thanks for the reply, please find attached the config, I have changed the original IP addresses.

Thanks,

If the following is correct: * the rules on the outside interface to allow traffic from any to Fortigate-IP on ICMP,http, https

Then this is the issue.  You need to change this access rule to be towards CD-BFS-NORTH.

Hi,

Thanks for the reply.

that's why I called my enquiry "ASA NATing doesn't seem to work".

when I change the destination in the rule to CD-BFS-NORTH , the traffic denied by ACL.

I have attached packet tracer for the rules when the destination CD-BFS-NORTH and Fortigate-IP.

my understanding that the ASA should first check the NAT before the interface ACL , but that doesn't seem to happen.

Can someone advise ?

Hi,

What version of ASA code are you running?

its 9.1(7)13

Is there a reason you are using twice NAT for this? Also, it is always a good practice to specify which interfaces you are NATing between and do not use the any keyword for interface selection.  I would suggest changing the NAT to something like the following (change the interface names if needed):

nat (INSIDE,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

Hi Marius,

thanks so much for the reply

there is no particular reason to do the twice NAT , I was just trying everything to make it  work.

the command line you have suggested is already there:

(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

Regards,

Could you post a full running configuration for your ASA (remember to remove any public IPs, usernames and passwords).

Hi Marius,

thanks for you help so far

this firewall is old one and the configuration file is very big, hiding all the secure info will take long time, I am more than happy to share the config partially, like show run interface , show run nat ..etc.

Regards

Without seeing more config it's hard to 100% diagnose but it just looks like you have your NAT commands around the wrong way, because you're stating outside>any and not the other way around. I would suggest removing the twice NAT and just adding a rule for this server such as the one you've already mentioned, assuming that the Fortigate is behind the EVL_VPN interface.

(EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

Run packet-tracer again and see if this NAT rule is hit. If you want to try it another way try changing your other rule around:

42 (OUTSIDE) to (<ZONE THAT CONTAINS FORTIGATE>) source static any any destination static CD-BFS-NORTH Fortigate-IP no-proxy-arp

Could you please provide the output of the following commands:

show run nat | include CD-BFS-NORTH

show run access-list | include CD-BFS-NORTH  !(If you are using IPs instead of objects replace with IP)

Also, provide a brief description / diagram of your network and where the IPs are located that you are trying to NAT.

Hi Both,

I have deleted the double Nating , and added CD-BFS-NORTH instead of Fortigate-IP in the rules, the firewall is denying the traffic.

please find attached the commands output and a little diagram

Thanks for your efforts to help 

You still have twice NAT configured...unless this is the one you have removed.

nat (OUTSIDE,any) source static any any destination static Fortigate-IP CD-BFS-NORTH object network CD-BFS-NORTHW

I suggest removing this and replacing it with the command I provided earlier.

nat (EPL_VPN,OUTSIDE) source static CD-BFS-NORTH Fortigate-IP

It is a better practice to NAT from the inside to the outside unless there is a very specific reason for you to NAT from the outside.