09-24-2015 04:00 PM - edited 03-11-2019 11:38 PM
I have two firewalls and a host I am trying to ping from one firewall through the other (both ASAs). I can't ping the host when using policy nat.
A simple topology looks like this
ASA1-----172.25.91.160 /27------ASA2--------host 172.25.92.73
The interfaces on the 172.25.91.160 /27 network are called "SOS". The interface where the host 172.25.92.73 resides is called "ASA-TRANS"
icmp is allowed on the firewall interfaces like so.
icmp permit any SOS
icmp permit any echo-reply SOS
I set up objects and then a policy NAT on ASA2 like so
nat (ASA-TRANS,SOS) source static obj-172.25.92.73 obj-172.25.91.172 destination static obj-172.25.91.161 obj-172.25.91.161 no-proxy-arp
so the internal host appears as if it is on the 172.25.91.160 /27 network.
I then created an ACL on the SOS interface allowing icmp echo/echo-reply on the SOS interface from anywhere.
Both SOS interfaces are set to security level 50
When I try to ping from ASA1, the firewall never even attempts to contact 172.25.91.172. It immediately bombs out with no log message. Just question marks.
When I ping from the internal host 172.25.92.73 to ASA1 at 172.25.91.161, I see the icmp echo packets hit the SOS interface, but nothing is going back. Again, the firewall won't respond to the host, even though icmp is enabled on the interface. I even put a permissive ACL on the firewall interface allowing everything, but no reply.
If I go into ASDM and do a packet trace, it tells me the packet should be allowed without any issues. If I configure other hosts using traditional NAT (not policy), I have a problem pinging through ASA2.
Is there something wrong with this policy nat? Some reason firewall ASA1 can't see the host?
09-24-2015 05:12 PM
Try removing the "no proxy-arp" from your NAT statement.
Because the internal host is presented on the same subnet as is being used between the firewalls, ASA1 will send an ARP for the 172.25.91.172 IP address, and you are relying on ASA2 to respond to that ARP.
If you were using a different IP subnet to present internal devices, i.e. not the one used between the ASAs, then you would simply have a route on ASA1 for that IP subnet pointing to the outside interface of ASA2, and then you could use "no-proxy-arp" in your NAT statement because ASA1 would not be sending an ARP for that IP address; it would simply route the traffic to ASA2.
Jon
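Added example, not configuration from the thread: the two designs Jon describes, written out as ASA (8.3+ object NAT syntax) configuration. The object names and the 172.25.91.x addresses are the ones from the question; the ASA2 SOS interface address and the alternate mapped subnet are placeholders, and the object definitions are assumed since the poster did not show them.

```text
! --- Objects (assumed to match the names in the question) ---
object network obj-172.25.92.73
 host 172.25.92.73
object network obj-172.25.91.172
 host 172.25.91.172
object network obj-172.25.91.161
 host 172.25.91.161

! --- Design 1: mapped address lives INSIDE the transit subnet 172.25.91.160/27 ---
! ASA1 is directly connected to that subnet, so it will ARP for 172.25.91.172.
! ASA2 must answer that ARP on SOS, so proxy ARP has to stay enabled:
! drop "no-proxy-arp" from the poster's statement.
nat (ASA-TRANS,SOS) source static obj-172.25.92.73 obj-172.25.91.172 destination static obj-172.25.91.161 obj-172.25.91.161

! --- Design 2: mapped address lives in a SEPARATE subnet (placeholder 172.25.93.0/24) ---
! ASA1 no longer ARPs for it; it routes the traffic to ASA2's SOS address instead,
! so "no-proxy-arp" is fine here.
object network obj-mapped-172.25.93.73
 host 172.25.93.73
nat (ASA-TRANS,SOS) source static obj-172.25.92.73 obj-mapped-172.25.93.73 destination static obj-172.25.91.161 obj-172.25.91.161 no-proxy-arp

! On ASA1 (ASA2_SOS_IP is a placeholder for ASA2's address on the SOS segment):
route SOS 172.25.93.0 255.255.255.0 ASA2_SOS_IP

! --- Checks on ASA2 after applying either design ---
! Confirm the translation is in place and count hits:
show nat detail
! Design 1 only: ASA1's "show arp" should now list 172.25.91.172 with ASA2's SOS MAC.
! Walk an echo request from ASA1 toward the mapped address through the NAT and ACL:
packet-tracer input SOS icmp 172.25.91.161 8 0 172.25.91.172
```

packet-tracer reports ALLOW in both the broken and the fixed case (it evaluates policy, not ARP), which is why the poster's ASDM trace looked clean; "show arp" on ASA1 is the check that distinguishes the two.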
09-24-2015 05:43 PM
That was it, Jon:
thanks! You saved me a huge amount of headache. I was banging away at this in a totally different direction (looking at the IPS, etc.)