_TCP
 host 192.168.15.10
object network SBS_Server_25_TCP
 host 192.168.15.10
object network SBS_Server_443_TCP
 host 192.168.15.10
object network SBS_Server_80_TCP
 host 192.168.15.10
object network NVR
 host 192.168.15.250
object network Camera1
 host 192.168.15.180
object network Camera10
 host 192.168.15.189
object network Camera2
 host 192.168.15.181
object network Camera3
 host 192.168.15.182
object network Camera4
 host 192.168.15.183
object network Camera5
 host 192.168.15.184
object network Camera6
 host 192.168.15.185
object network Camera7
 host 192.168.15.186
object network Camera8
 host 192.168.15.187
object network Camera9
 host 192.168.15.188
object network Crestron
 host 192.168.15.100
object network SBS_Server_987_TCP
 host 192.168.15.10
object network Camera1_8090_TCP
 host 192.168.15.180
object network Camera1_8090_UDP
 host 192.168.15.180
object network Camera2_8081_TCP
 host 192.168.15.181
object network Camera2_8081_UDP
 host 192.168.15.181
object network Camera3_8082_TCP
 host 192.168.15.182
object network Camera3_8082_UDP
 host 192.168.15.182
object network Camera4_8083_TCP
 host 192.168.15.183
object network Camera4_8083_UDP
 host 192.168.15.183
object network Camera5_8084_TCP
 host 192.168.15.184
object network Camera5_8084_UDP
 host 192.168.15.184
object network Camera6_8085_TCP
 host 192.168.15.185
object network Camera6_8085_UDP
 host 192.168.15.185
object network Camera7_8086_UDP
 host 192.168.15.186
object network Camera7_8086_TCP
 host 192.168.15.186
object network Camera8_8087_TCP
 host 192.168.15.187
object network Camera8_8087_UDP
 host 192.168.15.187
object network Camera9_8088_UDP
 host 192.168.15.188
object network Camera9_8088_TCP
 host 192.168.15.188
object network Camera10_8089_TCP
 host 192.168.15.189
object network Camera10_8089_UDP
 host 192.168.15.189
object network NVR_TCP_22608
 host 192.168.15.250
object network NVR_TCP_22609
 host 192.168.15.250
object network NVR_UDP_22609
 host 192.168.15.250
object network NVR_UDP_22608
 host 192.168.15.250
object network Crestron_Pro_TCP
 host 192.168.15.100
object network Crestron_Pro_UDP
 host 192.168.15.100
object-group service Camera10_Services
 service-object object Camera10_TCP 
 service-object object Camera10_UDP 
object-group service Camera1_Services
 service-object object Camera1_TCP 
 service-object object Camera1_UDP 
object-group service Camera2_Services
 service-object object Camera2_TCP 
 service-object object Camera2_UDP 
object-group service Camera3_Services
 service-object object Camera3_TCP 
 service-object object Camera3_UDP 
object-group service Camera4_Services
 service-object object Camera4_TCP 
 service-object object Camera4_UDP 
object-group service Camera5_Services
 service-object object Camera5_TCP 
 service-object object Camera5_UDP 
object-group service Camera6_Services
 service-object object Camera6_TCP 
 service-object object Camera6_UDP 
object-group service Camera7_Services
 service-object object Camera7_TCP 
 service-object object Camera7_UDP 
object-group service Camera8_Services
 service-object object Camera8_TCP 
 service-object object Camera8_UDP 
object-group service Camera9_Services
 service-object object Camera9_TCP 
 service-object object Camera9_UDP 
object-group service Crestron_Services
 service-object object Crestron_TCP 
 service-object object Crestron_UDP 
object-group service NVR_Services
 service-object object NVR_22608_TCP 
 service-object object NVR_22608_UDP 
 service-object object NVR_22609_TCP 
 service-object object NVR_22609_UDP 
object-group service SBS_Server_Services
 service-object object Company_Web_TCP 
 service-object object Terminal_Services 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq smtp 
! Inbound permit entries, written against the hosts' real inside addresses.
! Only an ACL named in an access-group command is evaluated. This config binds
! just Crestron_Pro_UDP_In to the outside interface, so every other ACL in this
! run is defined but never applied.
! NOTE(review): 192.168.1.10 is outside the 192.168.15.0/24 subnet configured on Vlan1.
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq www 
! Source is the SBS_Server object (host 192.168.1.10), so this entry describes SMTP
! leaving that host rather than traffic arriving from outside.
access-list outside_access_in_1 extended permit tcp object SBS_Server any eq smtp 
! Permits TCP 3389 from any source. NOTE(review): before binding an entry like this
! to the outside interface, narrow the source to known addresses or reach the
! server over a VPN instead.
access-list SBS_Server_3389_TCP_In extended permit tcp any host 192.168.15.10 eq 3389 
access-list SBS_Server_25_TCP_In extended permit tcp any host 192.168.15.10 eq smtp 
access-list SBS_Server_443_TCP_In extended permit tcp any host 192.168.15.10 eq https 
! Despite its name, SBS_Server_80_TCP_In carries the rules for every published host.
! object SBS_Server is host 192.168.1.10, not 192.168.15.10.
access-list SBS_Server_80_TCP_In extended permit object-group SBS_Server_Services any object SBS_Server 
! The NVR, Camera and Crestron service groups are built from service objects that
! set the source port as well as the destination port (for example
! "service tcp source eq 8090 destination eq 8090"), so these entries match only
! packets whose source port is also the listed port.
! NOTE(review): clients normally connect from an arbitrary source port - confirm
! that the source match is intended.
access-list SBS_Server_80_TCP_In extended permit object-group NVR_Services any object NVR 
access-list SBS_Server_80_TCP_In extended permit object-group Camera1_Services any object Camera1 
access-list SBS_Server_80_TCP_In extended permit object-group Camera2_Services any object Camera2 
access-list SBS_Server_80_TCP_In extended permit object-group Camera3_Services any object Camera3 
access-list SBS_Server_80_TCP_In extended permit object-group Camera4_Services any object Camera4 
access-list SBS_Server_80_TCP_In extended permit object-group Camera5_Services any object Camera5 
access-list SBS_Server_80_TCP_In extended permit object-group Camera6_Services any object Camera6 
access-list SBS_Server_80_TCP_In extended permit object-group Camera7_Services any object Camera7 
access-list SBS_Server_80_TCP_In extended permit object-group Camera8_Services any object Camera8 
access-list SBS_Server_80_TCP_In extended permit object-group Camera9_Services any object Camera9 
access-list SBS_Server_80_TCP_In extended permit object-group Camera10_Services any object Camera10 
access-list SBS_Server_80_TCP_In extended permit object-group Crestron_Services any object Crestron 
access-list SBS_Server_80_TCP_In extended permit tcp any host 192.168.15.10 eq www 
! Same rule as SBS_Server_3389_TCP_In, under a second name.
access-list SBS_Server_3389_In extended permit tcp any host 192.168.15.10 eq 3389 
access-list SBS_Server_987_In extended permit tcp any host 192.168.15.10 eq 987 
! One single-entry ACL per camera, per protocol: destination port only, any source.
access-list Camera1_8090_TCP_In extended permit tcp any host 192.168.15.180 eq 8090 
access-list Camera1_8090_UDP_In extended permit udp any host 192.168.15.180 eq 8090 
access-list Camera2_8081_TCP_In extended permit tcp any host 192.168.15.181 eq 8081 
access-list Camera2_8081_UDP_In extended permit udp any host 192.168.15.181 eq 8081 
access-list Camera3_8082_TCP_In extended permit tcp any host 192.168.15.182 eq 8082 
access-list Camera3_8082_UDP_In extended permit udp any host 192.168.15.182 eq 8082 
! NOTE(review): the ACL is named ..._TCP_In but the entry permits udp - probably meant tcp.
access-list Camera4_8083_TCP_In extended permit udp any host 192.168.15.183 eq 8083 
access-list Camera4_8083_UDP_In extended permit udp any host 192.168.15.183 eq 8083 
access-list Camera5_8084_TCP_In extended permit tcp any host 192.168.15.184 eq 8084 
access-list Camera5_8084_UDP_In extended permit udp any host 192.168.15.184 eq 8084 
access-list Camera6_8085_TCP_In extended permit tcp any host 192.168.15.185 eq 8085 
access-list Camera6_8085_UDP_In extended permit udp any host 192.168.15.185 eq 8085 
access-list Camera7_8086_UDP_In extended permit udp any host 192.168.15.186 eq 8086 
access-list Camera7_8086_TCP_In extended permit tcp any host 192.168.15.186 eq 8086 
access-list Camera8_8087_TCP_In extended permit tcp any host 192.168.15.187 eq 8087 
access-list Camera8_8087_UDP_In extended permit udp any host 192.168.15.187 eq 8087 
access-list Camera9_8088_UDP_In extended permit udp any host 192.168.15.188 eq 8088 
access-list Camera9_8088_TCP_In extended permit tcp any host 192.168.15.188 eq 8088 
! Same rule as SBS_Server_987_In, under a second name.
