My interpretation for your syslog message seeing the source X.X.31.10 and destination it seems as icmp is comming perhaps from another router from the INSIDE of the ASA? can you provide info on your topology with regards to these two networks to help you better if there is a problem with communication between these two nets, but seems that source x.x.31.10 is from different source/network behind asa traversing the same INSIDE interface not directly connected to INSIDE, by which in this case if ou expect this hosts network x.x.31.0 to communicate with x.x.0.2 hots/network you will need to configure couple of nat exempt rules in addition to same security trafic intra interface command statemens.
Thanks for the reply. The 31.0 is an internal network and the 0.2 is and a remote site where the VPN terminates on the inside on a different router. The ICMP traffic is NMS related, but the 0.2 subnet does not exist. Is that why the portmap translation has failed?
This means there is no translation defined in the asa for this traffic between the two hosts going through asa INSIDE interface.
if you are terminating an Ipsec tunnel somewhere in your inside interface by another device as you indicated and want the far end of the tunnel talk to hosts on your ASA inside 31.0 traversing INSIDE interface sort of like a U-turn for the traffic you would need to allow that traffic in asa through nonat exempt rule.
this would be an example:
access-list nonat_traffic extended permit ip X.X.0.0 X.X.31.0
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :