Hi, my name is Thien.

My case is that I have configuration static NAT on the ASA allowing address 3.0.0.2 (f0/0- R2) to through the ASA (g0/3 4.0.0.254)

object network OUT_REAL
host 3.0.0.2
object network DMZ
host 4.0.0.10
nat (outside,DMZ) source static OUT_REAL DMZ

object network OUT_REAL
host 3.0.0.2
object network INSIDE
host 8.0.0.10
nat (outside,inside) source static OUT_REAL INSIDE

object network DMZ_REAL
host 4.0.0.1
object network OUT
host 3.0.0.10
nat (DMZ,outside) source static DMZ_REAL OUT

object network INSIDE_REAL
host 8.0.0.1
object network OUT
host 3.0.0.10
nat (inside,outside) source static INSIDE_REAL OUT

The problem started when I ping from an address other than 4.0.0.1 (from R4 have ip add 5.0.0.4 or another ip add not from R2).

I solved this problem by NATing at R2 :

ena
conf t
ip nat inside source static 5.0.0.4 3.0.0.2
int f0/0
ip nat outside
int s3/0
ip nat inside                 ---------------------> it's successfully

 I solved this problem by NAT at R2    --- If so, Asa can recognize this address to block it if this address is not on the allowed list access ? Because any address from router R4 has an output of R2 ? How can I help Asa recognize unwanted ip add ?