access-list SBS_Server_987_TCP_In extended permit tcp any host 192.168.15.10 eq 987 
access-list Camera10_8089_TCP_In extended permit tcp any host 192.168.15.189 eq 8089 
access-list Camera10_8089_UDP_In extended permit udp any host 192.168.15.189 eq 8089 
access-list NVR_TCP_22608_In extended permit tcp any host 192.168.15.250 eq 22608 
access-list NVR_TCP_22609_In extended permit tcp any host 192.168.15.250 eq 22609 
access-list NVR_UDP_22609_In extended permit udp any host 192.168.15.250 eq 22609 
access-list NVR_UDP_22608_In extended permit udp any host 192.168.15.250 eq 22608 
! The only ACL in this config that an access-group command references is the UDP one below.
access-list Crestron_Pro_TCP_In extended permit tcp any host 192.168.15.100 range 41781 41795 
access-list Crestron_Pro_UDP_In extended permit udp any host 192.168.15.100 range 41781 41795 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! Manual (twice) NAT for the Crestron port range 41781-41795: the source is left
! unchanged (static any any) and the destination is translated between the
! outside interface address and the Crestron_Pro_* objects (host 192.168.15.100).
! Crestron is the only published host handled here; the SBS server, cameras and
! NVR use per-object "nat ... static interface service" rules instead.
! NOTE(review): presumably meant as an inbound port forward, but the rule is
! written in the (inside,outside) direction - verify the result with packet-tracer.
nat (inside,outside) source static any any destination static interface Crestron_Pro_TCP service Crestron_TCP Crestron_TCP
nat (inside,outside) source static any any destination static interface Crestron_Pro_UDP service Crestron_UDP Crestron_UDP
!
object network SBS_Server_3389_TCP
 nat (inside,outside) static interface service tcp 3389 3389 
object network SBS_Server_25_TCP
 nat (inside,outside) static interface service tcp smtp smtp 
object network SBS_Server_443_TCP
 nat (inside,outside) static interface service tcp https https 
object network SBS_Server_80_TCP
 nat (inside,outside) static interface service tcp www www 
object network SBS_Server_987_TCP
 nat (inside,outside) static interface service tcp 987 987 
object network Camera1_8090_TCP
 nat (inside,outside) static interface service tcp 8090 8090 
object network Camera1_8090_UDP
 nat (inside,outside) static interface service udp 8090 8090 
object network Camera2_8081_TCP
 nat (inside,outside) static interface service tcp 8081 8081 
object network Camera2_8081_UDP
 nat (inside,outside) static interface service udp 8081 8081 
object network Camera3_8082_TCP
 nat (inside,outside) static interface service tcp 8082 8082 
object network Camera3_8082_UDP
 nat (inside,outside) static interface service udp 8082 8082 
object network Camera4_8083_TCP
 nat (inside,outside) static interface service tcp 8083 8083 
object network Camera4_8083_UDP
 nat (inside,outside) static interface service udp 8083 8083 
object network Camera5_8084_TCP
 nat (inside,outside) static interface service tcp 8084 8084 
object network Camera5_8084_UDP
 nat (inside,outside) static interface service udp 8084 8084 
object network Camera6_8085_TCP
 nat (inside,outside) static interface service tcp 8085 8085 
object network Camera6_8085_UDP
 nat (inside,outside) static interface service udp 8085 8085 
object network Camera7_8086_UDP
 nat (inside,outside) static interface service udp 8086 8086 
object network Camera7_8086_TCP
 nat (inside,outside) static interface service tcp 8086 8086 
object network Camera8_8087_TCP
 nat (inside,outside) static interface service tcp 8087 8087 
object network Camera8_8087_UDP
 nat (inside,outside) static interface service udp 8087 8087 
object network Camera9_8088_UDP
 nat (inside,outside) static interface service udp 8088 8088 
object network Camera9_8088_TCP
 nat (inside,outside) static interface service tcp 8088 8088 
object network Camera10_8089_TCP
 nat (inside,outside) static interface service tcp 8089 8089 
object network Camera10_8089_UDP
 nat (inside,outside) static interface service udp 8089 8089 
object network NVR_TCP_22608
 nat (inside,outside) static interface service tcp 22608 22608 
object network NVR_TCP_22609
 nat (inside,outside) static interface service tcp 22609 22609 
object network NVR_UDP_22609
 nat (inside,outside) static interface service udp 22609 22609 
object network NVR_UDP_22608
 nat (inside,outside) static interface service udp 22608 22608 
!
