Port forwarding ASA5506X

ahuertavazquez
Level 1

I know it's a very trite subject, but I'm already going crazy with this issue.

I am configuring a port mapping 53429 ---> https, but this does not work.


Topology: user browser PC, port 53429 ---> outside ASA ---> inside ASA ---> device DVR-app, https service

 

I have configured the following:

object network DVR-web
nat (int_video,outside) static interface service tcp https 53429

 

with the ACL:

access-list outside_access_in extended permit ip any object DVR-app

 

but it is not working. I will be thankful for any help.

12 Replies

Try this:
!
object network DVR-TEST
host x.x.x.x
nat (int_video,outside) static interface service tcp 443 53429
!
access-list outside_access_in exten permit tcp any host x.x.x.x eq 443
access-group outside_access_in in interface outside
!
packet-tracer input outside tcp 8.8.8.8 12345 1.2.3.4.5 53429

where 1.2.3.4.5 is our ASA outside ip address.

please do not forget to rate.

When I applied the CLI commands, it showed the following message:

 

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 IP_outside_ASA 53429

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP_outside_ASA using egress ifc identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

ahuertavazquez
Level 1

Oops, I omitted a line and that's why I got the error.
I have already applied the suggested lines, but the problem continues.

Share your firewall config in order to fix the issue.

please do not forget to rate.

Sure, this is my configuration:



: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(3)29
!
hostname ASA
enable password PASS
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet1/2
nameif int_datos
security-level 100
ip address 192.168.29.1 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
nameif int_video
security-level 90
ip address 192.168.79.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif VLANs
security-level 100
no ip address
!
interface GigabitEthernet1/8.78
vlan 78
nameif int_voz
security-level 100
ip address 192.168.78.1 255.255.255.0
!
interface GigabitEthernet1/8.127
vlan 127
nameif Int_visitantes
security-level 100
ip address 192.168.127.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address dhcp setroute
!
boot system disk0:/asa983-29-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network LAN-QTRO
subnet 192.168.29.0 255.255.255.0
object network LAN_PUE
subnet 192.168.11.0 255.255.255.0
object network LAN_PUE_USU
subnet 192.168.17.0 255.255.255.0
object network LAN-Visit
subnet 192.168.127.0 255.255.255.0
object network NVR
host 192.168.79.10
object network DVR-app
host 192.168.79.10
object network DVR-web
host 192.168.79.10
object network LAN_Voz
subnet 192.168.78.0 255.255.255.0
description red de voz
object network LAN_NAUCALPAN
subnet 192.168.18.0 255.255.255.0
description red cargotecnia mexico
object network test
host 192.168.79.10
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN_Video
subnet 192.168.79.0 255.255.255.0
object network Dvr-web
object network DVR-test
host 192.168.79.10
object-group network DM_INLINE_NETWORK_1
network-object object LAN_PUE
network-object object LAN_PUE_USU
access-list outside_cryptomap extended permit ip object LAN-QTRO object-group DM_INLINE_NETWORK_1
access-list int_datos_access_in extended permit ip object LAN-QTRO any
access-list outside_access_in extended permit ip any object DVR-app
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 192.168.79.10 eq https
access-list int_video_access_in extended permit ip object LAN_Video any
access-list outside_cryptomap_1 extended permit ip object LAN-QTRO object LAN_NAUCALPAN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu int_datos 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu int_video 1500
mtu VLANs 1500
mtu int_voz 1500
mtu Int_visitantes 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any int_datos
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (int_datos,outside) source static LAN-QTRO LAN-QTRO destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (int_datos,outside) source dynamic LAN-QTRO interface
nat (Int_visitantes,outside) source dynamic LAN-Visit interface
nat (int_voz,outside) source dynamic LAN_Voz interface
nat (int_video,outside) source dynamic LAN_Video interface
!
object network DVR-app
nat (int_video,outside) static interface service tcp 8000 52429
object network DVR-web
nat (int_video,outside) static interface service tcp https 53429
object network DVR-test
nat (int_video,outside) static interface service tcp https 53429
access-group outside_access_in in interface outside
access-group int_datos_access_in in interface int_datos
access-group int_video_access_in in interface int_video
route outside 0.0.0.0 0.0.0.0 IPGATEWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.29.0 255.255.255.0 int_datos
http 192.168.0.0 255.255.0.0 int_datos
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
.

.

.


console timeout 0

dhcp-client client-id interface inside
dhcpd auto_config outside
!
dhcpd address 192.168.29.100-192.168.29.130 int_datos
dhcpd dns 192.168.11.18 8.8.8.8 interface int_datos
dhcpd option 3 ip 192.168.29.1 interface int_datos
dhcpd enable int_datos
!
dhcpd address 192.168.79.50-192.168.79.55 int_video
dhcpd dns 8.8.8.8 interface int_video
dhcpd option 3 ip 192.168.79.1 interface int_video
dhcpd enable int_video
!
dhcpd address 192.168.78.50-192.168.78.70 int_voz
dhcpd dns 8.8.8.8 interface int_voz
dhcpd option 3 ip 192.168.78.1 interface int_voz
dhcpd enable int_voz
!
dhcpd address 192.168.127.10-192.168.127.30 Int_visitantes
dhcpd dns 8.8.8.8 interface Int_visitantes
dhcpd option 3 ip 192.168.127.1 interface Int_visitantes
dhcpd enable Int_visitantes
!
priority-queue int_datos
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_1X.X.X.X attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:347297c9e6d2c5ea3638b6170b57b7bf
: end

Put in these commands and show the packet-tracer output.

no nat (int_video,outside) source dynamic LAN_Video interface
!
object network LAN_Video
subnet 192.168.79.0 255.255.255.0
nat (int_video,outside) dynamic interface
!
object network DVR-web
host 192.168.79.10
nat (int_video,outside) static interface service tcp https 53429
!
access-list outside_access_in extended permit tcp any host 192.168.79.10 eq https
!
access-group outside_access_in in interface outside
!
packet-tracer input outside tcp 8.8.8.8 12345 X.X.X.X 53429
!
NOTE: for X.X.X.X, put your firewall's outside IP address.

please do not forget to rate.

This is my packet-tracer output:

ASA-QTRO#
ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.213.236.130 using egress ifc identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-QTRO#

Hm... can you try this, please?

 

object network DVR-web
host 192.168.185.11

!

object service 53429
service tcp source eq 53429

!

object service HTTP
service tcp source eq https

!

nat (wireless-house,outside) source static DVR-web interface service HTTP 53429

!

packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429

!

If even the above does not work, share the output of the command "show nat detail".

 

please do not forget to rate.

I am assuming that the values of "DVR-web" and of the "wireless-house" interface in the NAT are for simulation, because they are not the real values that I have.

Taking that into account, here is the output of the packet-tracer:

ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.213.236.130 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc55ccc6390, priority=0, domain=nat-per-session, deny=false
hits=139164, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc55d8f73a0, priority=0, domain=permit, deny=true
hits=21780, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I applied the lines on the ASA.

I am assuming that the values of DVR-web and of wireless-house in the NAT are for simulation, since these
values are not what I have in the configuration.

This is my packet-tracer output:

 

ASA-QTRO#
ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.213.236.130 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc55ccc6390, priority=0, domain=nat-per-session, deny=false
hits=188011, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc55d8f73a0, priority=0, domain=permit, deny=true
hits=27329, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
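On an ASA, an inbound connection that matches a static (port-forwarding) NAT rule shows a phase of Type UN-NAT in packet-tracer before the access-list phase; every trace in this thread goes straight from the per-session NAT phase to an implicit-rule ACL drop, so the ACL is checked against the untranslated outside address. The parser below is an added example, not code posted in the thread; it pulls the phases out of packet-tracer text and flags that pattern on a constructed sample modelled on the output above.

```python
# Constructed sample, modelled on the packet-tracer output posted above (same phase sequence, same drop).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Split packet-tracer text into per-phase dicts plus the final Action/Drop-reason summary."""
    phases, summary, cur = [], {}, None
    for line in trace.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Phase":
            cur = {"phase": int(val), "type": "", "subtype": "", "result": ""}
            phases.append(cur)
        elif key == "Result" and not val:  # a bare 'Result:' opens the final summary block
            cur = None
        elif cur is not None and key.lower() in cur:
            cur[key.lower()] = val
        elif cur is None and key in ("Action", "Drop-reason"):
            summary[key] = val
    return phases, summary

def diagnose(trace):
    """Flag the thread's symptom: no UN-NAT phase (static NAT never matched) and an ACL drop."""
    phases, summary = parse_trace(trace)
    findings = []
    if not any(p["type"] == "UN-NAT" for p in phases):
        findings.append("no UN-NAT phase: the static NAT rule did not match the inbound destination")
    for p in phases:
        if p["result"] == "DROP" and p["type"] == "ACCESS-LIST":
            findings.append(f"phase {p['phase']}: ACL drop on the untranslated destination")
    return findings, summary.get("Drop-reason", "")
```

Paste real `packet-tracer ... detail` output into `diagnose()`; a trace in which the port-forward works will contain an UN-NAT phase and produce no findings.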

