Recently I was at a client site where I created new access rules that looked good and should have been working. In order to troubleshoot why my rules were not working, I used the packet-tracer command for testing (IPs have been changed). I was able to find another rule that was blocking me. Once I removed that rule, I retested with packet-tracer successfully and I was able to access the server externally.
fw5540(config)# packet-tracer input outside tcp 8.8.8.8 80 10.192.37.242 3389
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SC_Stock
nat (dmz,outside) static SC_Stock_External
Additional Information:
NAT divert to egress interface dmz
Untranslate test_External/3389 to 192.168.1.82/3389
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any log
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So, as you can see, the SC_Stock rules were blocking me.
***************************************************************
Below I retested successfully.
fw5540# packet-tracer input outside tcp 8.8.8.8 80 10.192.37.242 3389
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SVR_NT4
nat (inside,outside) static 10.192.37.242 service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 10.192.37.242/3389 to WEBSVR1/3389
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any4 object SVR_NT4 eq 3389
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SVR_NT4
nat (inside,outside) static 10.192.37.242 service tcp 3389 3389
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139687922, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
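As an added example (not code from the original post), here is a small Python parser for ASA packet-tracer output that splits the trace into its phases and reports which phase returned DROP together with the Drop-reason, so the blocking rule can be read straight from the Config lines of that phase. The embedded sample is a constructed, trimmed copy of the denied trace shown above.

```python
def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per "Phase:" block plus the final "Result:" block."""
    phases, verdict, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, val = (s.strip() for s in line.partition(":"))
        key = key if sep else None              # body lines have no "Key: value" shape
        if key == "Phase":
            phases.append({"phase": int(val), "config": [], "info": []})
            section = "header"
        elif key == "Result" and not val:       # bare "Result:" opens the final verdict block
            section = "verdict"
        elif section == "verdict" and key:
            verdict[key.lower()] = val          # input-interface, action, drop-reason, ...
        elif section is None or not line:
            continue                            # prompt/command text before the first phase
        elif key in ("Type", "Subtype", "Result"):
            phases[-1][key.lower()] = val
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section in ("config", "info"):
            phases[-1][section].append(line)    # the matched rule or NAT detail
    return phases, verdict

def blocking_phase(phases, verdict):
    """First phase whose Result is DROP, or None when the final Action is allow."""
    if verdict.get("action") != "drop":
        return None
    return next((p for p in phases if p.get("result") == "DROP"), None)

# Constructed sample: the denied trace from the post, trimmed to the lines the parser needs.
SAMPLE = (
    "Phase: 1\nType: UN-NAT\nSubtype: static\nResult: ALLOW\nConfig:\n"
    "object network SC_Stock\nnat (dmz,outside) static SC_Stock_External\n"
    "Additional Information:\nNAT divert to egress interface dmz\n"
    "Phase: 2\nType: ACCESS-LIST\nSubtype: log\nResult: DROP\nConfig:\n"
    "access-group outside_access_in in interface outside\n"
    "access-list outside_access_in extended deny ip any any log\n"
    "Additional Information:\nResult:\ninput-interface: outside\n"
    "output-interface: dmz\nAction: drop\n"
    "Drop-reason: (acl-drop) Flow is denied by configured rule\n"
)

if __name__ == "__main__":
    phases, verdict = parse_packet_tracer(SAMPLE)
    print(blocking_phase(phases, verdict), verdict.get("drop-reason"))
```

Paste a full trace (including the prompt and command line) into the parser; anything before the first "Phase:" line is skipped.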