12-13-2010 11:07 AM - edited 03-11-2019 12:21 PM
Hello,
I post this message because I encounter a problem with my Cisco ASA.
Quick Schema:
Plan:
The network 10.0.2.0 must have access to:
- Internet via the interface 10.0.1.1
- Client network 10.0.3.0 via a Citrix connection
Internet access:
- NAT rule:
global (outside) 1 interface
nat (inside) 1 10.0.2.0 255.255.255.0
- Default route:
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
Network Access Client:
- Added the way to the client network that has no IP interface on the FW:
route inside 10.0.3.0 255.255.255.0 10.0.2.1 1
- Order same-security-traffic permit intra-interface to enter and exit from the same interface.
- Adding a NAT Exempt to join the client:
access-list IN_NAT_0 extended permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0
I'm not sure that this rule is necessary ...
Result:
From the LAN 10.0.2.0, I can reach the Internet with the NAT rule, but I can't connect to the client network 10.0.3.0.
For info:
- NAT for the client network is managed by the client router.
- When I add the route 10.0.3.0 255.255.255.0 10.0.2.1 directly on the client PC, it doesn't pass through the firewall and it works.
So, there is a problem with my FW config.
Logs:
Errors: portmap translation creation failed for udp src inside:10.0.2.10/X dst inside:10.0.3.X/X
I don't understand the link with my problem...
Config ASA:
I reset the config and I have no other config on the FW.
Questions?
Should I add specific commands to access a network that is not directly connected to the FW from a network that is?
Normally, with the command same-security-traffic permit intra-interface, you can enter and exit through the same interface...
Thank you in advance for your help and sorry for my poor English!
12-20-2010 09:43 AM
Hey glad to know that. Please mark this as answered if all is done.
Cheers,
Prapanch