! Catch-all dynamic PAT: any inside source is translated to the outside interface
! address. "after-auto" places the rule after the object NAT rules.
nat (inside,outside) after-auto source dynamic any interface
! This is the only access-group in the config, so Crestron_Pro_UDP_In (UDP
! 41781-41795 to 192.168.15.100) is the only ACL filtering traffic that arrives on
! the outside interface. An interface takes one ACL per direction; none of the
! other ACLs defined in this config is applied anywhere.
access-group Crestron_Pro_UDP_In in interface outside
! Default route. NOTE(review): the next hop 209.137.240.30 is not inside the
! 209.137.50.32/27 network configured on Vlan2 (209.137.50.50 255.255.255.224) -
! possibly altered for posting; confirm against the real addressing.
route outside 0.0.0.0 0.0.0.0 209.137.240.30 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! Management access. The HTTP server (used by ASDM) is reachable from two inside
! networks. NOTE(review): 192.168.1.0/24 is not the subnet configured on Vlan1
! (192.168.15.0/24) - remove it if it is a leftover.
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
! Telnet carries credentials in cleartext. No "ssh <network> <mask> <interface>"
! permit line is present, only the ssh timeout, so telnet and ASDM are the remote
! management paths this config allows. Prefer SSH and drop the telnet lines.
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
! NOTE(review): a console timeout of 0 should mean console sessions never idle out -
! confirm that is acceptable where the device is installed.
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 300
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:49cadc4a728baa9cc9d4ac15187ea411

ssittigAsked:

ffleismaSenior Network EngineerCommented:
Your NAT configuration seems fine, but the ACL configuration on the "outside" interface needs work.
! Excerpt from the question's config: two Crestron ACLs are defined (TCP and UDP,
! ports 41781-41795 to 192.168.15.100), but the access-group line binds only the
! UDP one to the outside interface.
access-list Crestron_Pro_TCP_In extended permit tcp any host 192.168.15.100 range 41781 41795 
access-list Crestron_Pro_UDP_In extended permit udp any host 192.168.15.100 range 41781 41795
!
access-group Crestron_Pro_UDP_In in interface outside


I would rather give the ACL the default name "outside_access_in", which is more descriptive of its purpose.
You've created multiple named ACLs:
access-list SBS_Server_80_TCP_In
access-list Camera1_8090_TCP_In
access-list Crestron_Pro_UDP_In
etc..

but you can apply only one ACL to an interface in a given direction, so only "Crestron_Pro_UDP_In" was in effect.
Below is the correct way to apply the access control list (ACL) to your outside interface:
! All inbound rules merged into one ACL, outside_access_in, and bound once to the
! outside interface. The first two lines are the question's original entries,
! left commented out.
! NOTE(review): every entry permits from "any"; where the remote peers are known,
! narrow the source, especially for TCP 3389.
!access-list outside_access_in extended permit tcp any host 192.168.1.10 eq www 
!access-list outside_access_in_1 extended permit tcp object SBS_Server any eq smtp 
!
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 3389 
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq smtp 
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq https 
! NOTE(review): in the question's config, object SBS_Server is host 192.168.1.10,
! so this entry does not cover 192.168.15.10.
access-list outside_access_in extended permit object-group SBS_Server_Services any object SBS_Server 
! NOTE(review): the NVR, Camera and Crestron service groups come from service
! objects that set source and destination port alike (e.g. "source eq 8090
! destination eq 8090"), so these entries match only packets whose source port is
! also the listed port. The per-host tcp/udp entries further down match on
! destination port alone.
access-list outside_access_in extended permit object-group NVR_Services any object NVR 
access-list outside_access_in extended permit object-group Camera1_Services any object Camera1 
access-list outside_access_in extended permit object-group Camera2_Services any object Camera2 
access-list outside_access_in extended permit object-group Camera3_Services any object Camera3 
access-list outside_access_in extended permit object-group Camera4_Services any object Camera4 
access-list outside_access_in extended permit object-group Camera5_Services any object Camera5 
access-list outside_access_in extended permit object-group Camera6_Services any object Camera6 
access-list outside_access_in extended permit object-group Camera7_Services any object Camera7 
access-list outside_access_in extended permit object-group Camera8_Services any object Camera8 
access-list outside_access_in extended permit object-group Camera9_Services any object Camera9 
access-list outside_access_in extended permit object-group Camera10_Services any object Camera10 
access-list outside_access_in extended permit object-group Crestron_Services any object Crestron 
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq www 
! Repeats the 3389 entry at the top of this ACL; redundant.
