As I cannot connect to the ASA to initiate any traffic for testing purposes, I simulated the settings on our 2 PAs.

The diagram is:
172.16.4.241 is NATed to 123.103.202.111
192.168.55.250 is NATed to 78.152.42.166

SYD-PA config is:
1. static routing to 78.152.42.166 points to the tunnel interface
2. outbound security policy is from trust zone 172.16.4.241 to ipsec zone 78.152.42.166, allow any
3. inbound security policy is from ipsec zone 78.152.42.166 to trust zone 123.103.202.111, allow any
4. NAT policy is from trust zone to ipsec zone, 172.16.4.241 source NAT to 123.103.202.111, bi-directional is yes

LDN-PA config is:
1. static routing to 123.103.202.111 points to the tunnel interface
2. outbound security policy is from trust zone 192.168.55.250 to ipsec zone 123.103.202.111, allow any
3. inbound security policy is from ipsec zone 123.103.202.111 to trust zone 78.152.42.166, allow any
4. NAT policy is from trust zone to ipsec zone, 192.168.55.250 source NAT to 78.152.42.166, bi-directional is yes

My testing result: on the SYD switch, ping 78.152.42.166 from 172.16.4.241; the ping failed. I can see the ping log on SYD-PA and the log detail shows the NAT was triggered. I cannot see any logs from/to 123.103.202.111 on LDN-PA. I started a pcap on LDN-PA and I can see the ICMP packets in drp.pcap and rcv.pcap. I've no idea where the issue is...
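The following is an added example, not part of the post and not PAN-OS code: a small model that walks one ping through the two NAT and security configurations listed above, using the PAN-OS matching order (NAT rules match pre-NAT zones from a route lookup on the original destination; security rules match pre-NAT IP addresses but post-NAT zones; "bi-directional: yes" on a static source NAT adds an implicit reverse destination-NAT rule). The trust subnets (/24) and the zone names are assumptions; only the /32 hosts appear in the post. It does not say where the ping is lost; it shows what the expected zone and address at each hop should be, which is what you compare against the traffic log and the pcap on each box.

```python
"""Constructed model (not PAN-OS code) of one ping crossing SYD-PA and LDN-PA
with the bidirectional static source NAT described in the post.

Encoded PAN-OS rules of thumb:
  * NAT rules match pre-NAT zones; the destination zone comes from a route
    lookup on the original destination address.
  * Security rules match pre-NAT IP addresses but post-NAT zones.
  * "bi-directional: yes" on a static source NAT adds an implicit reverse
    rule: traffic arriving from the rule's destination zone and addressed to
    the translated address has its destination translated back.
The /24 trust subnets are assumptions; only the /32 hosts appear in the post.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Firewall:
    name: str
    routes: dict    # prefix -> zone (longest prefix wins)
    nat_src: tuple  # (from_zone, to_zone, original_src, translated_src), bidirectional
    security: list  # (from_zone, to_zone, src_ip_or_any, dst_ip_or_any, action)

    def zone_for(self, ip: str):
        """Longest-prefix route lookup returning the zone of the egress interface."""
        best = None
        for prefix, zone in self.routes.items():
            net = ip_network(prefix)
            if ip_address(ip) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, zone)
        return best[1] if best else None

    def process(self, pkt: Packet, ingress: str):
        """Evaluate one first packet; returns (action, egress_zone, post_nat_packet)."""
        from_zone, to_zone, orig, xlat = self.nat_src
        post = pkt
        if ingress == from_zone and self.zone_for(pkt.dst) == to_zone and pkt.src == orig:
            post = replace(pkt, src=xlat)      # source NAT, forward direction
        elif ingress == to_zone and pkt.dst == xlat:
            post = replace(pkt, dst=orig)      # implicit reverse (destination) NAT
        egress = self.zone_for(post.dst)       # security policy uses the post-NAT zone
        for f_zone, t_zone, s_ip, d_ip, action in self.security:
            if (f_zone == ingress and t_zone == egress
                    and s_ip in ("any", pkt.src) and d_ip in ("any", pkt.dst)):  # pre-NAT IPs
                return action, egress, post
        return "deny", egress, post            # interzone default deny


SYD_PA = Firewall(
    "SYD-PA",
    {"172.16.4.0/24": "trust", "78.152.42.166/32": "ipsec"},
    ("trust", "ipsec", "172.16.4.241", "123.103.202.111"),
    [("trust", "ipsec", "172.16.4.241", "78.152.42.166", "allow"),
     ("ipsec", "trust", "78.152.42.166", "123.103.202.111", "allow")],
)
LDN_PA = Firewall(
    "LDN-PA",
    {"192.168.55.0/24": "trust", "123.103.202.111/32": "ipsec"},
    ("trust", "ipsec", "192.168.55.250", "78.152.42.166"),
    [("trust", "ipsec", "192.168.55.250", "123.103.202.111", "allow"),
     ("ipsec", "trust", "123.103.202.111", "78.152.42.166", "allow")],
)


def trace_ping(src="172.16.4.241", dst="78.152.42.166"):
    """Walk the echo request SYD->LDN and the echo reply LDN->SYD. Each leg is
    evaluated as a first packet; a real firewall matches the reply to the
    existing session instead of re-evaluating policy."""
    hops = []
    pkt = Packet(src, dst)
    for fw, ingress in ((SYD_PA, "trust"), (LDN_PA, "ipsec")):
        action, egress, pkt = fw.process(pkt, ingress)
        hops.append((fw.name, action, egress, pkt.src, pkt.dst))
        if action != "allow":
            return hops
    reply = Packet(pkt.dst, pkt.src)   # host behind LDN-PA answers the post-NAT source
    for fw, ingress in ((LDN_PA, "trust"), (SYD_PA, "ipsec")):
        action, egress, reply = fw.process(reply, ingress)
        hops.append((fw.name, action, egress, reply.src, reply.dst))
        if action != "allow":
            return hops
    return hops


if __name__ == "__main__":
    for hop in trace_ping():
        print("{:7s} {:5s} egress={:5s} {} -> {}".format(*hop))
```

Each tuple in the trace is what the traffic log on that firewall should show for the hop (action, post-NAT destination zone, post-NAT addresses). A source that the NAT and security rules do not name, for example 172.16.4.99, is denied on SYD-PA before it ever reaches the tunnel, which is the kind of mismatch that shows up as a missing log on the far side.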