I wanted to quickly create a firewall port forward (AKA NAT rule) for the Terminal Services port on a Cisco ASA 5505. Since it had initially been set up using ASDM, it seemed natural to also create the port forward this way.
Unfortunately, my first few attempts didn’t work. Some searching only turned up examples using an older method that no longer works with newer software. In the end, I think the mistake I was making was in the very first step — the originating interface should be inside, not the outside interface. Here are the exact steps I took to create this.
Create NAT Rule
- Click Configuration (top)
- Click Firewall (bottom-left)
- Click NAT Rules (middle-left)
- Select Add->Static NAT Rule
- Original
  - Interface: inside
  - Source: 192.168.0.99
- Translated
  - Interface: Outside
  - Select Use Interface IP Address
- Port Address Translation (PAT)
  - Check Enable Port Address Translation (PAT)
  - Protocol: TCP
  - Original Port: 3389
  - Translated Port: 3389
- Click OK
Create Access Rule
- Click Access Rules
- Select Add->Add Access Rule
  - Interface: outside
  - Action: Permit
  - Source: any
  - Destination: 111.111.111.111 <- the address of your WAN interface
  - Service: tcp/3389
  - Enable Logging: unchecked
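
The access rule above permits any source to tcp/3389 with logging off. The following check is an added example, not part of the original post: it scans exported ASA configuration text for such entries. It assumes the rule is stored in the usual `access-list ... extended permit tcp ...` form; the sample lines, ACL name and function names are constructed for illustration.

```python
# Constructed sample of ASA running-config lines (assumed extended ACL form;
# the ACL name and the 203.0.113.10 address are made up for this example).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host 111.111.111.111 eq 3389 log disable
access-list outside_access_in extended permit tcp host 203.0.113.10 host 111.111.111.111 eq 3389
access-list outside_access_in extended permit tcp any host 111.111.111.111 eq 443
access-list outside_access_in extended deny ip any any
access-group outside_access_in in interface outside
"""


def _take_addr(tokens):
    """Consume one address spec: 'any', or a two-token form such as
    'host A', 'interface NAME', 'object-group NAME' or 'A MASK'."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] in ("any", "any4", "any6"):
        return tokens[0], tokens[1:]
    if len(tokens) < 2:
        raise ValueError("truncated address")
    return " ".join(tokens[:2]), tokens[2:]


def audit_rdp_exposure(config, port=3389):
    """Return (line number, ACL name, destination, issues) for permit entries
    that expose `port` to any source or have logging disabled.
    Narrow on purpose: only 'eq <port>' on the destination is recognised;
    port ranges and source-port operators are skipped."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "tcp"]:
            continue
        try:
            src, rest = _take_addr(t[5:])
            dst, rest = _take_addr(rest)
        except ValueError:
            continue
        if rest[:2] != ["eq", str(port)]:
            continue
        issues = []
        if src.startswith("any"):
            issues.append("source is any")
        if rest[2:4] == ["log", "disable"]:
            issues.append("logging disabled")
        if issues:
            findings.append((lineno, t[1], dst, issues))
    return findings
```

An entry limited to a known source address with logging left on, like the second sample line, is not reported.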