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 3389 
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 987 
access-list outside_access_in extended permit tcp any host 192.168.15.180 eq 8090 
access-list outside_access_in extended permit udp any host 192.168.15.180 eq 8090 
access-list outside_access_in extended permit tcp any host 192.168.15.181 eq 8081 
access-list outside_access_in extended permit udp any host 192.168.15.181 eq 8081 
access-list outside_access_in extended permit tcp any host 192.168.15.182 eq 8082 
access-list outside_access_in extended permit udp any host 192.168.15.182 eq 8082 
! NOTE(review): both 8083 entries are udp, carried over from the question's
! Camera4_8083_TCP_In ACL; the first was probably meant to be tcp. As written, no
! destination-only entry permits TCP 8083 to 192.168.15.183.
access-list outside_access_in extended permit udp any host 192.168.15.183 eq 8083 
access-list outside_access_in extended permit udp any host 192.168.15.183 eq 8083 
access-list outside_access_in extended permit tcp any host 192.168.15.184 eq 8084 
access-list outside_access_in extended permit udp any host 192.168.15.184 eq 8084 
access-list outside_access_in extended permit tcp any host 192.168.15.185 eq 8085 
access-list outside_access_in extended permit udp any host 192.168.15.185 eq 8085 
access-list outside_access_in extended permit udp any host 192.168.15.186 eq 8086 
access-list outside_access_in extended permit tcp any host 192.168.15.186 eq 8086 
access-list outside_access_in extended permit tcp any host 192.168.15.187 eq 8087 
access-list outside_access_in extended permit udp any host 192.168.15.187 eq 8087 
access-list outside_access_in extended permit udp any host 192.168.15.188 eq 8088 
access-list outside_access_in extended permit tcp any host 192.168.15.188 eq 8088 
! Repeats the 987 entry a few lines up; redundant.
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 987 
access-list outside_access_in extended permit tcp any host 192.168.15.189 eq 8089 
access-list outside_access_in extended permit udp any host 192.168.15.189 eq 8089 
access-list outside_access_in extended permit tcp any host 192.168.15.250 eq 22608 
access-list outside_access_in extended permit tcp any host 192.168.15.250 eq 22609 
access-list outside_access_in extended permit udp any host 192.168.15.250 eq 22609 
access-list outside_access_in extended permit udp any host 192.168.15.250 eq 22608 
access-list outside_access_in extended permit tcp any host 192.168.15.100 range 41781 41795 
access-list outside_access_in extended permit udp any host 192.168.15.100 range 41781 41795 
!
! Binds the merged ACL to inbound traffic on the outside interface. Because an
! interface takes one ACL per direction, this should take the place of the earlier
! Crestron_Pro_UDP_In binding - confirm with "show run access-group".
access-group outside_access_in in interface outside


I'm not sure what line 1 is for: it refers to 192.168.1.10, but your network is 192.168.15.x/24.
I'm also not sure what line 2 is for. Are you trying to allow the SBS_Server to reach the Internet via SMTP with this line? It is not needed: you don't have an ACL applied to your inside interface, so all traffic from inside going out a lower-security interface (outside) is allowed by default.
I've assumed that the ACL entries with source "any" refer to incoming traffic from the Internet.

Also, I noticed these odd-looking NAT statements:
! Excerpt from the question's config: manual (twice) NAT for the Crestron ports
! 41781-41795. The source is left unchanged (static any any); the destination is
! translated between the outside interface address and the Crestron_Pro_* objects
! (host 192.168.15.100).
! NOTE(review): written in the (inside,outside) direction; if an inbound port
! forward is intended, check the result with packet-tracer.
nat (inside,outside) source static any any destination static interface Crestron_Pro_TCP service Crestron_TCP Crestron_TCP
nat (inside,outside) source static any any destination static interface Crestron_Pro_UDP service Crestron_UDP Crestron_UDP


This basically means: NAT the source from any to any (the source IP stays the same) and NAT the destination from the (outside) interface address to Crestron_Pro.
I'm not sure what you are going for with these statements.
Hopefully this helps. If you have any further questions, I'll be glad to help out!