topic Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs) in Network Security

Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Fri, 21 Feb 2020 16:01:26 GMT

Can someone please help me figure out why I can't ping from my Azure VM to any on-premises devices? I've added exclusions for ICMP in Windows Firewalls on both sides and can successfully ping from on-prem (i.e. 192.168.1.90) to an Azure VM (i.e. 10.0.0.1), but not the other way around. I've also added exclusions in Azure NSGs. All other traffic flows successfully. We are currently utilizing a Cisco ASA 5506-X with Firepower. We could ping in both directions when we were using the older ASA 5505, however the config for the two are a bit different (no VLANs on the 5506, using BVI).

Here is my config (anything marked [removed] I deemed sensitive):

Result of the command: "show run"

: Saved

:
: Serial Number: [removed]
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
domain-name [removed]
enable password [removed]
xlate per-session deny tcp any4 any4
names

!
interface GigabitEthernet1/1
description Comcast
nameif outside
security-level 0
ip address [removed] 255.255.255.248
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
description [Removed] Network
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 8.8.8.8
name-server 8.8.4.4
domain-name [removed]
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 192.168.1.0 255.255.255.0
object network azure
subnet 10.0.0.0 255.255.0.0
object network DHCP_server
host 192.168.1.10
object service tcp44434
service tcp destination eq 44434
description RDP
object network OutsideInterface
host [removed]
object service RDP-Service
service tcp source eq [removed]
object network AzureDC1
host 10.0.0.4
object service ICMPv4
service icmp echo 0
object-group network azure-networks
network-object object azure
object-group network onprem-networks
network-object 192.168.1.0 255.255.255.0
object-group service rdp tcp
port-object eq [removed]
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip host [removed] host [removed]
access-list outside_access_in remark Ping
access-list outside_cryptomap extended permit ip object-group onprem-networks object-group azure-networks
access-list outside_nat extended permit tcp any host [removed] eq [removed]
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object azure
access-list OUTSIDE extended permit icmp any any
access-list inside_6_access_in extended permit ip any any
access-list inside_6_access_in extended permit icmp any any
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside_2
icmp permit any inside_5
icmp permit any inside_6
icmp permit any inside
asdm image disk0:/asdm-782-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside_2,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside_3,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside_4,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside_5,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside_6,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside_7,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_6_access_in in interface inside_6
route outside 0.0.0.0 0.0.0.0 [removed] 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
user-identity ad-agent active-user-database on-demand
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1318
sysopt connection preserve-vpn-flows
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256Azure
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group24
crypto map outside_map1 1 set peer [removed]
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256Azure
crypto map outside_map1 1 set security-association lifetime seconds 3600
crypto map outside_map1 1 set security-association lifetime kilobytes 102400000
crypto map outside_map1 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [removed]
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 24
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev2 enable inside_1
crypto ikev2 enable inside_2
crypto ikev2 enable inside_3
crypto ikev2 enable inside_4
crypto ikev2 enable inside_5
crypto ikev2 enable inside_6
crypto ikev2 enable inside_7
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside_1
crypto ikev1 enable inside_2
crypto ikev1 enable inside_3
crypto ikev1 enable inside_4
crypto ikev1 enable inside_5
crypto ikev1 enable inside_6
crypto ikev1 enable inside_7
crypto ikev1 enable inside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside_1
telnet 192.168.1.0 255.255.255.0 inside_2
telnet 192.168.1.0 255.255.255.0 inside_3
telnet 192.168.1.0 255.255.255.0 inside_4
telnet 192.168.1.0 255.255.255.0 inside_5
telnet 192.168.1.0 255.255.255.0 inside_6
telnet 192.168.1.0 255.255.255.0 inside_7
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside_1
ssh 192.168.1.0 255.255.255.255 inside_2
ssh 192.168.1.0 255.255.255.255 inside_3
ssh 192.168.1.0 255.255.255.255 inside_4
ssh 192.168.1.0 255.255.255.255 inside_5
ssh 192.168.1.0 255.255.255.255 inside_6
ssh 192.168.1.0 255.255.255.255 inside_7
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 75.75.75.75 75.75.76.76
dhcpd domain [removed]
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username [removed]
username [removed]
tunnel-group [removed] type ipsec-l2l
tunnel-group [removed] general-attributes
default-group-policy GroupPolicy1
tunnel-group [removed] ipsec-attributes
ikev2 remote-authentication pre-shared-key [removed]
ikev2 local-authentication pre-shared-key [removed]
no tunnel-group-map enable ou
!
class-map class-default-settings
match default-inspection-traffic
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect icmp
policy-map global-policy
class class-default-settings
inspect icmp
policy-map class-default
class global-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [removed]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:426c1042e5da8735c3d46dba6a161aec
: end

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Ben Walters — Thu, 26 Jul 2018 19:45:26 GMT

Have you tried running a packet-tracer test for icmp traffic from both ingress and egress on the firewall?

