Endpoint communication is not possible via VPN tunnel.

horii_g
Level 1

Hello.
I have built NAT and a VPN tunnel on an ASA5506.
I am having trouble getting a ping through after NAT.

If I do not do NAT and only IPsec, the ping will pass.
If I do NAT -> IPsec, it does not pass.
I used the NAT Traversal function, but ICMP packets do not pass.
Is it not possible to use an any/any IP specification in the ACL?

The configuration is as follows.
PC1 -> L2SW -> ASA -> L3SW -> PC2
_____________________
■PC1
IP: 10.223.2.95
NAT:10.120.66.201

 

■PC2
IP:192.168.10.67
NAT:10.223.14.1

 

■ASA5506

IP address
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.223.25.57 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.223.2.93 255.255.255.128
!
NAT
object network INSIDE
host 10.223.2.95
nat (inside,outside) static 10.120.66.201
!
object network OUTSIDE
host 192.168.10.67
nat (outside,inside) static 10.223.14.1
!
ACL
access-list outside_cryptomap extended permit ip object NAT_10.120.66.201 object HOST_192.168.10.67
access-list outside_in extended permit ip any any log warnings
access-list inside_in extended permit ip any any log warnings
!
Crypto
crypto isakmp nat-traversal 20
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
tunnel-group 10.173.107.65 type ipsec-l2l
tunnel-group 10.173.107.65 ipsec-attributes
ikev1 pre-shared-key *****
!

# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 10.173.107.65
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.223.25.57

access-list outside_cryptomap extended permit ip host 10.120.66.201 host 192.168.10.67
local ident (addr/mask/prot/port): (10.120.66.201/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.67/255.255.255.255/0/0)
current_peer: 10.173.107.65


#pkts encaps: 643, #pkts encrypt: 643, #pkts digest: 643
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 643, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.223.25.57/0, remote crypto endpt.: 10.173.107.65/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 24C76829
current inbound spi : 5FCF4770

inbound esp sas:
spi: 0x5FCF4770 (1607419760)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 169730048, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/26846)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x24C76829 (617048105)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 169730048, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373949/26846)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:

 

■L3SW cisco3560
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key **** address 10.223.25.57
crypto isakmp nat keepalive 20
crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 10.223.25.57
set security-association lifetime seconds 28800
set transform-set ASA-IPSEC
match address 100
!
interface GigabitEthernet1/0/1
switchport access vlan 10
!
interface Vlan10
ip address 10.173.107.65 255.255.255.0
ip nat outside
crypto map VPN
!
interface Vlan30
description watari
ip address 192.168.10.254 255.255.255.0
ip nat inside
!
ip nat inside source list 110 interface Vlan10 overload
!
access-list 100 permit ip host 192.168.10.67 host 10.120.66.201
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit ip host 192.168.10.67 host 10.120.66.201
access-list 110 permit ip host 192.168.10.67 any
!
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.173.107.65 10.223.25.57 QM_IDLE 1049 ACTIVE
interface: Vlan10
Crypto map tag: VPN, local addr 10.173.107.65

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.67/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.120.66.201/255.255.255.255/0/0)
current_peer 10.223.25.57 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3319, #pkts decrypt: 3319, #pkts verify: 3319
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.173.107.65, remote crypto endpt.: 10.223.25.57
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
current outbound spi: 0x5FCF4770(1607419760)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x24C76829(617048105)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 37, flow_id: 37, sibling_flags 80000040, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4354327/26911)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x5FCF4770(1607419760)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 38, flow_id: 38, sibling_flags 80000040, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4354419/26911)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
_______________________________________________________________________________
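To make the symptoms in the two "show crypto ipsec sa" outputs above easier to read, here is an added troubleshooting script; it is not part of the post or of any Cisco tool. It takes the proxy identities, the encaps/decaps counters and the 3560's ACL 100/110 lines as posted (constructed excerpts, trimmed to the lines the checks need) and reports three things: whether the two peers' proxy IDs mirror each other, where the counters show traffic flowing in only one direction, and whether the IOS NAT ACL permits the VPN flow before the crypto map sees it. The last check relies on the IOS order of operations for inside-to-outside traffic (NAT translation happens before the crypto map is consulted), and the ACL parser only understands "host" and "any" address forms, which is all the posted config uses.

```python
import re

# Constructed excerpts of the `show crypto ipsec sa` output posted in the thread.
ASA_SA = """
local ident (addr/mask/prot/port): (10.120.66.201/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.67/255.255.255.255/0/0)
#pkts encaps: 643, #pkts encrypt: 643, #pkts digest: 643
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
IOS_SA = """
local ident (addr/mask/prot/port): (192.168.10.67/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.120.66.201/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3319, #pkts decrypt: 3319, #pkts verify: 3319
"""
# The 3560's crypto ACL (100) and NAT ACL (110), as posted.
IOS_ACLS = """
access-list 100 permit ip host 192.168.10.67 host 10.120.66.201
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit ip host 192.168.10.67 host 10.120.66.201
access-list 110 permit ip host 192.168.10.67 any
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# Only `host X` and `any` address forms are parsed (enough for the posted config).
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (host \S+|any) (host \S+|any)")


def parse_sa(text):
    """Return {'local': (addr, mask), 'remote': (addr, mask), 'encaps': n, 'decaps': n}."""
    sa = {}
    for m in IDENT_RE.finditer(text):
        sa[m.group(1)] = (m.group(2), m.group(3))
    for m in COUNTER_RE.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    return sa


def proxy_ids_mirror(a, b):
    """Both peers must describe the same flow seen from opposite ends."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]


def counter_findings(name_a, a, name_b, b):
    """Encaps without decaps on one side means the return path never enters the tunnel."""
    findings = []
    for (n1, s1), (n2, s2) in (((name_a, a), (name_b, b)), ((name_b, b), (name_a, a))):
        if s1["encaps"] > 0 and s1["decaps"] == 0:
            findings.append(f"{n1} encrypts but never decrypts: {n2} is not sending the return traffic through the tunnel")
        if s1["encaps"] > 0 and s2["decaps"] == 0:
            findings.append(f"{n2} decrypts nothing although {n1} encapsulates: check the path between the peers")
    return findings


def parse_acl(text, number):
    """Return [(action, proto, src, dst)] for one numbered ACL, in configured order."""
    entries = []
    for m in ACL_RE.finditer(text):
        if m.group(1) == number:
            entries.append((m.group(2), m.group(3), m.group(4).split()[-1], m.group(5).split()[-1]))
    return entries


def covers(entry, src, dst):
    _, proto, esrc, edst = entry
    return proto == "ip" and esrc in ("any", src) and edst in ("any", dst)


def nat_before_crypto_findings(nat_acl, crypto_acl):
    """On IOS, inside-to-outside traffic is translated before the crypto map is checked,
    so a NAT ACL that permits the VPN flow rewrites its source and the packet no longer
    matches the crypto ACL. The first NAT entry covering the flow must be a deny."""
    findings = []
    for _, _, src, dst in crypto_acl:
        first = next((e for e in nat_acl if covers(e, src, dst)), None)
        if first is not None and first[0] == "permit":
            findings.append(f"VPN flow {src}->{dst} is translated by NAT entry '{' '.join(first)}' "
                            "before encryption; a deny for this flow is needed ahead of that line")
    return findings


def run_checks():
    asa, ios = parse_sa(ASA_SA), parse_sa(IOS_SA)
    return {
        "proxy_ids_mirror": proxy_ids_mirror(asa, ios),
        "counter_findings": counter_findings("ASA", asa, "3560", ios),
        "nat_findings": nat_before_crypto_findings(parse_acl(IOS_ACLS, "110"), parse_acl(IOS_ACLS, "100")),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Run against the posted figures it reports that the proxy IDs do mirror, that the ASA encapsulates 643 packets but decapsulates none while the 3560 decapsulates 3319 and encapsulates none, and that ACL 110's third line permits the 192.168.10.67 to 10.120.66.201 flow, so PC2's replies are translated to the Vlan10 address before the crypto map can match them.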

 

3 Replies

Can you fully translate it to English?

But from my view, why did you configure nat (out,in)?

Thanks for the response.
I translated it into English.

>>But from my view, why did you configure nat (out,in)?

Because the source also has a NAT IP.
