ASA5515 - Allow external IP through firewall for 4G Booster

garyspcnpa
Level 1

Hello Everyone,

Hopefully I can explain this well enough to receive some help!

Within our LAN we have a number of access points which sit on a VLAN and allow internet access for the public to the internet.  We found that the distance of the wifi signal was not sufficient so we have had a 4G booster fitted to expand the signal.  I have been asked by the provider to white list an IP address and specific ports to allow internet access to the booster.

I have tried adding inbound rules to the access-list but nothing seems to work.

So basically I am looking for some help and advice on how i can allow access from the specific IP to my public wifi subnet.

Thank you in advance.

11 Replies

balaji.bandi
Hall of Fame

You need inside to outside (also some providers need outside to inside)

Check the booster device (a fixed IP is good here) and allow that IP to connect to the provider network, if they provided any IP address.

BB

Hi Balaji,

Thank you for your quick response.

They have provided me with an IP address and two ports that I should allow through, however I have tried to allow this but it does not work.

Here is the access-list entry:

access-list LAN_access_in line 2 extended permit udp host 212.250.xxx.xxx object-group Wifi_4G host 192.168.145.0 (hitcnt=2) 0x0c3e1c01
access-list LAN_access_in line 2 extended permit udp host 212.250.xxx.xxx eq 34777 host 192.168.145.0 (hitcnt=2) 0xcbe74acb
access-list LAN_access_in line 2 extended permit udp host 212.250.xxx.xxx eq 5303 host 192.168.145.0 (hitcnt=0) 0x70c511cb

thank you.

192.168.145.0 <- this is a private IP, so you need NAT.

Have you configured any NAT?

MHM

This is the NAT entry:

(Outside) to (any) source static 4G Subnet_Public
translate_hits = 0, untranslate_hits = 1
Source - Origin: 212.250.xxx.xxx/32, Translated: 192.168.145.0/24

@garyspcnpa Are 34777 and 5303 the destination ports, not the source ports?

If so, amend your rules as below:

access-list LAN_access_in permit udp object-group Wifi_4G host 192.168.145.0 eq 34777
access-list LAN_access_in permit udp object-group Wifi_4G host 192.168.145.0 eq 5303

If you still have a problem run packet-tracer to simulate the traffic flow, provide the output for review.

You can also take a packet capture of the traffic from 212.250.x.x to confirm what is sent/received.
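The difference Rob is pointing at is where the `eq <port>` qualifier sits in an ASA extended ACE: immediately after the source address it matches the source port, after the destination address it matches the destination port. The parser below is an added example (not code from this thread or from Cisco) that splits `show access-list` style lines into their fields and reports which side a port qualifier applies to. The sample lines are constructed copies of the ones posted above, with the addresses masked as on the page; `Wifi_4G` is assumed to be a service object-group when it appears in port position.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List

ENDPOINT_KEYWORDS = ("host", "object", "object-group")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


def _starts_endpoint(tokens: List[str], i: int) -> bool:
    """True if tokens[i] begins an address spec (host/object/object-group/any/A MASK)."""
    if i >= len(tokens):
        return False
    tok = tokens[i]
    return tok in ENDPOINT_KEYWORDS or tok.startswith("any") or bool(IPV4.match(tok))


def _take_endpoint(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec and return (text, next_index)."""
    tok = tokens[i]
    if tok in ENDPOINT_KEYWORDS:
        return f"{tok} {tokens[i + 1]}", i + 2
    if tok.startswith("any"):
        return tok, i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2        # "A.B.C.D MASK" form


def _take_port(tokens: List[str], i: int, endpoint_follows: bool) -> Tuple[Optional[str], int]:
    """Consume an optional port qualifier: eq/gt/lt/neq X, range X Y, or a service object-group.

    In source position an 'object-group' is only a port group when an endpoint still follows;
    otherwise it is the destination address spec and must be left alone.
    """
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok in ("eq", "gt", "lt", "neq"):
        return f"{tok} {tokens[i + 1]}", i + 2
    if tok == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    if tok == "object-group" and (not endpoint_follows or _starts_endpoint(tokens, i + 2)):
        return f"object-group {tokens[i + 1]}", i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE as typed or as shown by 'show access-list'."""
    line = re.sub(r"\s+\(hitcnt=\d+\).*$", "", line.strip())   # drop hit counter + hash
    line = re.sub(r"\bline \d+\s+", "", line)                    # drop 'line N'
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    acl, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, protocol = t[i], t[i + 1]
    i += 2
    src, i = _take_endpoint(t, i)
    src_port, i = _take_port(t, i, endpoint_follows=True)
    dst, i = _take_endpoint(t, i)
    dst_port, i = _take_port(t, i, endpoint_follows=False)
    return Ace(acl, action, protocol, src, src_port, dst, dst_port)


def summarize(line: str) -> str:
    """Human-readable statement of what the ACE matches, with port side made explicit."""
    a = parse_ace(line)
    sp = f" from source port {a.src_port}" if a.src_port else " from any source port"
    dp = f" to destination port {a.dst_port}" if a.dst_port else " to any destination port"
    return f"{a.acl}: {a.action} {a.protocol} {a.src}{sp} -> {a.dst}{dp}"


# Constructed samples: the first two mirror the thread's original ACEs (port on the SOURCE side),
# the third is the corrected shape with the port on the DESTINATION side.
SAMPLE_ACES = [
    "access-list LAN_access_in line 2 extended permit udp host 212.250.xxx.xxx eq 34777 host 192.168.145.0 (hitcnt=2) 0xcbe74acb",
    "access-list LAN_access_in line 2 extended permit udp host 212.250.xxx.xxx object-group Wifi_4G host 192.168.145.0 (hitcnt=2) 0x0c3e1c01",
    "access-list LAN_access_in extended permit udp host 212.250.x.x host 192.168.145.0 eq 34777",
]

if __name__ == "__main__":
    for ace in SAMPLE_ACES:
        print(summarize(ace))
```

Running it prints one line per ACE; the first sample is reported as matching "from source port eq 34777", the third as "to destination port eq 34777", which is exactly the distinction the reply above asks the poster to check before re-entering the rules.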

Hi Rob,

Thanks for the information you provided.  I have deleted the original access list entry, but when I enter the new one I get the following error:

access-list LAN_access_in permit udp object-group Wifi_4G host 192 ^.168.145.0 eq 34777

ERROR: % Invalid input detected at '^' marker.

Thanks

@garyspcnpa try this, amend if required.

access-list LAN_access_in extended permit udp host 212.250.x.x host 192.168.145.0 eq 34777
access-list LAN_access_in extended permit udp host 212.250.x.y host 192.168.145.0 eq 5303

@garyspcnpa you have specified the wrong source/input interface, the source interface would be the outside interface

packet-tracer input <outside interface name> UDP 212.250.x.x 34777 192.168.145.0 80

Hi Rob,

This is the output when changing the packet tracer:

packet-tracer input outside udp 212.250.x.x 34777 192.168.145.0 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.145.0 255.255.255.0 LAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,any) after-auto source static Subnet_Public Subnet_CH_Public destination static CH_4G CH_4G service any WireGuard2
Additional Information:
NAT divert to egress interface LAN
Untranslate 192.168.145.0/80 to 192.168.145.0/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: JaNet
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
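A packet-tracer run like the one above is easiest to read when the phases are reduced to three facts: which phase dropped the flow, what the firewall matched in that phase, and which interfaces the flow entered and would have left. The script below is an added example, not code from this thread or from Cisco; it parses the output format shown above, reports the first DROP phase and the summary block, and flags the case seen here, where the ACCESS-LIST phase hits only the "Implicit Rule" (no explicit ACE on the ingress interface matched). The embedded text is a constructed copy of the output posted above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: a copy of the packet-tracer output posted in this thread.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.145.0 255.255.255.0 LAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,any) after-auto source static Subnet_Public Subnet_CH_Public destination static CH_4G CH_4G service any WireGuard2
Additional Information:
NAT divert to egress interface LAN
Untranslate 192.168.145.0/80 to 192.168.145.0/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: JaNet
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> Tuple[List[Dict], Dict[str, str]]:
    """Split packet-tracer output into a list of phase dicts and the final Result block."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict] = None
    section: Optional[str] = None          # None | "config" | "info" | "summary"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":                # bare "Result:" opens the trailing summary block
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section in ("config", "info"):
            current[section].append(line)
            continue
        key, _, value = line.partition(":")  # Type / Subtype / Result inside a phase
        current[key.strip().lower()] = value.strip()
    return phases, summary


def diagnose(text: str) -> Dict:
    """Reduce a trace to the facts a reviewer needs: drop phase, what matched, and the path."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {
        "phases": len(phases),
        "action": summary.get("Action"),
        "drop_reason": summary.get("Drop-reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop.get("type") if drop else None,
        "drop_config": " ".join(drop["config"]) if drop else None,
        # True when the ACL phase fell through to the interface's implicit deny,
        # i.e. no explicit ACE on the ingress interface matched this flow.
        "implicit_deny": bool(drop and drop.get("type") == "ACCESS-LIST"
                              and "Implicit Rule" in drop["config"]),
        "path": f"{summary.get('input-interface')} -> {summary.get('output-interface')}",
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_OUTPUT).items():
        print(f"{key:13} {value}")
```

On the sample it reports the drop in phase 3 (ACCESS-LIST, Implicit Rule) on the path JaNet -> LAN. That combination is the one to check against the ACL's interface and direction: a rule that is written for the wrong interface, or with source and destination the wrong way round, never matches, so the trace lands on the implicit deny exactly as shown above.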

@garyspcnpa

Just re-reading your original question, can you confirm traffic is from inside to outside? The booster is in 192.168.145.0/24 (LAN) and communicating with 212.250.x.x (JaNet)?

Which interface and direction is the ACL "LAN_access_in" applied? If it is actually inbound on the LAN interfaces then you would need to reverse the source and destination networks.

Confirm the answers to the questions above; also, providing the full configuration would make things easier to understand.

(Outside) to (any) source static 4G Subnet_Public

This NAT is wrong.

It must be:

nat (Inside,Outside) source static 4G Subnet_Public

This is the correct NAT.

MHM