I asked this question yesterday when I (seemingly) couldn't get traffic across my router.
I've spent a lot of time since then with packet capturing, the ASA 5505 cli/ASDM and wireshark.
I've finally realised that my issue is that there are two entries to the LAN.
The LAN is 10.10.5.0/24, with a PDC (DHCP/DNS/etc) at 10.10.5.5, Watchguard Firewall at 10.10.5.1
One entry point has a Watchguard Firewall set up and it's purpose is to manage almost all of the traffic in our organisation. In fact, it does all the traffic except for one specific set.
Which is the other entry point, for a single client. That client's server is at 10.10.5.30 and the ASA 5505 router is 10.10.5.2 (bridged across a modem).
We run services on a number of our servers, on UDP 3000. For all the other servers, all internet, ftp and etc traffic we want it to go out the main Watchguard gateway. And it does.
But for that one server, I want just the port 3000-3002 UDP to go out through the ASA 5505. All UDP data from other servers (including port 3000-3002) is to go through the WG.
I've discovered that while the traffic is coming in through 10.10.5.2 (the ASA5505), the correct server, 10.10.5.30, is receiving the data, BUT then 10.10.5.30 is trying to send the ACK requests back across the 10.10.5.1 firewall.
The symptoms are that it looks like the ASA has no traffic going across it, and we aren't getting any flow. How can I force certain protocols and ports for this server across the ASA rather than the WG?
The ASA 5505 has NAT rules to forward all UDP straight to .30 and to drop everything else.
Important Notes: other servers are using the same protocol and port through the WatchGuard at 10.10.5.1, so I can't just push ALL the LAN's UDP port 3000 data out the one connection - I need to split it.
Update Essentially I need to create a route on the server 10.10.5.30 explicitly for UDP ports 3000-3002. I think. It is a Windows 2003 Server SP2
