
External Server Needs SNMP from Internal Device through ASA5520

Sandra Proesch
Level 1

We have an external vendor who has placed a device (several actually) on our internal network.  We are using one external IP and NATing to different devices inside by using different ports.  This works fine for HTTP and a couple of custom TCP ports they are using.  What we cannot get to work is that they want to connect to one of the devices with UDP/161 (SNMP).  Even though I've used the same type of rules and NAT that I did for the other ports, this is not working.  The outside host still reports that port UDP/161 is not open.  Inside we can determine that yes, the device is running the SNMP service.

I think this may have something to do with the group policy on the ASA5520, but I'm not sure.  I can do access rules and nat, but I'm not enough of an expert to really understand the rest of the configuration.  Is there a good reference I can look at, or is anyone here doing something similar and can point me in the right direction?

Thanks for the help.

--Sandy

7 Replies

Jon Marshall
Hall of Fame

So it is the external server that needs to send SNMP to the internal device ?

Just checking because your thread description suggests the other way round.

If so can you run this command on your ASA and post here -

"packet-tracer input outside udp <external server IP> 12345 <public IP of inside server> 161"

Jon

The external server will be making the SNMP request to the internal device.


The packet trace results in action allow.  Seems like this should mean it's working.  Let me get back with the vendor and see if he's seeing it now.  Thanks for your help.  I'll post back when I've determined how it looks to the vendor now.


No, that didn't fix the problem.  Back to the drawing board.

Can you just check the other way, i.e.

"packet-tracer input inside udp <real server IP> 161 <external server IP> 12345"

Also, is this device on the inside accessible via any other ports to the vendor?

Jon

That also results in an allow.  And yes the device on the inside is accessible via port 80 to the vendor.

Think you might need a new vendor :-)

Unless you are doing some sort of NAT on their source IP as it comes through your firewall and you haven't set that up for this connection I can't see what is wrong.

You would only need to do this type of NAT if the devices didn't send the traffic back to the ASA either direct or via other L3 devices internally.

It is unlikely this is the problem but I have seen it.

Other than that you are going to have to do some packet captures on the firewall I think to see if you are -

1) seeing the UDP packets leaving the inside interface to the device

and

2) seeing the return UDP packets on the inside interface being sent back from the device

This is a link on how to set up the capture, but obviously you need to liaise with your vendor to test, and I would do it in a quiet time -

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

if you want to post the configuration by all means do and someone may spot something.

Jon
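An end-to-end check to run alongside the ASA captures above, added here as an example that is not part of the original thread: a dependency-free SNMPv2c GET probe written in Python. A port scanner can only call UDP/161 "not open" when no datagram comes back, and an SNMP agent answers nothing at all to a request carrying a community it does not accept, so a generic scan looks identical whether the firewall dropped the packet or the agent silently discarded it. Sending a real GetRequest for sysDescr.0 with the community the device is configured with separates those cases. The target host, community string and timeout are caller-supplied assumptions; the encoder/decoder below implements the BER subset SNMPv2c needs (RFC 3416 PDU layout) rather than using a library.

```python
"""Added example, not from the original thread: SNMPv2c GET probe with no
dependencies beyond the standard library.  Builds a GetRequest for sysDescr.0,
sends it over UDP/161 and reports whether a matching GetResponse came back."""
import os
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"     # MIB-II sysDescr.0
SNMP_V2C = 1                            # version field value for SNMPv2c
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2  # PDU tags (context-specific 0 and 2)


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER; this probe only needs non-negative values."""
    if value < 0:
        raise ValueError("negative INTEGER not needed here")
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_pdu_message(pdu_tag: int, community: str, request_id: int, varbinds) -> bytes:
    """Wrap (oid, value_tlv) pairs in a PDU, then in the SNMP message SEQUENCE."""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + val) for oid, val in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(SNMP_V2C) + tlv(0x04, community.encode()) + pdu)


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    return build_pdu_message(GET_REQUEST, community, request_id, [(oid, tlv(0x05, b""))])


def build_get_response(community: str, oid: str, request_id: int, value: bytes) -> bytes:
    """The agent's reply for a string-valued object (used here for offline testing)."""
    return build_pdu_message(GET_RESPONSE, community, request_id, [(oid, tlv(0x04, value))])


def ber_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(msg: bytes):
    """Return (request_id, error_status, value bytes of the first varbind or None)."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = ber_read(body)
    _, _community, p = ber_read(body, p)
    pdu_tag, pdu, _ = ber_read(body, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse-PDU")
    _, rid, p = ber_read(pdu)
    _, err, p = ber_read(pdu, p)
    _, _idx, p = ber_read(pdu, p)
    _, vbl, _ = ber_read(pdu, p)
    value = None
    if vbl:
        _, vb, _ = ber_read(vbl)            # first varbind only
        _, _oid, q = ber_read(vb)
        _, value, _ = ber_read(vb, q)
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), value


def snmp_probe(host: str, community: str = "public", port: int = 161, timeout: float = 3.0) -> str:
    """'answered' if a matching GetResponse arrived, 'silent' if nothing came back.
    'silent' is what a scanner reports as UDP/161 'not open': dropped in transit,
    reply lost on the way back through the NAT, or community rejected by the agent."""
    request_id = int.from_bytes(os.urandom(3), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, SYS_DESCR_OID, request_id), (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return "silent"
    rid, err, _value = parse_get_response(data)
    if rid != request_id:
        return "silent"                     # unrelated datagram, not our answer
    return "answered" if err == 0 else f"error-status {err}"


if __name__ == "__main__":
    import sys
    print(snmp_probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "public"))
```

Run it from the vendor's side against the public IP with the community the device actually has configured (`python3 probe.py <public IP> <community>`). Read the result together with the two captures listed above: "silent" while the inside-interface capture shows the request reaching the device and no reply leaving it points at the agent (wrong community, or an access list on the device itself), not at the ASA; a reply visible on the inside interface that never appears on the outside points at the NAT or the return path. "answered" means the port was open all along and the vendor's scanner was simply sending something the agent would not answer.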

Thanks very much for the help.  You've pretty much confirmed what I thought.  I'm going back to the vendor to ask him where, if anywhere, he has this working!
