Hi,

Here is the detailed output:

Thank you

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.4.10 using egress ifc Trusted

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any4 object LoungeMini eq 32400
access-list outside_access_in remark Allow traffic to Alarm System
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddd46100, priority=13, domain=permit, deny=false
hits=23, user_data=0x7fffe41b1940, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.4.10, mask=255.255.255.255, port=32400, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd3f6be0, priority=0, domain=nat-per-session, deny=false
hits=2288876, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddb31a00, priority=0, domain=inspect-ip-options, deny=true
hits=1731246, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde786990, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=3115, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Trusted,outside) source static LoungeMini interface service Obj-Plex-source Obj-Plex-source
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffddd29990, priority=6, domain=nat-reverse, deny=false
hits=6, user_data=0x7fffddd4ae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.4.10, mask=255.255.255.255, port=32400, tag=any, dscp=0x0
input_ifc=outside, output_ifc=Trusted

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Trusted
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Jon,

Please note that you are doing the packet tracer to the IP address 10.0.4.10. But you have the NAT configured on the ASA with the interface IP mapping to 10.0.4.10 when the destination port is 32400.

nat (Trusted,outside) source static LoungeMini interface service Obj-Plex-source Obj-Plex-source

Please do the packet tracer with the correct IP address with the destination as the interface IP of the outside.

packet-tracer input outside tcp 8.8.8.8 2342 <outside interface IP> 32400

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi,

Here is the detail (actual external ip changed post running):

I believed packet-tracer needs to be ran with the post NAT address rather than the pre.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 123.123.123.123 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd3f6be0, priority=0, domain=nat-per-session, deny=false
hits=2308017, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddb2b080, priority=0, domain=permit, deny=true
hits=300364, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule