I have a Cisco ASA 5520 with a DMZ and an inside interface. The security policy is set up to permit IP ANY from a host on the DMZ to a host on the inside. The host on the DMZ is initiating communication on UDP port 2114, which is a challenge-response authentication. The ASA does not log it in any of the syslogs or the log buffer, even under debugging, and it drops it. With a CLI capture I see the packet on the DMZ interface, but it never goes out the internal interface. NAT is correctly set up and verified.
If I do a packet-tracer from the CLI or ASDM for one host to the other on UDP port 2114, it only shows FLOW-LOOKUP and says it is using an existing flow with ID (number). It then gives an end result with question marks for the exit interface. If I change this to another port it works fine and properly shows the access-list and route lookup. It can obviously route.
I have an open TAC case, but I'm wondering if anyone else has ever seen this issue. A reboot of the ASA didn't help; it simply changed the FLOW-LOOKUP number.
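A diagnostic sequence for the symptom described above, added here as an example and not part of the original thread. The interface names DMZ and inside come from the post; the host addresses, the UDP source port and the capture name `drops` are assumed, and lines beginning with `!` are annotations rather than commands.

```cisco
! Placeholder addresses (assumed, not from the post):
!   DMZ host     10.10.10.5   (source, assumed to use source port 2114)
!   inside host  192.168.1.20 (destination, UDP 2114)

! 1. Reproduce what the post describes. A trace that shows only a
!    FLOW-LOOKUP phase and an unknown output interface means the packet
!    matched an entry already in the connection table, so the ACL and
!    route lookup phases are skipped and nothing is logged for it.
packet-tracer input DMZ udp 10.10.10.5 2114 192.168.1.20 2114 detailed

! 2. Find that entry. 'detail' prints the flags and the interfaces the
!    entry was built on, which shows whether it points at the wrong egress.
show conn detail protocol udp port 2114

! 3. Confirm the drop and its reason, since syslog is silent. The asp-drop
!    capture records every packet the accelerated security path discards
!    together with its drop code.
show asp drop
capture drops type asp-drop all
show capture drops | include 2114
no capture drops

! 4. Remove the stale entry for this flow only (not 'clear conn all'),
!    then re-run step 1. A healthy trace shows ACCESS-LIST and ROUTE-LOOKUP
!    phases and a real output interface, as the post reports for other ports.
clear conn protocol udp address 10.10.10.5 port 2114 address 192.168.1.20 port 2114
packet-tracer input DMZ udp 10.10.10.5 2114 192.168.1.20 2114 detailed
```

If the entry reappears after being cleared, the conn table is being rebuilt from the first packet of the next exchange, and the output of step 2 immediately after that packet shows which interface and NAT rule the flow was built on.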