Source NAT only to one Destination

gaigl
Level 3

Hello,

A question about NAT:

We've got an ASA5506 at a partner site and need to NAT the address of the internal interface (172.30.2.4) to the address 172.21.1.1 ONLY when the traffic destination is 192.168.220.128/25.

Now I've got a NAT rule for one destination in 192.168.220.128/25 that looks like this:

nat (any,any) source static 172.30.2.4 172.21.1.1 destination static 192.168.220.133 192.168.220.133

(object names replaced with IP addresses)

This works only in one direction (from HQ to Branch) but not from Branch to HQ.

Could anyone help me please?

Thanks in advance

Karl

6 Replies

JP Miranda Z
Cisco Employee

Hi Karl,

The first thing I would try here is to specify the interfaces on the NAT:

nat (HQ,Branch) source static 172.30.2.4 172.21.1.1 destination static 192.168.220.133 192.168.220.133 no-proxy-arp

Keep in mind that this type of NAT works bidirectionally.

Hope this info helps!!

Rate if it helps you!!

-JP-

Hello JP,

Thanks for your answer, but this doesn't work. I've tried every thinkable combination of interfaces.

Again:

From HQ (ASA5510) to BRANCH (ASA5506) everything works.

From BRANCH to HQ the traffic from the BRANCH LAN (dynamic NAT) works too.

From the management interface (inside) of BRANCH to HQ it doesn't work (needed for NTP and syslog).

From network object 172.21.1.1 to HQ it works.

Here's a "sh nat detail":

"

Manual NAT Policies (Section 1)
1 (any) to (any) source static INSIDE-IP BDHeim_MGMT destination static NAT_BVK NAT_BVK no-proxy-arp
translate_hits = 0, untranslate_hits = 335
Source - Origin: 172.30.2.4/32, Translated: 172.21.1.1/32
Destination - Origin: 192.168.220.128/25, Translated: 192.168.220.128/25

Auto NAT Policies (Section 2)
1 (any) to (any) source static BD_PRINTER PRINTER_NAT_IP
translate_hits = 0, untranslate_hits = 114
Source - Origin: 172.28.73.34/32, Translated: 172.21.1.20/32
2 (any) to (any) source dynamic BD_LAN Client_HIDE_IP
translate_hits = 37887, untranslate_hits = 0
Source - Origin: 172.28.0.0/16, Translated: 172.21.1.10/32"

I attach the "relevant" config of the BRANCH-ASA, maybe someone has a clue

Karl Gaigl,

I don't see the changes in the config; I still see any any on the NAT, which is not a best practice. Can you change the any any to the source interface and destination interface of the NAT (Branch,HQ)?

After that, can you run a packet tracer on the Branch ASA:

packet-tracer input Branch icmp 172.30.2.4 8 0 192.168.220.129 detail

Also I can see you are doing a NAT of 172.20.2.4 to 172.28.73.34. Is that right?

Can you also share the ACL applied to the crypto map as interesting traffic, and a show crypto ipsec sa peer <ip> on the Branch ASA?

Hope this info helps!!

Rate if it helps you!!

-JP-

Sorry, had some days off:

1. If I restrict the NAT rule to (inside,outside), the traffic from HQ to Branch doesn't work anymore.

2. 

bduerkheim# packet-tracer input inside tcp 172.30.2.4 1111 192.168.220.133 123$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,any) source static 172.30.2.4 172.21.1.1 destination static 192.168.220.128 192.168.220.128 no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.220.133/123 to 192.168.220.129/123

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f063762d120, priority=501, domain=permit, deny=true
hits=128, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.30.2.4, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop

Edit: I'm wondering about Phase 2: shouldn't there be "NAT"?

3. Again: I've got 2 more NAT rules:

object network 172.28.0.0/16
 nat (any,any) dynamic 172.21.1.10
object network 172.28.73.34
 nat (any,any) static 172.21.1.20

They are working properly, and SSH from 192.168.220.133 to 172.21.1.1 also works.

Other question:

Could it be that the ASA doesn't NAT traffic originated by itself, or by one of its interfaces?

Is there a way to create some kind of "virtual" management interface?

OK, I've made a sub-interface on the inside interface with the IP of the NAT object.

So the problem was that the ASA doesn't translate traffic originated by itself.