Static NAT on the inside. ASA 8.2 NAT reverse path..

Dear all.

I have the following situation for which I would appreciate some assistance...

Inside host: 10.81.34.55

Inside interface: 10.81.34.80

Using a VPN connection, sessions from the datacenter (AMS) are set up to the 10.81.34.55 host (INDIA).

These sessions must be translated based on port number to either 10.81.34.97 (port 6004) or 10.81.34.98 (port 6005).


Currently we have the following (only the relevant parts) defined:

access-list outside_cryptomap_35 extended permit ip object-group INDIA-XY-SERVERS object-group AMS-XY-SERVERS
access-list outside_access_in extended permit tcp object-group AMS-XY-SERVERS object-group INDIA-XY-SERVERS
access-list PROD extended permit tcp host AMS-PROD host INDIA-XY eq 6004
access-list TEST extended permit tcp host AMS-PROD host INDIA-XY eq 6005
.....
arp timeout 14400
global (outside) 100 IP-PROD
global (outside) 101 IP-TEST
global (outside) 102 interface
nat (inside) 100 access-list PROD
nat (inside) 101 access-list TEST
nat (inside) 102 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.22.38.9 1

....

crypto map outside_map 35 match address outside_cryptomap_35
crypto map outside_map 35 set peer 123.244.232.4
crypto map outside_map 35 set transform-set ESP-3DES-MD5
crypto map outside_map 35 set reverse-route
crypto map outside_map interface outside

For some reason I cannot get it to work.

I get the following messages:

Nov 22 2010 13:58:07: %ASA-7-609001: Built local-host outside:AMS-PROD
Nov 22 2010 13:58:07: %ASA-7-609001: Built local-host inside:INDIA-MC
Nov 22 2010 13:58:07:  %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse  flows; Connection for tcp src outside:AMS-PROD/33087 dst  inside:INDIA-MC/6005 denied due to NAT reverse path failure
Nov 22 2010 13:58:07: %ASA-7-609002: Teardown local-host outside:AMS-PROD duration 0:00:00
Nov 22 2010 13:58:07: %ASA-7-609002: Teardown local-host inside:INDIA-MC duration 0:00:00

I'm running version 8.2(2)16

Public IP numbers are fake.

Looking forward.

Willem..

Maykol Rojas
Cisco Employee

Hello,

What this is stating is that you have a mismatch of NAT rules... meaning that you have a well-defined NAT rule for bidirectional traffic and also a dynamic NAT.

Would you please run a packet-tracer and send us the output?

Cheers

Mike

I currently have configured:

access-list outside_cryptomap_35 extended permit ip object-group INDIA-XY-SERVERS object-group AMS-XY-SERVERS
access-list outside_access_in extended permit tcp object-group AMS-XY-SERVERS object-group INDIA-XY-SERVERS
access-list PROD extended permit tcp host AMS-PROD host INDIA-XYC eq 6004
access-list TEST extended permit tcp host AMS-PROD host INDIA-XYC eq 6005
!...

....

!
ip verify reverse-path interface inside
!

....

!

global (inside) 101 MIP-TEST
global (inside) 100 MIP-PROD
nat (outside) 100 access-list PROD
nat (outside) 101 access-list TEST
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 125.21.37.9 1



MC-India# packet-tracer input inside tcp 10.127.200.12 40000 10.81.34.55 6004 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.81.34.0      255.255.255.0   inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   AMS-PROD        255.255.255.255 outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

MC-India#

This last bit, Reverse-path, is giving me a headache...

Hello,

I see, so where exactly is the destination located? On the AMS Prod or on the inside? Can you paste the output of show asp table routing? The main issue here is that the ASA can see 2 routes and, depending on the NAT statements that you have, it may consider it asymmetric.

Cheers.

Mike

Mike,

Sessions from 10.127.200.12 coming across the VPN tunnel from the outside need to be translated into either 10.81.34.97 (port 6004) or 10.81.34.97 (port 6005) to the 10.81.34.55 server. This one only accepts sessions from 10.81.34.0/24 on the inside.

The requested routing table:

MC-India# sho asp table routing

in   255.255.255.255 255.255.255.255 identity
in   125.21.37.10    255.255.255.255 identity
in   192.168.1.1     255.255.255.255 identity
in   FW-IN-LAN       255.255.255.255 identity
in   AMS-DB          255.255.255.255 outside
in   AMS-PROD        255.255.255.255 outside
in   AMS-DG          255.255.255.255 outside
in   125.21.37.8     255.255.255.252 outside
in   10.81.34.0      255.255.255.0   inside
in   0.0.0.0         0.0.0.0         outside
out  255.255.255.255 255.255.255.255 management
out  224.0.0.0       240.0.0.0       management
out  255.255.255.255 255.255.255.255 inside
out  10.81.34.0      255.255.255.0   inside
out  224.0.0.0       240.0.0.0       inside
out  255.255.255.255 255.255.255.255 outside
out  AMS-DB          255.255.255.255 via 125.21.37.9, outside
out  AMS-PROD        255.255.255.255 via 125.21.37.9, outside
out  AMS-DG          255.255.255.255 via 125.21.37.9, outside
out  125.21.37.8     255.255.255.252 outside
out  224.0.0.0       240.0.0.0       outside
out  0.0.0.0         0.0.0.0         via 125.21.37.9, outside
out  0.0.0.0         0.0.0.0         via 0.0.0.0, identity
out  ::              ::              via 0.0.0.0, identity
MC-India#

LS,

Using the following static I do get the desired result for one session...

MC-India(config)# static (outside,inside) MIP-TEST AMS-PROD netmask 255.255.25$
MC-India(config)#
MC-India# sho nat

NAT policies on Interface outside:
  match ip outside host AMS-PROD inside any
    static translation to MIP-TEST
    translate_hits = 0, untranslate_hits = 0
MC-India#
MC-India# clear logging buff
MC-India# sho capture
capture in-cap type raw-data interface inside [Capturing - 1244 bytes]
MC-India# sho capture in-cap decode det

17 packets captured

   1: 20:24:54.124367 c84c.7522.49cb 0014.5e15.699d 0x0800 82: 10.81.34.98.33109 > 10.81.34.55.6005: S [tcp sum ok] 21689707:21689707(0) win 49640 (DF) (ttl 63, id 59322)
   2: 20:24:54.124520 0014.5e15.699d ffff.ffff.ffff 0x0806 60: arp who-has 10.81.34.98 (ff:ff:ff:ff:ff:ff) tell 10.81.34.55
   3: 20:24:54.124612 c84c.7522.49cb 0014.5e15.699d 0x0806 42: arp reply 10.81.34.98 is-at c8:4c:75:22:49:cb
   4: 20:24:54.124718 0014.5e15.699d c84c.7522.49cb 0x0800 66: 10.81.34.55.6005 > 10.81.34.98.33109: S [tcp sum ok] 714406307:714406307(0) ack 21689708 win 5520 (DF) (ttl 64, id 39269)
   5: 20:24:54.328352 c84c.7522.49cb 0014.5e15.699d 0x0800 54: 10.81.34.98.33109 > 10.81.34.55.6005: . [tcp sum ok] 21689708:21689708(0) ack 714406308 win 49680 (DF) (ttl 63, id 59323)
   6: 20:25:05.598144 c84c.7522.49cb 0014.5e15.699d 0x0800 60: 10.81.34.98.33109 > 10.81.34.55.6005: P [tcp sum ok] 21689708:21689714(6) ack 714406308 win 49680 (DF) (ttl 63, id 59324)

A telnet to 10.81.34.55 6005 does work.

If I do it using:

MC-India(config)# access-list TEST extended permit ip host AMS-PROD host INDIA$
MC-India(config)# static (outside,inside) MIP-TEST access-list TEST
MC-India(config)#
MC-India#
MC-India# sho nat

NAT policies on Interface outside:
  match ip outside host AMS-PROD inside host INDIA-MC
    static translation to MIP-TEST
    translate_hits = 0, untranslate_hits = 0
MC-India#

Same positive result...

Now make it aware of port numbers..

access-list TEST extended permit tcp host AMS-PROD host INDIA-MC eq 6005

MC-India(config)# static (outside,inside) tcp MIP-TEST 6005 access-list TEST
ERROR: Missing local port in access-list used in static pat
MC-India(config)#

Adding the local port is not a solution as this port number is variable....

I also have tried the following...

access-list TEST extended permit tcp host AMS-PROD host INDIA-MC eq 6005
global (inside) 5 MIP-TEST
nat (outside) 5 access-list TEST

For whatever reason the translation does not work.

Nov 23 2010 21:30:46: %ASA-7-609001: Built local-host outside:AMS-PROD
Nov 23 2010 21:30:46: %ASA-7-609001: Built local-host inside:INDIA-MC
Nov 23 2010 21:30:46: %ASA-6-302013: Built inbound TCP connection 5622 for outside:AMS-PROD/33112 (AMS-PROD/33112) to inside:INDIA-MC/6005 (INDIA-MC/6005)
Nov 23 2010 21:31:08: %ASA-6-302014: Teardown TCP connection 5622 for outside:AMS-PROD/33112 to inside:INDIA-MC/6005 duration 0:00:22 bytes 0 TCP Reset-O
Nov 23 2010 21:31:08: %ASA-7-609002: Teardown local-host outside:AMS-PROD duration 0:00:22
Nov 23 2010 21:31:08: %ASA-7-609002: Teardown local-host inside:INDIA-MC duration 0:00:22
MC-India(config)# sho capture in-cap deco det

4 packets captured

   1: 21:30:46.117852 c84c.7522.49cb 0014.5e15.699d 0x0800 82: 10.127.200.12.33112 > 10.81.34.55.6005: S [tcp sum ok] 266933649:266933649(0) win 49640 (DF) (ttl 63, id 40057)
   2: 21:30:49.503559 c84c.7522.49cb 0014.5e15.699d 0x0800 82: 10.127.200.12.33112 > 10.81.34.55.6005: S [tcp sum ok] 266933649:266933649(0) win 49640 (DF) (ttl 63, id 40058)
   3: 21:30:56.273301 c84c.7522.49cb 0014.5e15.699d 0x0800 66: 10.127.200.12.33112 > 10.81.34.55.6005: S [tcp sum ok] 266933649:266933649(0) win 49640 (DF) (ttl 63, id 40059)
   4: 21:31:08.863206 c84c.7522.49cb 0014.5e15.699d 0x0800 54: 10.127.200.12.33112 > 10.81.34.55.6005: R [tcp sum ok] 266933650:266933650(0) win 49640 (DF) (ttl 63, id 40060)
4 packets shown
MC-India(config)#

Who knows how to proceed...

What is the solution...

Willem
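As an added example (not code from the thread), a small Python parser for the two ASA syslog messages quoted in these posts: the %ASA-5-305013 "NAT reverse path failure" from the first post and the %ASA-6-302013 "Built inbound TCP connection" lines above. It flags connections whose mapped address/port in parentheses equals the real one, which is how the ASA shows that no translation was applied; the sample log is constructed from the lines quoted in the posts.

```python
import re
# Constructed sample, shaped like the ASA 8.2 syslog lines quoted in this
# thread (object names such as AMS-PROD stand in for addresses, as in the posts).
SAMPLE_LOG = """\
Nov 22 2010 13:58:07:  %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse  flows; Connection for tcp src outside:AMS-PROD/33087 dst  inside:INDIA-MC/6005 denied due to NAT reverse path failure
Nov 23 2010 21:30:46: %ASA-6-302013: Built inbound TCP connection 5622 for outside:AMS-PROD/33112 (AMS-PROD/33112) to inside:INDIA-MC/6005 (INDIA-MC/6005)
Nov 23 2010 21:31:08: %ASA-6-302014: Teardown TCP connection 5622 for outside:AMS-PROD/33112 to inside:INDIA-MC/6005 duration 0:00:22 bytes 0 TCP Reset-O
"""

# Severity, six-digit message id and body; \s+ tolerates the doubled spaces.
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# 305013: the flow that failed the NAT reverse-path check.
RPF_RE = re.compile(
    r"src (?P<sif>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+)\s+dst\s+"
    r"(?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+)")
# 302013: each side is real address/port followed by mapped address/port in ().
BUILT_RE = re.compile(
    r"for (?P<sif>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) \((?P<msrc>[^/]+)/(?P<msport>\d+)\) "
    r"to (?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \((?P<mdst>[^/]+)/(?P<mdport>\d+)\)")

def parse_asa_line(line):
    """Return (msgid, body) for an ASA syslog line, or None for anything else."""
    m = MSG_RE.search(line)
    return (m.group("msgid"), m.group("body")) if m else None

def nat_rpf_failures(log):
    """Flows dropped with 'NAT reverse path failure' (message 305013)."""
    hits = []
    for line in log.splitlines():
        parsed = parse_asa_line(line)
        if parsed and parsed[0] == "305013":
            m = RPF_RE.search(parsed[1])
            if m:
                hits.append(m.groupdict())
    return hits

def untranslated_connections(log):
    """302013 connections where mapped == real on both sides, i.e. no NAT rule
    was applied; this is what the 'translation does not work' log shows."""
    hits = []
    for line in log.splitlines():
        parsed = parse_asa_line(line)
        if parsed and parsed[0] == "302013":
            m = BUILT_RE.search(parsed[1])
            if m and (m["src"], m["sport"], m["dst"], m["dport"]) == \
                    (m["msrc"], m["msport"], m["mdst"], m["mdport"]):
                hits.append(m.groupdict())
    return hits
```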

All,

It is solved using:


access-list PROD extended permit tcp host 10.127.200.12 host 10.81.34.55 eq 6004
access-list TEST extended permit tcp host 10.127.200.12 host 10.81.34.55 eq 6005
access-list TEST1 extended permit tcp host 10.81.34.55 eq 6005 host 10.127.200.12
access-list PROD1 extended permit tcp host 10.81.34.55 eq 6004 host 10.127.200.12
....
global (inside) 4 10.81.34.97 netmask 255.255.255.255
global (inside) 5 10.81.34.98 netmask 255.255.255.255
nat (outside) 4 access-list PROD outside
nat (outside) 5 access-list TEST outside
static (inside,outside) tcp 10.81.34.55 6005 access-list TEST1
static (inside,outside) tcp 10.81.34.55 6004 access-list PROD1

Enjoy,

Thanks to Hamzah Kardame who worked out this solution.

Thanks to Jephte Mwen for working with me to get this to work.

Willem