https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872765#M28130 <P>try this<BR />!<BR />object network DVR-TEST<BR />host x.x.x.x<BR />nat (int_video,outside) static interface service tcp 443 53429<BR />!<BR />access-list outside_access_in exten permit tcp any host x.x.x.x eq 443<BR />access-group outside_access_in in interfacec outside<BR />!<BR />packet-tracer input outside tcp 8.8.8.8 12345 1.2.3.4.5 53429</P><P>where 1.2.3.4.5 is our ASA outside ip address.</P> Thu, 13 Jun 2019 23:43:40 GMT Sheraz.Salim 2019-06-13T23:43:40Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872712#M28129 <P>I know it's a very trite subject but I'm already going crazy with this issue</P><P>I am configuring a port mapping 53429 ---&gt;https, but this does not work.</P><P>https</P><P>topology: User browser PC&nbsp; port 53429 ---&gt;Outside ASA ---&gt; inside ASA ---- Device&nbsp;DVR-app&nbsp; https service</P><P>&nbsp;</P><P>I has configured the following</P><P>object network DVR-web<BR />nat (int_video,outside) static interface service tcp https 53429</P><P>&nbsp;</P><P>with the acl</P><P>access-list outside_access_in extended permit ip any object DVR-app</P><P>&nbsp;</P><P>but it is not working, any help I will thank you</P> Thu, 13 Jun 2019 21:02:00 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872712#M28129 ahuertavazquez 2019-06-13T21:02:00Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872765#M28130 <P>try this<BR />!<BR />object network DVR-TEST<BR />host x.x.x.x<BR />nat (int_video,outside) static interface service tcp 443 53429<BR />!<BR />access-list outside_access_in exten permit tcp any host x.x.x.x eq 443<BR />access-group outside_access_in in interfacec outside<BR />!<BR />packet-tracer input outside tcp 8.8.8.8 12345 1.2.3.4.5 53429</P><P>where 1.2.3.4.5 is our ASA outside ip address.</P> Thu, 13 Jun 2019 23:43:40 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872765#M28130 Sheraz.Salim 2019-06-13T23:43:40Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872767#M28131 <P>When I applyed cli command this show next message:</P><P>&nbsp;</P><P>ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded</P> Thu, 13 Jun 2019 23:53:41 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872767#M28131 ahuertavazquez 2019-06-13T23:53:41Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872770#M28132 <P>Oops, I omitted a line and that's why I showed the error,<BR />I already applied the suggested lines but the problem continues</P> Fri, 14 Jun 2019 00:02:30 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872770#M28132 ahuertavazquez 2019-06-14T00:02:30Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872772#M28133 <P>ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 IP_outside_ASA 53429</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop IP_outside_ASA using egress ifc identity</P><P>Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P> Fri, 14 Jun 2019 00:07:18 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872772#M28133 ahuertavazquez 2019-06-14T00:07:18Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872934#M28134 <P>share your firewall config in order to fix the issue.</P> Fri, 14 Jun 2019 08:44:13 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3872934#M28134 Sheraz.Salim 2019-06-14T08:44:13Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873184#M28135 Sure, this is my configuration:<BR /><BR /><BR /><BR />: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)<BR />:<BR />ASA Version 9.8(3)29<BR />!<BR />hostname ASA<BR />enable password PASS<BR />names<BR />no mac-address auto<BR /><BR />!<BR />interface GigabitEthernet1/1<BR />nameif outside<BR />security-level 0<BR />ip address X.X.X.X 255.255.255.252<BR />!<BR />interface GigabitEthernet1/2<BR />nameif int_datos<BR />security-level 100<BR />ip address 192.168.29.1 255.255.255.0<BR />!<BR />interface GigabitEthernet1/3<BR />bridge-group 1<BR />nameif inside_2<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/4<BR />bridge-group 1<BR />nameif inside_3<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/5<BR />bridge-group 1<BR />nameif inside_4<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/6<BR />bridge-group 1<BR />nameif inside_5<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/7<BR />nameif int_video<BR />security-level 90<BR />ip address 192.168.79.1 255.255.255.0<BR />!<BR />interface GigabitEthernet1/8<BR />nameif VLANs<BR />security-level 100<BR />no ip address<BR />!<BR />interface GigabitEthernet1/8.78<BR />vlan 78<BR />nameif int_voz<BR />security-level 100<BR />ip address 192.168.78.1 255.255.255.0<BR />!<BR />interface GigabitEthernet1/8.127<BR />vlan 127<BR />nameif Int_visitantes<BR />security-level 100<BR />ip address 192.168.127.1 255.255.255.0<BR />!<BR />interface Management1/1<BR />management-only<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface BVI1<BR />nameif inside<BR />security-level 100<BR />ip address dhcp setroute<BR />!<BR />boot system disk0:/asa983-29-lfbff-k8.SPA<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />object network obj_any1<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any2<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any3<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any4<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any5<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any6<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any7<BR />subnet 0.0.0.0 0.0.0.0<BR />object network LAN-QTRO<BR />subnet 192.168.29.0 255.255.255.0<BR />object network LAN_PUE<BR />subnet 192.168.11.0 255.255.255.0<BR />object network LAN_PUE_USU<BR />subnet 192.168.17.0 255.255.255.0<BR />object network LAN-Visit<BR />subnet 192.168.127.0 255.255.255.0<BR />object network NVR<BR />host 192.168.79.10<BR />object network DVR-app<BR />host 192.168.79.10<BR />object network DVR-web<BR />host 192.168.79.10<BR />object network LAN_Voz<BR />subnet 192.168.78.0 255.255.255.0<BR />description red de voz<BR />object network LAN_NAUCALPAN<BR />subnet 192.168.18.0 255.255.255.0<BR />description red cargotecnia mexico<BR />object network test<BR />host 192.168.79.10<BR />object network obj_any<BR />subnet 0.0.0.0 0.0.0.0<BR />object network LAN_Video<BR />subnet 192.168.79.0 255.255.255.0<BR />object network Dvr-web<BR />object network DVR-test<BR />host 192.168.79.10<BR />object-group network DM_INLINE_NETWORK_1<BR />network-object object LAN_PUE<BR />network-object object LAN_PUE_USU<BR />access-list outside_cryptomap extended permit ip object LAN-QTRO object-group DM_INLINE_NETWORK_1<BR />access-list int_datos_access_in extended permit ip object LAN-QTRO any<BR />access-list outside_access_in extended permit ip any object DVR-app<BR />access-list outside_access_in extended permit icmp any any<BR />access-list outside_access_in extended permit tcp any host 192.168.79.10 eq https<BR />access-list int_video_access_in extended permit ip object LAN_Video any<BR />access-list outside_cryptomap_1 extended permit ip object LAN-QTRO object LAN_NAUCALPAN<BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu int_datos 1500<BR />mtu inside_2 1500<BR />mtu inside_3 1500<BR />mtu inside_4 1500<BR />mtu inside_5 1500<BR />mtu int_video 1500<BR />mtu VLANs 1500<BR />mtu int_voz 1500<BR />mtu Int_visitantes 1500<BR />icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any outside<BR />icmp permit any int_datos<BR />asdm image disk0:/asdm-792-152.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />arp rate-limit 16384<BR />nat (int_datos,outside) source static LAN-QTRO LAN-QTRO destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup<BR />nat (int_datos,outside) source dynamic LAN-QTRO interface<BR />nat (Int_visitantes,outside) source dynamic LAN-Visit interface<BR />nat (int_voz,outside) source dynamic LAN_Voz interface<BR />nat (int_video,outside) source dynamic LAN_Video interface<BR />!<BR />object network DVR-app<BR />nat (int_video,outside) static interface service tcp 8000 52429<BR />object network DVR-web<BR />nat (int_video,outside) static interface service tcp https 53429<BR />object network DVR-test<BR />nat (int_video,outside) static interface service tcp https 53429<BR />access-group outside_access_in in interface outside<BR />access-group int_datos_access_in in interface int_datos<BR />access-group int_video_access_in in interface int_video<BR />route outside 0.0.0.0 0.0.0.0 IPGATEWAY 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />timeout conn-holddown 0:00:15<BR />timeout igp stale-route 0:01:10<BR />user-identity default-domain LOCAL<BR />aaa authentication enable console LOCAL<BR />aaa authentication ssh console LOCAL<BR />aaa authentication http console LOCAL<BR />aaa authentication login-history<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside_2<BR />http 192.168.29.0 255.255.255.0 int_datos<BR />http 192.168.0.0 255.255.0.0 int_datos<BR />http 0.0.0.0 0.0.0.0 outside<BR />no snmp-server location<BR />no snmp-server contact<BR />service sw-reset-button<BR />.<BR /><BR />.<BR /><BR />.<BR /><BR /><BR />console timeout 0<BR /><BR />dhcp-client client-id interface inside<BR />dhcpd auto_config outside<BR />!<BR />dhcpd address 192.168.29.100-192.168.29.130 int_datos<BR />dhcpd dns 192.168.11.18 8.8.8.8 interface int_datos<BR />dhcpd option 3 ip 192.168.29.1 interface int_datos<BR />dhcpd enable int_datos<BR />!<BR />dhcpd address 192.168.79.50-192.168.79.55 int_video<BR />dhcpd dns 8.8.8.8 interface int_video<BR />dhcpd option 3 ip 192.168.79.1 interface int_video<BR />dhcpd enable int_video<BR />!<BR />dhcpd address 192.168.78.50-192.168.78.70 int_voz<BR />dhcpd dns 8.8.8.8 interface int_voz<BR />dhcpd option 3 ip 192.168.78.1 interface int_voz<BR />dhcpd enable int_voz<BR />!<BR />dhcpd address 192.168.127.10-192.168.127.30 Int_visitantes<BR />dhcpd dns 8.8.8.8 interface Int_visitantes<BR />dhcpd option 3 ip 192.168.127.1 interface Int_visitantes<BR />dhcpd enable Int_visitantes<BR />!<BR />priority-queue int_datos<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />group-policy GroupPolicy_X.X.X.X internal<BR />group-policy GroupPolicy_X.X.X.X attributes<BR />vpn-tunnel-protocol ikev1<BR />group-policy GroupPolicy_X.X.X.X internal<BR />group-policy GroupPolicy_1X.X.X.X attributes<BR />vpn-tunnel-protocol ikev1<BR />dynamic-access-policy-record DfltAccessPolicy<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />no tcp-inspection<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />Cryptochecksum:347297c9e6d2c5ea3638b6170b57b7bf<BR />: end Fri, 14 Jun 2019 14:56:39 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873184#M28135 ahuertavazquez 2019-06-14T14:56:39Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873354#M28136 <P>put these command and display it output of packet tracer.