ASA 9.1 Static PAT (Port Forwarding) Not Working – Cisco NAT Troubleshooting


The goal is to forward two different ports, 1195 and 1196, from the outside address of the ASA to two different hosts on the inside, but on the same port.

These are the addresses used in this example:

  • ASA.Internet 192.168.1.99/24
  • ASA.DMZ 172.16.0.1/24

Here is the relevant part of the config for one inside host:

object network VPN2
 host 172.16.0.66 
 nat (DMZ,Internet) static interface service udp 1194 1195

object service VPN
 service udp destination eq 1194

access-list Internet_access_in_1 extended permit object VPN any object VPN2
access-list Internet_access_in_1 extended deny ip any any

The questions are:

  • What is the correct way to use packet tracer in this case?
  • What is the correct destination port to use in the ACL in this case?

Experiments:

Using packet-tracer input internet udp 8.8.8.8 1234 172.16.0.66 1194 (inside IP/port), I get:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN2
 nat (DMZ,Internet) static interface service udp 1194 1195
Additional Information:

Using packet-tracer input internet udp 8.8.8.8 1234 192.168.1.99 1195 (outside IP/port), I obviously get:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

In any case, packets are currently hitting the firewall on the Internet (outside) interface on udp port 1195, but they aren't seen inside. show nat detail:

  (DMZ) to (Internet) source static VPN2 interface   service udp 1194 1195
     translate_hits = 0, untranslate_hits = 0
     Source - Origin: 172.16.0.66/32, Translated: 192.168.1.99/24
     Service - Protocol: udp Real: 1194 Mapped: 1195

Now, what is making me even crazier: if I add port 1195 to the access list, the following invocation of packet-tracer accepts the traffic:

packet-tracer input internet tcp 8.8.8.8 1234 172.16.0.66 1195

That's the inside IP but the outside port? WT…?

Best Answer

There was a manual Dynamic PAT (Hide) to any in NAT section 1. I moved it to after-auto (section 3) and all is good...
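The fix from the accepted answer, written out as a before/after config excerpt. This is an added example, not the poster's or answerer's actual configuration; the exact form of the section 1 dynamic PAT rule (`source dynamic any interface`) and the `access-group` line are assumptions, since the post only says there was a "manual Dynamic PAT (Hide) to any in NAT section 1".

```cisco
! --- BEFORE: manual dynamic PAT sitting in NAT section 1 (before-auto) ---
! Section 1 is evaluated before the object (auto) NAT in section 2, so the
! reverse lookup for 172.16.0.66 (DMZ -> Internet) matches this hide rule
! instead of the static PAT below. The forward and reverse translations
! then disagree, which packet-tracer reports as
! "Phase: NAT / Subtype: rpf-check / Result: DROP".
! (Assumed form of the rule; the post only says "Dynamic PAT (Hide) to any".)
nat (DMZ,Internet) source dynamic any interface

! Object NAT (section 2): outside udp/1195 -> 172.16.0.66 udp/1194
object network VPN2
 host 172.16.0.66
 nat (DMZ,Internet) static interface service udp 1194 1195

! --- AFTER: move the hide rule to section 3 (after-auto) ---
! Remove the section 1 rule and re-add it with the after-auto keyword, so the
! object NAT static PAT is the first match in both directions and the hide
! rule only catches DMZ hosts that have no more specific translation.
no nat (DMZ,Internet) source dynamic any interface
nat (DMZ,Internet) after-auto source dynamic any interface

! The ACL on the outside interface keeps the real (untranslated) port 1194,
! as in the original post: the ASA un-translates the destination before the
! ACCESS-LIST phase, so the rule sees 172.16.0.66 udp/1194, not 1195.
object service VPN
 service udp destination eq 1194
access-list Internet_access_in_1 extended permit object VPN any object VPN2
access-list Internet_access_in_1 extended deny ip any any
! Assumed; the post does not show how the ACL is applied.
access-group Internet_access_in_1 in interface Internet

! Verify the way the packet really arrives on the wire: OUTSIDE address and
! MAPPED port. Check that the NAT phase now cites the VPN2 object rule rather
! than the hide rule, and that "show nat detail" untranslate_hits for VPN2
! increments after real traffic to udp/1195.
packet-tracer input Internet udp 8.8.8.8 1234 192.168.1.99 1195
show nat detail
```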