Thanks Jon,

Server does use teh ASA as its GW.

Packet tracer shows (on the working setups with udp 9987 and tcp 443) that the packet is dropped, but I assure you it works. So I am less confident in that. It shows dropped in the NAT area.

When I test on the tcp/8082, it shows the same thing but doesn't work.

I just noticed my packet tracer to the server with issues was wrong IP, I ran it again, no NAT failure, but the failure is in ACL, implicit one??

Jeff

Sorry, don't use ASDM but on the CLI the command should be -

"packet-tracer input outside tcp x.x.x.x 12345 <public IP of server> 8082"

where x.x.x.x can be any public IP.

Jon

Better:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
NAT divert to egress interface inside
Untranslate externalIP/8082 to 192.168.1.26/8082

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server01 eq 8082
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
Static translate 55.44.33.43/12345 to 55.44.33.43/12345

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 815269, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

NOw, with the GUI packet tracer, I noticed (in screenshot) it was dropped by implicit deny..the only one I have well, the Global ACL has only a deny, I added a quick "ip any any" and it works now. WHy is it reading global first before the Outside ACL? Never used Global in teh years of ASA fiddling. Should I just use Global and not the OUtside rules?

As far as I am aware global acls are applied after interface acls so it should have worked.

Jon

Ill confirm that if I copy the exact acl from the outside interface ACL, and move to Global, it works as I'd expect, for all my services. So I could do that as a fix, but now I'm stumped as to why it is not reading the outside ACL at all, well it is for some but not all.

Can you just use the outside interface acl without a global or don't permit in the global and then run -

a packet tracer to a server that is working and a packet tracer to this one that isn't and we'll see if we can spot the difference.

Jon

WIthout the Global allows (still allowed in OUTSIDE), non-working then working entries:

asa# packet-tracer input outside tcp 55.44.33.43 12345 ExternalIP 8082

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
NAT divert to egress interface inside
Untranslate ExternalIP/8082 to 192.168.1.26/8082

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server01 eq 8082
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:
Static translate 55.44.33.43/12345 to 55.44.33.43/12345

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static server01 interface service map-server01 map-server01
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 820631, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

asa#
asa#
asa#
asa#
asa#
asa#
asa#
asa#
asa# packet-tracer input outside tcp 55.44.33.43 12345 ExternalIP 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
Additional Information:
NAT divert to egress interface inside
Untranslate ExternalIP/443 to 192.168.1.15/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object nas01 eq https
access-list outside_access_in remark PLEX Media Server
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
Additional Information:
Static translate 55.44.33.43/12345 to 55.44.33.43/12345

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static nas01 interface service HTTPS HTTPS
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 820656, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Sorry about delay in responding.

They are both working according to your outputs ie. the ASA is allowing them both.

Not entirely sure what is happening here.

Can you post output of "sh nat" ?

Jon

NP!

Here is the show nat:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static nas01 interface service teamspeak teamspeak
translate_hits = 5, untranslate_hits = 14
2 (inside) to (outside) source static nas01 interface service plex plex
translate_hits = 91, untranslate_hits = 109
3 (inside) to (outside) source static nas01 interface service HTTPS HTTPS
translate_hits = 470, untranslate_hits = 533
4 (inside) to (outside) source static server01 interface service map-server01 map-server01
translate_hits = 19, untranslate_hits = 19

Auto NAT Policies (Section 2)
1 (outside) to (inside) source static google-dns interface service udp domain domain
translate_hits = 0, untranslate_hits = 294
2 (any) to (outside) source dynamic DynamicNAT interface
translate_hits = 820690, untranslate_hits = 379504

Here is the show access-list output with the global only using the implicit deny:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip any any (hitcnt=901619) 0xa925365e
access-list inside_access_in line 2 extended permit icmp any any (hitcnt=0) 0xd6183fb5
access-list outside_access_in; 9 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object server01 eq 8082 (hitcnt=0) 0xbc5416d5
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.26 eq 8082 (hitcnt=14) 0xbc5416d5
access-list outside_access_in line 2 extended permit tcp any object nas01 eq https (hitcnt=0) 0x321e9a6e
access-list outside_access_in line 2 extended permit tcp any host 192.168.1.15 eq https (hitcnt=536) 0x321e9a6e
access-list outside_access_in line 3 remark PLEX Media Server
access-list outside_access_in line 4 extended permit tcp any object nas01 eq 32400 (hitcnt=0) 0x3fcc3cbb
access-list outside_access_in line 4 extended permit tcp any host 192.168.1.15 eq 32400 (hitcnt=109) 0x3fcc3cbb
access-list outside_access_in line 5 remark 7dtd Map
access-list outside_access_in line 6 extended permit tcp any object game02 object-group DM_INLINE_TCP_2 (hitcnt=0) 0x5daed978
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 9081 (hitcnt=0) 0x6e5306f6
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 9082 (hitcnt=0) 0x6f5a69d6
access-list outside_access_in line 6 extended permit tcp any host 192.168.1.136 eq 28900 (hitcnt=0) 0x440f518f
access-list outside_access_in line 7 remark TeamSpeak
access-list outside_access_in line 8 extended permit udp any object nas01 eq 9987 (hitcnt=0) 0xfd02c985
access-list outside_access_in line 8 extended permit udp any host 192.168.1.15 eq 9987 (hitcnt=7) 0xfd02c985
access-list outside_access_in line 9 extended permit icmp any any (hitcnt=25580) 0x71af81e1
access-list outside_access_in line 10 extended deny ip any interface outside log informational interval 300 (hitcnt=0) 0x5908dec3
access-list global_access; 2 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit tcp any object server01 eq 8082 inactive (hitcnt=0) (inactive) 0xfcd59970
access-list global_access line 1 extended permit tcp any host 192.168.1.26 eq 8082 inactive (hitcnt=0) (inactive) 0xfcd59970
access-list global_access line 2 extended permit tcp any object nas01 eq 32400 inactive (hitcnt=0) (inactive) 0xebf9585d
access-list global_access line 2 extended permit tcp any host 192.168.1.15 eq 32400 inactive (hitcnt=0) (inactive) 0xebf9585d

I did some more testing just now, I was going to output the show access-list when it is working and when it is not (not in global), however it is working as intended now. Global back to only the implicit deny, and my other rules in OUTSIDE are working.

No idea what happened. I banged my head on the wall since sunday on this. The only thing I did different today was added the allow rule to the global (which worked) then removed them and now it works like expected. I'm at a loss. But it is working at the least!

Thank you for all the assistance and looking this over with me.