</P><P>&nbsp;</P><P>&nbsp;</P><P><BR />no nat (int_video,outside) source dynamic LAN_Video interface<BR />!<BR />object network LAN_Video<BR />subnet 192.168.79.0 255.255.255.0<BR />nat (int_video,outside) dynamic interface<BR />!<BR />object network DVR-web<BR />host 192.168.79.10<BR />nat (int_video,outside) static interface service tcp https 53429<BR />!<BR />access-list outside_access_in extended permit tcp any host 192.168.79.10 eq https<BR />!<BR />access-group outside_access_in in interface outside<BR />!<BR />packet-tracer input outside tcp 8.8.8.8 12345 X.X.X.X 53429<BR />!<BR />NOTE: X.X.X.X put your firewall outside ip address.</P> Fri, 14 Jun 2019 19:46:02 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873354#M28136 Sheraz.Salim 2019-06-14T19:46:02Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873399#M28137 This is my packet-tracert output<BR /><BR />ASA-QTRO#<BR />ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429<BR /><BR />Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list<BR /><BR />Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 189.213.236.130 using egress ifc identity<BR /><BR />Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule<BR /><BR />ASA-QTRO# Fri, 14 Jun 2019 22:15:46 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873399#M28137 ahuertavazquez 2019-06-14T22:15:46Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873415#M28138 <P>hm.. can you try this please.</P><P>&nbsp;</P><P>object network DVR-web<BR />host 192.168.185.11</P><P>!</P><P>object service 53429<BR />service tcp source eq 53429</P><P>!</P><P>object service HTTP<BR />service tcp source eq https</P><P>!</P><P>nat (wireless-house,outside) source static DVR-web interface service HTTP 53429</P><P>!</P><P>packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429</P><P>!</P><P>if the above even does not work.share the output command "show nat detail"</P><P>&nbsp;</P> Fri, 14 Jun 2019 23:44:13 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3873415#M28138 Sheraz.Salim 2019-06-14T23:44:13Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3874442#M28139 I am assuming that the values ​​of "DVR-web" and the "wireless-house" interface in the nat are for simulation; because they are not the real values ​​that I have.<BR /><BR />taking into account thats, here is the output of the packet-tracert<BR /><BR />ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 det<BR /><BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 189.213.236.130 using egress ifc identity<BR /><BR />Phase: 2<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fc55ccc6390, priority=0, domain=nat-per-session, deny=false<BR />hits=139164, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any<BR /><BR />Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fc55d8f73a0, priority=0, domain=permit, deny=true<BR />hits=21780, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule<BR /><BR /><BR /> Mon, 17 Jun 2019 17:00:18 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3874442#M28139 ahuertavazquez 2019-06-17T17:00:18Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3875167#M28140 <P>I applied the lines on ASA</P><P>I am assuming that the values ​​of DVR-web and in the nat wireles-house are for simulaicon since these<BR />values ​​are not what I have in the configuration.</P><P>This is my packet-tracert output:</P><P>&nbsp;</P><P>ASA-QTRO#<BR />ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 $</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 189.213.236.130 using egress ifc identity</P><P>Phase: 2<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fc55ccc6390, priority=0, domain=nat-per-session, deny=false<BR />hits=188011, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fc55d8f73a0, priority=0, domain=permit, deny=true<BR />hits=27329, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Tue, 18 Jun 2019 15:18:40 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3875167#M28140 ahuertavazquez 2019-06-18T15:18:40Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3875199#M28141 I applied the lines on ASA<BR /><BR />I am assuming that the values ​​of DVR-web and in the nat wireles-house are for simulaicon since these<BR />values ​​are not what I have in the configuration.<BR /><BR />This is my packet-tracert output:<BR /><BR /><BR /><BR />ASA-QTRO#<BR />ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 $<BR /><BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 189.213.236.130 using egress ifc identity<BR /><BR />Phase: 2<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fc55ccc6390, priority=0, domain=nat-per-session, deny=false<BR />hits=188011, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any<BR /><BR />Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7fc55d8f73a0, priority=0, domain=permit, deny=true<BR />hits=27329, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule<BR /><BR /><BR /> Tue, 18 Jun 2019 15:57:48 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506x/m-p/3875199#M28141 ahuertavazquez 2019-06-18T15:57:48Z