Here is the syntax:

packet-tracer input <inside-interface-name> icmp <source-ip> 0 0 <destination-ip>

It should give you a detailed explanation of what happens to the traffic entering and exiting the firewall. If all phases pass then we know the firewall isn't to blame on this issue.

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Sergio Ceron Ramirez — Thu, 26 Jul 2018 20:03:43 GMT

Hi, I see your traffic should go through a VPN tunnel towards the Azure VMs. A packet tracer will let you know if traffic is going encrypted through the tunnel on a phase, but may not let us know if it is dropped by a rule, or something similar.

I would suggest to additionally take some asp captures (capture asp type asp-drop all match host [src-OnPrm-host] host [dst-Azure-host]

This will give us more information on the drop reason for that specific traffic.

Additionally, have there been any other changes apart from the asa5505 to asa5506 that we should be aware of?

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 20:15:06 GMT

Result of the command: "packet-tracer input inside_6 icmp 10.0.0.4 0 0 192.168.1.90"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.90 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_6_access_in in interface inside_6
access-list inside_6_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 883583, packet dispatched to next module

Result:
input-interface: inside_6
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 20:16:54 GMT

No other major changes between the 5505 and 5506 that I'm aware of. It might be pertinent to know that this Site-to-Site VPN is using policy-based traffic selectors (it is route-based VPN but must utilize the policy-based traffic selectors to make it work).

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Ben Walters — Thu, 26 Jul 2018 20:32:06 GMT

When you look at the results you can see the output interface is your inside BVI interface, when it should be the outside interface.

In phase 2 route lookup it is saying the next hop is your 192.168.1.90 address which resides on the inside interface. Your 0.0.0.0 route should use the gate way address that is on your outside Comcast interface for traffic to be routed to the outside of the ASA.

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 20:32:10 GMT

This capture might be more pertinent since we're dealing with a VPN:

Result of the command: "packet-tracer input outside icmp 10.0.0.4 8 0 192.168.1.90"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_1,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface inside_1
Untranslate 192.168.1.90/0 to 192.168.1.90/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_1,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
Additional Information:
Static translate 10.0.0.4/0 to 10.0.0.4/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any4 any4
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside_1
output-status: down
output-line-status: down
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Ben Walters — Thu, 26 Jul 2018 20:39:16 GMT

I just realized that your inside packet tracer had the IP addresses reversed.. so your source was 10.x and dest was 192.x which would be why the routing looked incorrect.

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 20:47:03 GMT

I'm definitely not an expert on this equipment. What change would you suggest I make and could you help me out with the command?

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 20:49:20 GMT

I'm having trouble pinging 192.168.1.90 from 10.0.0.4. Not the other way around. I can ping 10.0.0.4 from 192.168.1.90 all day long. The 10.0.0.4 is an Azure VM. The 192.168.1.90 is my on-prem machine.

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 20:54:24 GMT

Result of the command: "packet-tracer input inside_6 icmp 192.168.1.90 0 0 10.0.0.4"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_6,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.0.4/0 to 10.0.0.4/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_6_access_in in interface inside_6
access-list inside_6_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_6,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
Additional Information:
Static translate 192.168.1.90/0 to 192.168.1.90/0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Static translate 192.168.1.90/0 to 192.168.1.90/0

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 12
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 16
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 17
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 18
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 19
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_6,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
Additional Information:

Phase: 20
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 911015, packet dispatched to next module

Result:
input-interface: inside_6
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

This shows the ping is working from 192.168.1.90 to 10.0.0.4, correct?

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Sergio Ceron Ramirez — Thu, 26 Jul 2018 20:55:50 GMT

At the end of each NAT, please add the following keywords: no-proxy-arp route-lookup

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Sergio Ceron Ramirez — Thu, 26 Jul 2018 20:56:10 GMT

just the static ones towards Azure.

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

mark.bell — Thu, 26 Jul 2018 21:07:05 GMT

Thank you. Can you explain why it worked?

Re: Can't figure out why I can't ping from Azure VM to on-prem network (all other traffic flows and can ping from on-prem to VMs)

Sergio Ceron Ramirez — Fri, 27 Jul 2018 02:43:30 GMT

In your scenario, I think that the no-proxy-arp command made the job, since your routing table is very simple, composed of a default route and directly connected networks. NAT commands override the routing table by default; and the use of 'route-lookup' will look directly into the routing table entries for the best match when using wide open ranges on the mapped objects. In this scenario, one way or the other the traffic will be routed through the proper 'outside' interface.

Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity issues. For example, if you configure a broad identity NAT rule for "any" IP address, then leaving proxy ARP enabled can cause problems for hosts on the network directly-connected to the mapped interface. In this case, when a host on the mapped network wants to communicate with another host on the same network, then the address in the ARP request matches the NAT rule (which matches "any" address). The ASA will then proxy ARP for the address, even though the packet is not actually destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the "source" address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA.

Let me know if this clarifies why it worked.