Hi

our command helped to identify the acl 

Thanks

Hi,

I have done packet tracing  , in packet trace  acl droped , but in syslog (attached) built connection ?

packet-tracer input outside udp globaloutside 53 global inside 58610

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTSIDE-IP 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via WANinterface-ip, Outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks

what are you trying to simulate with these port-numbers?

packet-tracer input outside udp globaloutside 53 global inside 58610

For a real simulation the destination port has to be 53. And which addresses are you using in the trace?

Hi,

I am getting dns amplification attack , that's why the source port is 53 (source is address is a public ip from outside and  destination is my auto nat ip address which is the outside interface ip of the firewall 

Thanks

> Just to understand ,from NAT-config how can we troubleshoot these kind of problems ? 

it just could be used to see if there is any configuration that allows this inbound traffic.