I am having some trouble getting l2nat working exactly the way I would expect on the IE4010.  From outside to inside, translation doesn't seem to happen for the source IP, only the destination.  I can get it working with proxy-arp on the public router and "allow all" on the l2nat config.  But I don't think that should be needed if translations is working. 

I am using gigabit 1/1 for the NAT.  Trying to reach 192.168.170.101 from 10.10.51.254. Here is the config:

l2nat instance Skid
instance-id 5
fixup all
outside from host 10.10.51.254 to 192.168.170.53
inside from host 192.168.170.101 to 10.10.62.18

interface GigabitEthernet1/1
description link-to-public
switchport trunk allowed vlan 163
switchport trunk native vlan 1
switchport mode trunk
l2nat Partswash Skid 163

interface GigabitEthernet1/12
description link-to-skid
switchport mode access
switchport access vlan 163

I cannot get it working without "permit all" which I wouldn't think I would need if translation is working.  I also need proxy-arp on the public router vlan 163 interface for it to work.

I saw this in the l2nat configuration guide and I was wondering if it is related?

https://www.cisco.com/c/en/us/td/docs/switches/lan/industrial/software/configuration/guide/b_l2_nat_ie.html

"On IE4010 and IE5000 platforms, when you configure an L2NAT instance on the downlink ports (Gig 1/1 – Gig 1/24), you must configure the “inside” and “outside” IP addresses in the corresponding translation maps in reverse order compared to a translation map on uplink ports (Gig1/25, 28 or TenGig 1/1 – 1/4)."

Anyone know what that means?