All,
I've tried setting up some simple port forwarding on my ASA, where I want to forward one port on the external interface for both UDP and TCP to the same port on an internal server.
It works fine for UDP, but all TCP packets are dropped on the outside interface, even though the configuration for UDP and TCP is basically the same! This is my config:
object network MY_SERVER
 host 10.10.1.4
object service TCP_MY_SERVICE
 service tcp destination eq 47500
object service UDP_MY_SERVICE
 service udp destination eq 47500
nat (OUTSIDE,INSIDE) source static any any destination static interface MY_SERVER service UDP_MY_SERVICE UDP_MY_SERVICE
nat (OUTSIDE,INSIDE) source static any any destination static interface MY_SERVER service TCP_MY_SERVICE TCP_MY_SERVICE
access-list OUTSIDE_IN line 1 extended permit tcp any object MY_SERVER eq 47500
access-list OUTSIDE_IN line 2 extended permit udp any object MY_SERVER eq 47500
access-list OUTSIDE_IN line 3 extended deny ip any any log
Port count goes up on line 2 (UDP) but never for line 1. I just see the packet denied instead. Same thing happens in the packet tracer: a packet destined for my external interface on that port for UDP is allowed and NAT'd just fine. For TCP it gets dropped by the ACL on the outside interface.
Where am I going wrong?!
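A small consistency check over the configuration quoted above, added here as an example; it is not part of the original post and not Cisco code. It assumes the ASA 8.3-and-later packet order, in which an inbound packet is un-NATted before the interface ACL is evaluated, so the ACL has to permit traffic to the real inside address (which the posted ACL already does for both protocols). The parser only understands the command forms that appear in the post. The second configuration variant, with the ACL pointed at the mapped interface address instead of the real host, is constructed to show the check flagging that classic mistake; it is not the poster's configuration.

```python
import re

# Configuration from the question above (constructed copy, sub-commands indented).
POSTED_CONFIG = """
object network MY_SERVER
 host 10.10.1.4
object service TCP_MY_SERVICE
 service tcp destination eq 47500
object service UDP_MY_SERVICE
 service udp destination eq 47500
nat (OUTSIDE,INSIDE) source static any any destination static interface MY_SERVER service UDP_MY_SERVICE UDP_MY_SERVICE
nat (OUTSIDE,INSIDE) source static any any destination static interface MY_SERVER service TCP_MY_SERVICE TCP_MY_SERVICE
access-list OUTSIDE_IN line 1 extended permit tcp any object MY_SERVER eq 47500
access-list OUTSIDE_IN line 2 extended permit udp any object MY_SERVER eq 47500
access-list OUTSIDE_IN line 3 extended deny ip any any log
"""

# Constructed variant: the ACL names the mapped (interface) address, which an
# un-NATted packet never carries, so the explicit deny is the first match.
MAPPED_ADDRESS_ACL_CONFIG = """
object network MY_SERVER
 host 10.10.1.4
object service TCP_MY_SERVICE
 service tcp destination eq 47500
object service UDP_MY_SERVICE
 service udp destination eq 47500
nat (OUTSIDE,INSIDE) source static any any destination static interface MY_SERVER service UDP_MY_SERVICE UDP_MY_SERVICE
nat (OUTSIDE,INSIDE) source static any any destination static interface MY_SERVER service TCP_MY_SERVICE TCP_MY_SERVICE
access-list OUTSIDE_IN extended permit tcp any interface OUTSIDE eq 47500
access-list OUTSIDE_IN extended permit udp any interface OUTSIDE eq 47500
access-list OUTSIDE_IN extended deny ip any any log
"""

NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\) source static any any "
    r"destination static (\S+) (\S+) service (\S+) (\S+)$")
ACL_RE = re.compile(
    r"access-list (\S+)(?: line \d+)? extended (permit|deny) (\S+) "
    r"(any|object \S+|host \S+|interface \S+) "
    r"(any|object \S+|host \S+|interface \S+)(?: eq (\d+))?(?: log)?$")


def parse_config(text):
    """Return (hosts, services, nats, acls) for the command forms used in the post."""
    hosts, services, nats, acls = {}, {}, [], []
    current = None  # (kind, name) of the object block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object network "):
            current = ("network", line.split()[2])
        elif line.startswith("object service "):
            current = ("service", line.split()[2])
        elif line.startswith("host ") and current and current[0] == "network":
            hosts[current[1]] = line.split()[1]
        elif line.startswith("service ") and current and current[0] == "service":
            _, proto, _, _, port = line.split()  # service <proto> destination eq <port>
            services[current[1]] = (proto, int(port))
        else:
            m = NAT_RE.match(line)
            if m:
                _in, _out, mapped_dst, real_dst, _mapped_svc, real_svc = m.groups()
                nats.append({"mapped_dst": mapped_dst, "real_dst": real_dst, "real_svc": real_svc})
                continue
            m = ACL_RE.match(line)
            if m:
                _name, action, proto, _src, dst, port = m.groups()
                acls.append({"action": action, "proto": proto, "dst": dst,
                             "port": int(port) if port else None})
    return hosts, services, nats, acls


def acl_decision(acls, hosts, proto, dst_ip, dport):
    """First-match evaluation of the inbound ACL against an already un-NATted packet."""
    for entry in acls:
        if entry["proto"] not in ("ip", proto):
            continue
        dst = entry["dst"]
        if dst == "any":
            dst_ok = True
        elif dst.startswith("object "):
            dst_ok = hosts.get(dst.split()[1]) == dst_ip
        elif dst.startswith("host "):
            dst_ok = dst.split()[1] == dst_ip
        else:
            # "interface X" is the mapped address; the packet carries the real
            # address by the time the ACL runs, so this entry cannot match.
            dst_ok = False
        if dst_ok and entry["port"] in (None, dport):
            return entry["action"]
    return "deny"  # implicit deny at the end of every ASA ACL


def check_inbound_coverage(text):
    """For each inbound twice-NAT rule, report what the outside ACL does to the
    un-NATted packet as (proto, port, real_ip, decision), in NAT rule order."""
    hosts, services, nats, acls = parse_config(text)
    results = []
    for rule in nats:
        proto, port = services[rule["real_svc"]]
        real_ip = hosts[rule["real_dst"]]
        results.append((proto, port, real_ip, acl_decision(acls, hosts, proto, real_ip, port)))
    return results


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("mapped-address ACL", MAPPED_ADDRESS_ACL_CONFIG)):
        for proto, port, ip, decision in check_inbound_coverage(cfg):
            print(f"{label}: {proto}/{port} -> {ip}: {decision}")
```

Run as a script it reports "permit" for both UDP and TCP on the posted rules and "deny" for both on the mapped-address variant. A check like this only covers what is visible in the snippet: it says the quoted NAT rules and ACL agree with each other, not that nothing else on the box (an earlier NAT rule, a different ACL bound to the interface) intercepts the TCP flow first.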