Hello,

I ran the following packet tracer using a destination on the Inside with private IP and I'm trying to understand what rule its specifically referencing when it say's the flow was dropped. 

firepower# packet-tracer input outSIDE udp 69.185.96.215 1025 10.83.200.25 3544 detaild

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 30708 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffbc3df5f0, priority=1, domain=permit, deny=false
hits=281051874026, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 36679 ns
Config:
Additional Information:
Found next-hop 10.180.0.201 using egress ifc INSIDE(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 14714 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 268453998
access-list CSM_FW_ACL_ remark rule-id 268453998: PREFILTER POLICY: FASTPATH
access-list CSM_FW_ACL_ remark rule-id 268453998: RULE: DEFAULT TUNNEL ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffa81d3180, priority=12, domain=permit, deny=false
hits=13460, user_data=0xffddd42b00, cs_id=0x0, use_real_addr, flags=0x0, protocol=17
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=3544, tag=any, ifc=any, vlan=0,
src nsg_id=none, dst nsg_id=none

sport range<0> : 1025-65535 dscp=0x0, input_ifc=any, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 14714 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffa85d57b0, priority=7, domain=conn-set, deny=false
hits=1858687396, user_data=0xffa85d3340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=OUTSIDE(vrfid:0), output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 14714 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc096c720, priority=0, domain=nat-per-session, deny=true
hits=6688481459, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 14714 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffbc3e5970, priority=0, domain=inspect-ip-options, deny=true
hits=5318748547, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=OUTSIDE(vrfid:0), output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 62269 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffbe9871d0, priority=20, domain=lu, deny=false
hits=930072487, user_data=0x0, cs_id=0x0, flags=0x0, protocol=17
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=OUTSIDE(vrfid:0), output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 3412 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb4c5fab0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=1328718509, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=OUTSIDE(vrfid:0), output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 14501 ns
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffc0c80080, priority=6, domain=nat-reverse, deny=false
hits=24377256, user_data=0xffc0c75990, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=OUTSIDE(vrfid:0), output_ifc=INSIDE(vrfid:0)

Result:
input-interface: OUTSIDE(vrfid:0)
input-status: up
input-line-status: up
output-interface: INSIDE(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 191925 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad882920 flow (NA)/NA

when running it this way my hit counter increases on the rule id 268453998. However, if I run this same packet tracer using my public IP as the destination I get the following output and my hit count doesn't go up. 

Phase: 1
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 30423 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc096c720, priority=0, domain=nat-per-session, deny=true
hits=6688965993, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 30423 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffbc3e0a00, priority=0, domain=permit, deny=true
hits=79288593, user_data=0xb, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=OUTSIDE(vrfid:0), output_ifc=any

Result:
input-interface: OUTSIDE(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Time Taken: 60846 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad87a248 flow (NA)/NA

Why is that and how can I figure out what rule this hit?

Thanks