PAT on ASA5505

Feanor-jla
Level 1

I'm trying to configure basic port forwarding.  TCP port 51088 needs to be forwarded from the outside interface to inside host 192.168.69.100.  Piece of cake, right?  What I'm trying should be incredibly easy and I'm embarrassed to say that I cannot figure out where I'm going wrong.  The packet-trace output says the ACL is denying it but I don't see how.

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088

access-group aclDAVE-SERVER in interface outside

asa5505# packet-trace input outside tcp 8.8.8.8 51088 74.125.224.34 51088

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule


11 Replies

Fawadnoorkhan_2
Level 1

What does your NAT configuration look like? It's difficult to tell from the configuration you have provided.

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088

access-group aclDAVE-SERVER in interface outside

asa5505# packet-trace input outside tcp 8.8.8.8 51088 74.125.224.34 51088

What is 192.168.69.100, and what is 74.125.224.34?

regards,

Sorry about that; I forgot to post the NAT config.

global (outside) 1 interface

nat (inside) 1 access-list aclDAVE-SERVER

nat (inside) 1 0.0.0.0 0.0.0.0

192.168.69.100 is a Linux server on the inside that will be receiving the connection on TCP port 51088

74.125.224.34 is the current outside DHCP address (let me know if there is some voodoo to use that dynamically rather than looking it up and specifying the IP)

I was originally trying to do this with object-groups in the ACL but when it wasn't working I removed them from the equation, at least until I figure out what I did wrong.

Thanks for the help!

Hi Jeremy,

Drop-reason: (acl-drop) Flow is denied by configured rule

The issue is the access-list applied on the outside.

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088

it should be

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088

Also, in order to have connections initiated from outside, you should configure a static NAT:

static (inside,outside) tcp interface 51088 192.168.69.100 51088

Dan

Ah, I see.  On incoming packets the destination will not be the inside address, so the destination should be the outside address in the ACL.

I corrected the ACL and added the Static NAT, but unfortunately it's still not letting it through.  I tried both before and after removing the Policy NAT statement referencing the ACL, but the packet-trace results were the same either way.

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088

access-group aclDAVE-SERVER in interface outside

Because the outside is on DHCP I also tried this access-list which would be better for me, but it didn't work either:

access-list aclDAVE-SERVER extended permit tcp any eq 51088 interface outside eq 51088

I even went so far as to replace the bold with any and still could not get through.

Hi Jeremy,

If the IP of the outside is via DHCP, there is no static DHCP pool, so it is better to use any as the destination.

But you will have to know when the IP changes in order to access the application.

Do you have inspection enabled? (show service-policy)

What kind of application is this on TCP 51088?

Dan

Thanks Dan,

A DynDNS account is being maintained to keep track of the dynamic IP so no worries there.  TCP 51088 is being used for SSH, because, well, it's Dave's server and that's the port he wants to use.

show service-policy returned nothing so it looks good there.

All I can think is that I need to do something different with NAT because it shows outside as both the input and output interfaces in the packet-trace.

Hi Jeremy,

The problem is the NAT. Please change it as below:

no static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

static (inside,outside) tcp 74.125.224.34 51088 192.168.69.100 51088 netmask 255.255.255.255

Also, the access-list:

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088

should not have 51088 as a source port.

Let's see how it goes.

Dan
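Two of the points made in the replies above can be checked mechanically: on pre-8.3 code the ACL applied inbound on the outside interface has to name the mapped (outside) destination rather than the inside host, and the entry should not match on a client source port. The following Python linter is an added example, not code from this thread or from Cisco. It parses ASA extended ACL entries and flags those two mistakes; the third finding (a permit from any source to any destination) goes beyond what the thread discusses and is a least-privilege note, not a correctness bug. The sample entries are the variants posted in this thread; the parser assumes address specs of the form any, host A.B.C.D, interface NAME or NETWORK MASK, each with an optional eq PORT operator.

```python
"""Lint ASA extended ACL entries applied inbound on the outside interface (pre-8.3).

Added example for this thread; not code from the original posts or from Cisco.
Encodes two points made above: an outside ACL must name the mapped (outside)
destination, not the inside real address, and matching a client source port is
wrong because clients use ephemeral ports. The any/any finding goes beyond the
thread: it is a least-privilege note, not a correctness bug.
Assumed: address specs are `any`, `host A.B.C.D`, `interface NAME` or `NET MASK`.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ACL variants posted in this thread, in the order tried.
SAMPLE_ACLS = [
    "access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088",
    "access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088",
    "access-list aclDAVE-SERVER extended permit tcp any eq 51088 interface outside eq 51088",
    "access-list aclDAVE-SERVER extended permit tcp any any eq 51088",
    "access-list acl-outside extended permit tcp any any eq 51088",
]


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    findings: List[str] = field(default_factory=list)


def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec: any | host A | interface NAME | NETWORK MASK."""
    t = tokens.pop(0)
    if t == "any":
        return t
    if t == "host":
        return tokens.pop(0)                 # bare address
    return f"{t} {tokens.pop(0)}"            # "interface NAME" or "NETWORK MASK"


def _take_port(tokens: List[str]) -> Optional[str]:
    """Consume an optional `eq PORT` operator."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return tokens.pop(0)
    return None


def parse_acl(line: str) -> AclEntry:
    """Parse `access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]`."""
    m = re.match(r"access-l(?:ist)?\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)", line.strip())
    if not m:
        raise ValueError(f"not an extended ACL entry: {line}")
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src = _take_addr(tokens)
    src_port = _take_port(tokens)
    dst = _take_addr(tokens)
    dst_port = _take_port(tokens)
    return AclEntry(name, action, proto, src, src_port, dst, dst_port)


def _is_private_host(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:                       # "any", "interface outside", "NET MASK"
        return False


def lint_outside_acl(line: str) -> AclEntry:
    """Parse one entry and attach findings relevant to an inbound outside ACL (pre-8.3)."""
    e = parse_acl(line)
    if e.src_port is not None:
        e.findings.append(f"source-port match (eq {e.src_port}): clients pick ephemeral source ports, "
                          f"so this only matches connections that happen to come from port {e.src_port}")
    if _is_private_host(e.dst):
        e.findings.append(f"destination {e.dst} is an inside (RFC 1918) address; on pre-8.3 code the outside "
                          f"ACL is checked against the mapped outside address, so this entry never matches")
    if e.action == "permit" and e.src == "any" and e.dst == "any":
        e.findings.append("permit any -> any: works, but consider restricting the source to the "
                          "networks that should reach this service")
    return e


if __name__ == "__main__":
    for acl in SAMPLE_ACLS:
        entry = lint_outside_acl(acl)
        print(acl)
        for f in entry.findings:
            print("   ", f)
```

One thing worth noticing when reading the traces in this thread: every packet-tracer command above uses 51088 as the source port as well as the destination port, so the test packet happens to satisfy "any eq 51088" even though a real SSH client almost never would. A trace with an ephemeral source port (for example 8.8.8.8 40000) would have exposed the source-port entry as the first problem.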

Dang, it didn't like that either.

static (inside,outside) tcp 72.193.250.115 51088 192.168.69.100 51088 netmask 255.255.255.255

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

So I tried this:

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

access-list aclDAVE-SERVER extended permit tcp any any eq 51088

Same packet-trace result.

UPDATE: I tweaked things a bit and have a tiny bit of progress.  It's at least trying to use the inside interface as the output interface now.

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 192.168.69.100 51088 access-list aclDAVE-SERVER

access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088

access-group aclDAVE-SERVER in interface outside

asa5505(config)# show nat

NAT policies on Interface inside:

  match tcp inside any eq 51088 outside host 192.168.69.100 eq 51088

    static translation to 192.168.69.100/51088

    translate_hits = 0, untranslate_hits = 4

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside any outside any

    dynamic translation to pool 1 (72.193.250.115 [Interface PAT])

    translate_hits = 84146, untranslate_hits = 127669

  match ip inside any _internal_loopback any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

asa5505(config)# packet-trace input outside tcp 8.8.8.8 51088 72.193.250.115 51088 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) tcp 192.168.69.100 51088 access-list aclDAVE-SERVER

  match tcp inside any eq 51088 outside host 192.168.69.100 eq 51088

    static translation to 192.168.69.100/51088

    translate_hits = 0, untranslate_hits = 7

Additional Information:

NAT divert to egress interface inside

Untranslate 192.168.69.100/51088 to 0.0.0.0/51088 using netmask 0.0.0.0

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   72.193.250.115  255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc95e6108, priority=0, domain=permit, deny=true

        hits=14678, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule


Message was edited by: Jeremy Camera

Hi Jeremy,

Please configure the ASA this way:

no nat (inside) 1 access-list aclDAVE-SERVER

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

!

static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

!

access-list acl-outside extended permit tcp any any eq 51088

!

access-group acl-outside in interface outside

!

end

clear xlate

Dan

*in my best "Borat" voice*: GREAT SUCCESS!

That last one did the trick perfectly.  Marking your post as the correct answer.  Thanks so much for all of your time and patience with me Dan, I really appreciate it!

It's almost 3 PM here and I still haven't grabbed lunch yet so my eyes are crossing. I'll have to review everything we tried so I can figure out all the different things I did wrong, but that will come with time.

Just for the sake of contrast against the failed packet-trace, here is what a successful one looks like:

packet-trace input outside tcp 8.8.8.8 51088 72.193.250.115 51088

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

  match tcp inside host 192.168.69.100 eq 51088 outside any

    static translation to 72.193.250.115/51088

    translate_hits = 0, untranslate_hits = 1

Additional Information:

NAT divert to egress interface inside

Untranslate 72.193.250.115/51088 to 192.168.69.100/51088 using netmask 255.255.255.255

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group acl-outside in interface outside

access-list acl-outside extended permit tcp any any eq 51088

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

  match tcp inside host 192.168.69.100 eq 51088 outside any

    static translation to 72.193.250.115/51088

    translate_hits = 0, untranslate_hits = 1

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255

  match tcp inside host 192.168.69.100 eq 51088 outside any

    static translation to 72.193.250.115/51088

    translate_hits = 0, untranslate_hits = 1

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 5577, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow
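To compare the failed and successful traces in this thread without reading every phase by hand, here is an added Python example (not code from the thread or from Cisco) that parses packet-tracer output into phases, reports which phase dropped the packet and why, and pulls the mapped-to-real mapping out of the UN-NAT phase. The two embedded traces are constructed from the ones posted above, trimmed to the phases that matter; the parser assumes the "Phase:", "Type:", "Subtype:", "Result:", "Config:" and "Additional Information:" labels and the bare "Result:" summary block seen in the posted output.

```python
"""Parse Cisco ASA packet-tracer output and report which phase decided the verdict.

Added example for this thread, not code from the original posts or from Cisco.
The two sample traces are constructed from the failed and successful traces
posted above, trimmed to the phases that matter. Assumed: real output uses the
'Phase:', 'Type:', 'Subtype:', 'Result:', 'Config:' and 'Additional Information:'
labels and ends with a bare 'Result:' summary block, as the posted traces do.
"""
from typing import Optional, Tuple

SECTION = {"Config": "config", "Additional Information": "info"}
FIELDS = {"Type", "Subtype", "Result"}

# Constructed from the failed trace above (policy static whose ACL names the inside host).
FAILED_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.69.100 51088 access-list aclDAVE-SERVER
Additional Information:
Untranslate 192.168.69.100/51088 to 0.0.0.0/51088 using netmask 0.0.0.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed from the successful trace above (static PAT on the interface, any/any ACL).
ALLOWED_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
Additional Information:
Untranslate 72.193.250.115/51088 to 192.168.69.100/51088 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list acl-outside extended permit tcp any any eq 51088
Additional Information:
Result:
output-interface: inside
Action: allow
"""


def parse_packet_tracer(text: str) -> dict:
    """Return {'phases': [phase dicts], 'summary': {field: value}}."""
    trace, cur, section = {"phases": [], "summary": {}}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase" and value.isdigit():      # "Phase: N" opens a phase block
            cur = {"number": int(value), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            trace["phases"].append(cur)
            section = None
        elif key == "Result" and value == "":        # bare "Result:" opens the summary
            cur, section = None, None
        elif cur is None:                            # summary: Action, Drop-reason, interfaces
            trace["summary"][key] = value
        elif key in SECTION:                         # "Config:" / "Additional Information:"
            section = SECTION[key]
        elif key in FIELDS:                          # Type / Subtype / Result of this phase
            cur[key.lower()] = value
        elif section:                                # free-form line under the open section
            cur[section].append(line)
    return trace


def verdict(trace: dict) -> Tuple[str, Optional[str], Optional[str]]:
    """(action, type of the phase that dropped the packet or None, drop reason)."""
    for p in trace["phases"]:
        if p["result"] == "DROP":
            return ("drop", p["type"], trace["summary"].get("Drop-reason"))
    return ("allow", None, None)


def untranslate(trace: dict) -> Optional[str]:
    """'mapped -> real' from the UN-NAT phase; a real side of 0.0.0.0 (failed trace) means no inside host was resolved."""
    for p in trace["phases"]:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                if line.startswith("Untranslate "):
                    w = line.split()                 # Untranslate A to B using netmask M
                    return f"{w[1]} -> {w[3]}"
    return None
```

Run against the two traces, the failed one reports a drop in the ACCESS-LIST phase with the acl-drop reason and an UN-NAT mapping whose real side is 0.0.0.0/51088, while the successful one reports allow with 72.193.250.115/51088 mapped to 192.168.69.100/51088. The same parser works on the first trace in this thread, which has no UN-NAT phase at all: that absence, plus the output interface being outside, is the quickest sign that no static translation matched.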

No problem, Jeremy. I'm glad that everything is OK now.

Dan
