VLAN Access Control List for Ip-Helper Output from ISR4431 - Broadcast to Unicast Output Control on Private Network

I am forwarding two ports of broadcast UDP data from an inside private network VLAN (VLAN 100) to two outside private networks via WAN connections on an ISR4431. The broadcast forwarding seems to work using the ip-helper addresses in the VLAN. The sources of the broadcast data are also NAT'd to the sources on the WAN ports. I am wanting to separate the packets to their appropriate outside private networks. However, I am having an issue with both ports of UDP data on both networks: port 5207 is from source 10.1.1.87, which belongs on the 10.194.234.0 network, and port 6001 is from source 10.1.1.99 and belongs on the 10.0.1.0 network. I have tried several iterations of extended access control lists on the VLAN output to control that data from each source to the WAN connections. I am currently at a loss. I have tried standard access lists on the two WAN ports with no effect, as well. I have attached the relevant part of my configuration. Any and all comments and/or suggestions are welcome.

!
vtp mode transparent
!
vlan internal allocation policy ascending
!
vlan 100
interface GigabitEthernet0/0/0
ip address 10.0.1.33 255.255.255.0
ip nat outside
negotiation auto
no shutdown
!
interface GigabitEthernet0/0/1
ip address 10.194.234.1 255.255.255.0
ip nat outside
negotiation auto
no shutdown
!
interface Vlan100
ip address 10.1.1.190 255.255.255.0
ip helper-address 10.194.234.99
ip helper-address 10.0.1.210
ip nat inside
ip access-group V100OUT in
no shutdown
!
ip nat inside source static 10.1.1.87 10.194.234.1
ip nat inside source static 10.1.1.99 10.0.1.33
!
ip forward-protocol udp 5207
ip forward-protocol udp 6001
!
ip access-list extended V100OUT
permit udp host 10.1.1.0 host 10.1.1.255
permit udp host 10.1.1.87 host 10.156.51.226
permit udp host 10.1.1.99 host 10.0.1.210

I noticed I had a typo in the access list; here is the correct one.

ip access-list extended V100OUT
permit udp host 10.1.1.0 host 10.1.1.255
permit udp host 10.1.1.87 host 10.156.51.99
permit udp host 10.1.1.99 host 10.0.1.210
My issue is still present.    

I find it difficult to fully understand your description of the issue. But I think I understand that the important part is that you want to forward broadcast packets of UDP port 5207 to 10.194.234.99 but not to 10.0.1.210, and you want to forward broadcast packets of UDP port 6001 to 10.0.1.210 but not to 10.194.234.99. Is that correct? Unfortunately I don't know of any way to do that. When you use multiple helper addresses to forward broadcasts to multiple destinations, the helper address feature forwards copies of each broadcast to each of the configured destinations. I do not know of any way to make the forwarding selective.

I assume this means that you will not need the access list that you configured. But just in case you do want to use it for something, I have these comments about the access list.

permit udp host 10.1.1.0 host 10.1.1.255

This line will look for packets with source address of 10.1.1.0 but there will be no packets with that source address. This is the network address for the subnet and no host will use that address.
permit udp host 10.1.1.87 host 10.156.51.99

This line has a source address that makes sense but I do not understand the destination address. There is no mention in your description of 10.156.51.99
permit udp host 10.1.1.99 host 10.0.1.210

This line is the only one that correctly relates to your configuration of helper addresses.

I will also point out that in an extended access list there is an implied last line which is deny any any. So if you apply this access list to interface vlan 100 as an inbound filter, then only packets explicitly permitted will be forwarded, and so all the other traffic from all the hosts in vlan 100 will be denied.

HTH

Rick

You are correct. My posted configuration is not what works. I tried to sanitize it a bit and I think I might have confused the situation. I will try to clarify what I am dealing with and the current results, along with the unwanted artifacts on the two outside networks:
From the inside private network src: 10.1.1.99 dest 10.1.1.255 port 6001 broadcast UDP, with ip-helper in vlan 100 of 10.0.1.210 & ip forward 6001, results in outside private network unicast UDP output from G0/0/1 src: 10.0.1.33 dest: 10.0.1.99 port 6001 (this is intended). I also have src: 10.194.234.1 dest 10.0.1.210 port 5207 packets on this network. These packets are not wanted on this outside network.
From the inside private network src: 10.1.1.87 dest 10.1.1.255 port 5207 broadcast UDP, with ip-helper in vlan100 of 10.194.234.99 & ip forward of 5207, results in outside private network unicast UDP output from G0/0/1 src: 10.194.134.1 dest of 10.194.234.99 port 5207 (works as intended). I also have src: 10.0.1.99 dest 10.194.234.99 port 6001 packets on this network. These packets are not wanted on this outside network.
I'm looking for a way to selectively filter, via access-list or some other method, the packets in bold from each outside private network. I have attempted several iterations of extended access-list on the VLAN source, but it is unclear to me, since it is a multilayer switch, if this is the appropriate location for the access-list. I have also attempted standard access-lists on the G0/0/0 and G0/0/1 ports, as well. This had no change either. I'm looking for any and all suggestions. They are most welcome and appreciated!
Hi,

You can't fix this with NAT or PBR; it's an inherent flaw of the "ip helper-address" feature, which doesn't really have options. Both broadcast packets, from 10.1.1.99 and from 10.1.1.87, will be wrapped into unicast and sent to both configured "helper-addresses"; if the traffic matches any other features, like NAT or QoS, or whatever else, it will apply those features but still leave the router. You have two solutions:

- the preferred one is to split the two hosts sending broadcasts into two different VLANs and thus have one "helper-address" configured per VLAN

- as a workaround, configure an outbound ACL on each of your egress interfaces and deny the traffic which you want to forbid (I also recommend changing your NAT segments to use UDP, since you're using the router's interface to statically NAT into)
! "extended" is required for a named ACL that matches on protocol and destination
ip access-list extended FIRST_EXIT
 deny udp host 10.0.1.33 host 10.194.234.99
 permit ip any any
!
interface GigabitEthernet0/0/1
 ip access-group FIRST_EXIT out
!
ip access-list extended SECOND_EXIT
 deny udp host 10.194.234.1 host 10.0.1.210
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group SECOND_EXIT out
Regards,

Cristian Matei.
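The two replies above make two points that are easy to check on paper but easier to see in code: Rick's, that an extended ACL ends in an implicit deny, so the original V100OUT applied inbound on Vlan100 would not even match the broadcasts themselves; and Cristian's, that the helper feature copies every forwarded broadcast to every helper address, so the stray copies can only be dropped after the fact with outbound ACLs on the egress interfaces. The model below is an added example written for this thread; it is not Cisco code and not the poster's configuration. It uses the addresses, ports and ACL entries quoted in the thread, and assumes (from the posted interface blocks) that 10.0.1.0/24 is connected on GigabitEthernet0/0/0 and 10.194.234.0/24 on GigabitEthernet0/0/1, that static NAT is applied before the outbound ACL, and that only the "any" and "host" matchers plus a trailing "eq" are needed.

```python
"""Model of IOS helper-address fan-out, static NAT and interface ACLs.
Added illustration for this thread, not Cisco code and not the poster's
configuration. ACL semantics: first match wins, unmatched -> implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: Optional[str]         # None means "any"
    dst: Optional[str]
    dport: Optional[int]       # from a trailing "eq <port>", if present


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry: only "any", "host A.B.C.D" and "eq N" are supported here."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr() -> Optional[str]:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None
        if tok[i] != "host":
            raise ValueError(f"unsupported matcher in: {line}")
        i += 2
        return tok[i - 1]

    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry decides; falling off the end is the implicit "deny any any"."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src is not None and ip_address(ace.src) != ip_address(pkt.src):
            continue
        if ace.dst is not None and ip_address(ace.dst) != ip_address(pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


# --- the thread's topology (interface-to-subnet mapping is assumed from the posted config) ---
HELPERS = ["10.194.234.99", "10.0.1.210"]           # ip helper-address on Vlan100
FORWARD_PORTS = {5207, 6001}                         # ip forward-protocol udp ...
STATIC_NAT = {"10.1.1.87": "10.194.234.1",          # ip nat inside source static ...
              "10.1.1.99": "10.0.1.33"}
CONNECTED = {"GigabitEthernet0/0/0": ip_network("10.0.1.0/24"),
             "GigabitEthernet0/0/1": ip_network("10.194.234.0/24")}

# The poster's original inbound ACL (Rick's implicit-deny point).
V100OUT = parse_acl("""
    permit udp host 10.1.1.0 host 10.1.1.255
    permit udp host 10.1.1.87 host 10.156.51.99
    permit udp host 10.1.1.99 host 10.0.1.210""")

# The outbound ACLs from the last reply, keyed by the interface they are applied to.
EGRESS_ACL = {
    "GigabitEthernet0/0/1": parse_acl("deny udp host 10.0.1.33 host 10.194.234.99\npermit ip any any"),
    "GigabitEthernet0/0/0": parse_acl("deny udp host 10.194.234.1 host 10.0.1.210\npermit ip any any"),
}


def helper_fanout(bcast: Packet):
    """One forwarded broadcast becomes one unicast copy per helper address; each copy is
    source-translated by static NAT and leaves via the interface whose connected subnet
    contains the helper. The helper feature has no per-host or per-port selectivity."""
    if bcast.proto != "udp" or bcast.dport not in FORWARD_PORTS:
        return []
    copies = []
    for helper in HELPERS:
        egress = next(n for n, net in CONNECTED.items() if ip_address(helper) in net)
        copies.append((egress, Packet(STATIC_NAT.get(bcast.src, bcast.src), helper, "udp", bcast.dport)))
    return copies


def after_egress_acl(bcast: Packet):
    """Copies that survive each interface's outbound ACL (evaluated on post-NAT addresses)."""
    return [(i, p) for i, p in helper_fanout(bcast) if acl_permits(EGRESS_ACL[i], p)]


if __name__ == "__main__":
    for b in (Packet("10.1.1.99", "10.1.1.255", "udp", 6001),
              Packet("10.1.1.87", "10.1.1.255", "udp", 5207)):
        print(b.src, b.dport, "fan-out:", len(helper_fanout(b)), "after ACL:", after_egress_acl(b))
```

Running it shows each broadcast producing two unicast copies, one per helper, and exactly the cross copy being dropped by the egress ACL on the wrong interface; it also shows that V100OUT, applied inbound, matches neither the 10.1.1.99 nor the 10.1.1.87 broadcast and would silently discard them along with all other VLAN 100 traffic.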