Following is the output from packet tracer

ciscoasa# packet-tracer input inside tcp 192.168.3.22 1234 4.2.2.2 80 detail

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb12af48, priority=1, domain=permit, deny=false

        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.3.0     255.255.255.0   inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb202db8, priority=13, domain=permit, deny=false

        hits=0, user_data=0xc9234ab0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source dynamic Generic_All_Network interface

Additional Information:

Dynamic translate 192.168.3.22/1234 to 192.168.100.2/1234

Forward Flow based lookup yields rule:

in  id=0xcb1fcee0, priority=6, domain=nat, deny=false

        hits=0, user_data=0xcb1fc080, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc7669ae8, priority=1, domain=nat-per-session, deny=false

        hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true

        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 8

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1e86f8, priority=0, domain=host-limit, deny=false

        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 9

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source dynamic Generic_All_Network interface

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcb1fd6f0, priority=6, domain=nat-reverse, deny=false

        hits=1, user_data=0xcb1fc138, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 10

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xc7669ae8, priority=1, domain=nat-per-session, deny=false

        hits=2, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xcb1e3f10, priority=0, domain=inspect-ip-options, deny=true

        hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Well, the packet is allowed through the ASA, which leads me to believe this is a routing issue on the router...or more acurately, this is a NAT issue on the ASA.  Really depends on how you want to look at it.

Why are you NATing on the ASA when you have a router between the ASA and the internet?

I suspect that the router has an incorrect route with regards the inside network being NATed.  If the router is managed by you, then I suggest removing all NAT configuration on the ASA and perform NAT on the router.

--
Please remember to rate and select a correct answer

If packet is allowed through ASA then how is it NAT issue?

Please see below trace for icmp its dropped.

ciscoasa(config)# packet-tracer input inside icmp 192.168.3.22 12 34 4.2.2.2 d$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.3.0     255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb202db8, priority=13, domain=permit, deny=false

        hits=2, user_data=0xc9234ab0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

object network inside_hosts

nat (inside,outside) dynamic interface

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb200698, priority=6, domain=nat, deny=false

        hits=1, user_data=0xcb1fc1f0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true

        hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true

        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb7774d0, priority=70, domain=inspect-icmp, deny=false

        hits=1, user_data=0xcb7769f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1ba5e8, priority=66, domain=inspect-icmp-error, deny=false

        hits=1, user_data=0xcb1b9bf8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1e86f8, priority=0, domain=host-limit, deny=false

        hits=3, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Does 192.168.3.0/24 requires any route in the Router because it will be NAT with outside interface. first

ASA required to create an IPSEC tunnel, but first need to resolve NAT issue.

Message was edited by: Rizwan Siddiqi

problem is in this phase

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true

        hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true

        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any

could you post the output of the command please:

show service-policy inspect ip-options

--
Please remember to rate and select a correct answer

Also check your logs when you ping the router.  This could give some helpful pointers as to what is dropping the packet.

--
Please remember to rate and select a correct answer

Fiber is terminating at router.

ciscoasa(config)# show service-policy inspect ip-options

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0, v6-fail-close 0

        Router Alert:  allow 0, clear 0

I ping from inside interface and get following output

ciscoasa(config)# ping

TCP Ping [n]:

Target IP address: 192.168.100.1

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:

%ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.3.1/0 to inside:192.168.100.1/0

?????

Success rate is 0 percent (0/5)

ciscoasa(config)# %ASA-5-111008: User 'enable_15' executed the 'ping' command.

%ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'ping'

ciscoasa(config)#

Do you have any idea about nat-per-session for icmp because for it deny = true see below output

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcab4fd00, priority=0, domain=nat-per-session, deny=true

        hits=0, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb1baae8, priority=0, domain=inspect-ip-options, deny=true

        hits=3, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=inside, output_ifc=any