Policy Nat Asa 5520 ver 8.0(4)

ifabrizio
Level 1

Dear All,

I have configured my two ASA 5520s with failover Active/Active and multiple context mode.

All works fine except for the policy NAT, which I have configured in this way:

access-list FRTEND2_TO_SHARED extended permit tcp host 192.168.233.69 any
static (front_end_d,outside) 50.70.60.19 access-list FRTEND2_TO_SHARED

I tested the policy nat:

packet-tracer input front_end_d tcp 192.168.233.69 25 50.70.60.13 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 50.70.60.0 255.255.255.192 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (front_end_d,outside) 50.70.60.19 access-list FRTEND2_TO_SHARED
nat-control
match tcp front_end_d host 192.168.233.69 outside any
static translation to 50.70.60.19/0
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (front_end_d) 0 0.0.0.0 0.0.0.0
nat-control
match ip front_end_d any outside any
no translation group, implicit deny
policy_hits = 4
Additional Information:

Result:
input-interface: front_end_d
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Why does phase 7 fail? If I use a static NAT without policy NAT it works fine.

Thanks and Regards,

Igor.
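The trace quoted above, read programmatically. This is an added example, not Cisco tooling and not code from the post: it parses packet-tracer output into phases and reports the first DROP phase together with the rule lines and hit counters that phase printed, which is what you compare before and after changing the policy-NAT ACL. The embedded sample is abridged from Igor's trace (phases 6 and 7 and the final Result block); the only assumption is the "Phase: / Type: / Config: / Additional Information:" layout shown there.

```python
"""Reader for Cisco ASA ``packet-tracer`` output.  Added example, not Cisco
tooling: it assumes only the text layout shown in the post above and reports
which phase dropped the packet and which rule lines that phase printed."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)    # lines under "Config:"
    info: list = field(default_factory=list)      # lines under "Additional Information:"
    counters: dict = field(default_factory=dict)  # translate_hits, policy_hits, ...


_COUNTER = re.compile(r"(\w+_hits)\s*=\s*(\d+)")


def parse_packet_tracer(text):
    """Return (phases, summary); summary is the trailing 'Result:' block."""
    phases, summary, current, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":               # bare "Result:" opens the summary
            in_summary, current = True, None
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is None:
            continue                          # text before the first phase
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        else:
            for name, val in _COUNTER.findall(line):
                current.counters[name] = int(val)
            (current.config if section == "config" else current.info).append(line)
    return phases, summary


def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed."""
    return next((p for p in phases if p.result == "DROP"), None)


def explain(text):
    """One-line diagnosis: dropping phase, ASA drop reason and the rule lines
    that phase printed (hit-counter lines stripped)."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "allowed; action=%s" % summary.get("Action")
    rules = [c for c in drop.config if not _COUNTER.search(c)]
    return "dropped in phase %d (%s): %s; rules: %s" % (
        drop.number, drop.type, summary.get("Drop-reason", "?"), "; ".join(rules))


# Abridged from the trace in the post above (phases 6 and 7 and the Result block).
SAMPLE_TRACE = """\
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (front_end_d,outside) 50.70.60.19 access-list FRTEND2_TO_SHARED
nat-control
match tcp front_end_d host 192.168.233.69 outside any
static translation to 50.70.60.19/0
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (front_end_d) 0 0.0.0.0 0.0.0.0
nat-control
match ip front_end_d any outside any
no translation group, implicit deny
policy_hits = 4
Additional Information:

Result:
input-interface: front_end_d
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
```

On the full trace this reports phase 7 (NAT) as the dropping phase with the "nat (front_end_d) 0 0.0.0.0 0.0.0.0" catch-all and its "no translation group, implicit deny" line, while the phase 6 static policy rule is kept with its translate_hits counter; re-running the same packet-tracer after the ACL change and diffing these two phases is the quickest way to confirm the fix took effect.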

Accepted Solution

BrinksArgentina
Level 1

Can you try:

access-list FRTEND2_TO_SHARED extended permit ip host 192.168.233.69 any


If it was useful to you, please rate. Thanks!

