Port forwarding to my Cisco FPR 1010 using FDM

Hi,

I need help, please. I'm looking to create a port forward on my firewall.

I am trying to come from the outside through a UDP port to the inside of my network.

Can someone please guide me on how to create the NAT rule?


Thanks, Ammar


Hi  MHM,

This is the last time I'll bother you! Below is what I did.

Please let me know if it looks okay.

Thank you very much for your effort.

NAT (screenshot attached)

Access list (screenshot attached)

@AmmarHermiz14196 if you wish to permit inbound traffic to your PiVPN, then that Access Control Rule is incorrect.

You need to write the rule from outside to inside and use the real IP address for the destination server.

Src Zone: outside_zone
Src Net: any
Dst Zone: connection-to-ras-pi
Dst Net: <REAL IP ADDRESS OF RASPBERRY PI>
Dst Ports: ????

You should also define only the required ports in the Dst Ports (seeing as you are translating all ports in the NAT rule).

The example guide previously provided in the initial response demonstrates how to create the NAT rule for inbound access from the internet and the Access Control rule, just amend to fit your requirements.

Also, in addition to what @Rob Ingram mentioned about the ACL, what is the IP 192.168.75.201/29 you use as the interface?

Good morning @Rob Ingram @MHM Cisco World, I would start by thanking you guys!!!

The IP 192.168.75.201/29 is the IP created for the interface on the FPR where the Ras-Pi is going to be connected, so the Ras-Pi would have an IP of 192.168.75.201/29.

So the Dst Zone: connection-to-ras-pi would have the above IP 192.168.75.201/29.

@Rob Ingram 

Src Zone: outside_zone
Src Net: any
Dst Zone: connection-to-ras-pi 192.168.75.201/29 Do I need to create a DHCP server for that IP address???
Dst Net: <REAL IP ADDRESS OF RASPBERRY PI>  192.168.75.201/29
Dst Ports: PiVPN uses port UDP 51820 

What about the NAT rule, is it correct??


Thanks,

Ammar


What @Rob Ingram mentions here: you need an ACL for traffic from the Ras-Pi to outside and another one from outside to the Ras-Pi.

@AmmarHermiz14196 

The IP 192.168.75.201/29 is the IP created for the interface on the FPR where the Ras-Pi is going to be connected, so the Ras-Pi would have an IP of 192.168.75.201/29.

If the interface of the FPR1010 is 192.168.75.201 then the Raspberry Pi's real/actual IP address won't be 192.168.75.201, it will be an IP address in the same network as the FPR1010 interface.

The zone is NOT an IP address. If you are confused, just leave the dst zone as "any" assuming the src zone is "outside", that will work.

Just define the actual/real IP address of the raspberry pi in the Access Control rule, not the NAT IP address.

The NAT rule will work. If you just want to NAT 51820, then specify the port in the NAT rule, only traffic to that port will be translated.
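As an added illustration (not part of the thread, and not FDM's or Cisco's own code), the following Python model shows the order of operations behind the advice in this reply and in the earlier one about the Access Control rule: the firewall un-translates the inbound destination first, then matches the Access Control rule against the real address, so a rule written with the NAT (public) address as its destination never matches. The addresses 192.168.20.2 (public object), 192.168.90.2 (Raspberry Pi) and UDP 51820 come from the thread; the external source 203.0.113.10, the rule classes and the evaluation order are constructed for the example.

```python
"""Model of inbound evaluation on a Firepower/FTD-style firewall:
destination NAT (un-translation) first, then the Access Control rule
matched on the REAL destination. Constructed example, not FDM code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "udp" or "tcp"
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """Static NAT from a real server to a mapped (public) address.
    port=None translates every port; a port value limits the NAT to that one service."""
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None
    port: Optional[int] = None

    def untranslate(self, pkt: Packet) -> Packet:
        if pkt.dst_ip != self.mapped_ip:
            return pkt
        if self.port is not None and (pkt.proto, pkt.dst_port) != (self.proto, self.port):
            return pkt  # port-specific NAT: other ports are left untranslated
        return replace(pkt, dst_ip=self.real_ip)


@dataclass(frozen=True)
class AccessRule:
    src_net: str                   # "any" or a CIDR
    dst_net: str                   # "any" or a CIDR / host address
    proto: Optional[str] = None    # None = any protocol
    dst_port: Optional[int] = None # None = any port

    @staticmethod
    def _in_net(ip: str, net: str) -> bool:
        return net == "any" or ip_address(ip) in ip_network(net, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self._in_net(pkt.src_ip, self.src_net)
                and self._in_net(pkt.dst_ip, self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def evaluate(nat_rules: List[StaticNat], acl: List[AccessRule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, destination IP the Access Control rule was evaluated against)."""
    for nat in nat_rules:          # 1. un-translate the destination
        pkt = nat.untranslate(pkt)
    for rule in acl:               # 2. first matching Access Control rule wins
        if rule.matches(pkt):
            return "permit", pkt.dst_ip
    return "deny", pkt.dst_ip      # implicit deny at the end of the policy


# Values from the thread: public object 192.168.20.2, Raspberry Pi 192.168.90.2, UDP 51820.
PUBLIC_IP, PI_IP, VPN_PORT = "192.168.20.2", "192.168.90.2", 51820
NAT_51820_ONLY = [StaticNat(PI_IP, PUBLIC_IP, "udp", VPN_PORT)]
ACL_WRONG = [AccessRule("any", PUBLIC_IP, "udp", VPN_PORT)]  # destination = NAT (mapped) address
ACL_RIGHT = [AccessRule("any", PI_IP, "udp", VPN_PORT)]      # destination = real address, one port


def scenarios() -> Dict[str, str]:
    """Constructed inbound packets from an external host (203.0.113.10 is a documentation address)."""
    vpn = Packet("203.0.113.10", PUBLIC_IP, "udp", VPN_PORT)
    ssh = Packet("203.0.113.10", PUBLIC_IP, "tcp", 22)
    return {
        "wrong_acl_vpn": evaluate(NAT_51820_ONLY, ACL_WRONG, vpn)[0],   # denied: ACL never sees 192.168.20.2
        "right_acl_vpn": evaluate(NAT_51820_ONLY, ACL_RIGHT, vpn)[0],   # permitted
        "right_acl_ssh": evaluate(NAT_51820_ONLY, ACL_RIGHT, ssh)[0],   # denied: port not in NAT, not in ACL
        "vpn_seen_by_acl_as": evaluate(NAT_51820_ONLY, ACL_RIGHT, vpn)[1],
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Running the block prints the four scenario results; the "wrong_acl_vpn" case is the mistake discussed in the thread, and the "right_acl_ssh" case shows why limiting both the NAT rule and the Access Control rule to UDP 51820 keeps every other port closed.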


@Rob Ingram, I think he has an inside interface connected to an L3 switch or router that the Ras-Pi connects to.
That way the subnet is different between the inside interface and the Ras-Pi,
and for the zone he uses the correct one, but he mentions the IP to make the point about the different subnet clear.
Am I right, @AmmarHermiz14196?

From the previous post it looks like the IP address of the raspberry pi is 192.168.90.2 <<< so this is the IP address that needs to be defined as the dst network/host in the Access Control rule.

Src Zone: outside_zone
Src Net: any
Dst Zone: connection-to-ras-pi  or any
Dst Net: 192.168.90.2
Dst Ports UDP 51820 

I think he uses a network object and uses host IP 192.168.90.2 under the object.

He does have an object called "public-ip" which is used in the NAT rule and the Access Control rule, but the IP address is 192.168.20.2. Hence the request to use the actual/real IP address in the Access Control rule.

Src address: the Ras-Pi device will have IP address 192.168.75.220/24 ((I changed the subnet mask to CIDR /24)). The Ras-Pi device will have gateway IP 192.168.75.201.

Src Network: the interface on the FPR1010 where the Ras-Pi will be plugged in will have an IP of 192.168.75.201/24 ((I changed the subnet mask to CIDR /24)).

Dst Zone: ANY

Dst network: 192.168.20.2/24 (public IP)

Let me know please if that sounds right?


@MHM Cisco World  


I have 6 networks. 5 of them are connected to SW1. Each network has a dedicated port on the FPR1010, and 1 network is connected to SW2. I have NATting and access lists between all 6 networks; they can all see each other, except the Guest Network can't see them.


@Rob Ingram 

The IP 192.168.75.201/29 is the IP created for the interface on the FPR where the Ras-Pi is going to be connected, so the Ras-Pi would have an IP of 192.168.75.201/29.

If the interface of the FPR1010 is 192.168.75.201 then the Raspberry Pi's real/actual IP address won't be 192.168.75.201, it will be an IP address in the same network as the FPR1010 interface. I see what you are saying here. The interface on the FPR1010 is 192.168.75.201/29; in this case the Ras-Pi IP address would be 192.168.75.220/29, correct??

The zone is NOT an IP address. If you are confused, just leave the dst zone as "any" assuming the src zone is "outside", that will work.

Just define the actual/real IP address of the raspberry pi in the Access Control rule, not the NAT IP address. When I create the zone I have to pick the interface where the Ras-Pi is going to be plugged in. I can't specify a specific IP address???

The NAT rule will work. If you just want to NAT 51820, then specify the port in the NAT rule, only traffic to that port will be translated.

@AmmarHermiz14196 in one of your screenshots the IP address of the raspberry pi was 192.168.90.2??

Just define the real/actual IP address of the raspberry pi, whatever it is.

The security zone references the name of the interface(s), so use whichever interface the raspberry pi is connected to.

@Rob Ingram, if I understood you correctly:

Src interface and Src address should be different?
