How does P2P work through Cisco ASA?
Good day to all!
The gist of the question:
There is a Cisco ASA with a certain network behind it. On that network there is a host that is allowed to go out on several ports to any address. The ports are standard: tcp/80, 443, 22, 25, 110, etc., the basic well-known services in general. In addition, it needs to bring up a P2P connection, so udp/8800 and 8802 are also open. From the outside, everything is closed to it. The device itself is a video recorder.
It needs P2P to simplify access from the outside: roughly, a QR code is scanned from the screen by a mobile device through special software, and then a connection to the recorder can be established from anywhere in the world.
So P2P Enable is turned on. The device itself reports "connection successful". In the connections I see that a connection is being established on the allowed ports, and everything is in order:
------
UDP outside 154.93.87.103:8802 inside 172.20.1.91:54135, idle 0:00:31, bytes 932, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:45732, idle 0:01:13, bytes 375, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:41747, idle 0:01:13, bytes 400, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:50484, idle 0:01:25, bytes 72, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:35176, idle 0:01:29, bytes 72, flags -
UDP outside 154.93.87.103:8802 inside 172.20.1.91:36441, idle 0:01:22, bytes 4234, flags -
-------
Then I try to connect to it from a tablet over the 3G network. And I manage to connect!
The connections on the ASA now look like this:
------
UDP outside 78.25.122.127:42957 inside 172.20.1.91:34697, idle 0:00:20, bytes 88, flags -
UDP outside 78.25.122.127:42956 inside 172.20.1.91:34697, idle 0:00:20, bytes 88, flags -
UDP outside 78.25.122.127:42378 inside 172.20.1.91:50106, idle 0:00:38, bytes 792, flags -
UDP outside 78.25.122.127:18116 inside 172.20.1.91:54692, idle 0:01:17, bytes 792, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:38807, idle 0:00:01, bytes 72, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:34952, idle 0:00:05, bytes 72, flags -
UDP outside 154.93.87.103:42956 inside 172.20.1.91:34697, idle 0:00:00, bytes 1852179, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:34697, idle 0:00:20, bytes 72, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:50542, idle 0:00:21, bytes 72, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:50593, idle 0:00:24, bytes 72, flags -
------
where 78.25.122.127 is the external IP of my mobile internet connection.
I just can't figure out how the ASA allowed traffic to pass on ports that were not actually allowed.
My thought is that it is inspect, but which inspection works for P2P?
Recheck the ACL applied with access-group acl in interface inside. You may have all UDP allowed.
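As an added example (not from the original thread), the following script parses the kind of ASA connection-table lines quoted in the question, lists the UDP flows whose outside port is not in the set the inside ACL is supposed to permit (udp/8800 and 8802 here), and groups flows by inside port to make the rendezvous-server-plus-peer pattern of the P2P connection visible. The sample lines are constructed to match the question's output; the script only helps audit the table and does not by itself decide what the ACL permits.

```python
import re
from typing import NamedTuple

# Constructed sample, modelled on the "show conn" lines quoted in the question.
SAMPLE_CONN = """\
UDP outside 78.25.122.127:42957 inside 172.20.1.91:34697, idle 0:00:20, bytes 88, flags -
UDP outside 78.25.122.127:42956 inside 172.20.1.91:34697, idle 0:00:20, bytes 88, flags -
UDP outside 154.93.87.103:8800 inside 172.20.1.91:34697, idle 0:00:20, bytes 72, flags -
UDP outside 154.93.87.103:42956 inside 172.20.1.91:34697, idle 0:00:00, bytes 1852179, flags -
UDP outside 154.93.87.103:8802 inside 172.20.1.91:36441, idle 0:01:22, bytes 4234, flags -
"""

# Matches one connection-table line of the shape shown above (assumed format).
CONN_RE = re.compile(
    r"^(?P<proto>\w+) outside (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"inside (?P<in_ip>[\d.]+):(?P<in_port>\d+), idle (?P<idle>[\d:]+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

class Conn(NamedTuple):
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    nbytes: int

def parse_conn(text):
    """Parse connection-table text into Conn records; lines that don't match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                              m["in_ip"], int(m["in_port"]), int(m["bytes"])))
    return conns

def unexpected_outside_ports(conns, allowed_udp):
    """UDP flows whose outside port is not in the set the inside ACL is meant to permit."""
    return [c for c in conns if c.proto == "UDP" and c.out_port not in allowed_udp]

def peers_per_inside_port(conns):
    """Inside ports that talk to more than one outside host: the rendezvous-server-plus-peer pattern."""
    by_port = {}
    for c in conns:
        by_port.setdefault(c.in_port, set()).add(c.out_ip)
    return {p: sorted(ips) for p, ips in by_port.items() if len(ips) > 1}

if __name__ == "__main__":
    conns = parse_conn(SAMPLE_CONN)
    for c in unexpected_outside_ports(conns, {8800, 8802}):
        print("not in allowed set:", c)
    print("inside ports with several outside peers:", peers_per_inside_port(conns))
```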