Regarding ICMP alone you have not configured ICMP inspection though it seems that you have attached the same ACL to each interface (which should enable ICMP Echo reply without inspections). I would suggest making the "outside" interface its own ACL.
You could enable ICMP Inspections. I dont know why they are not enabled by default
inspect icmp error
If you want to try another type of Dynamic PAT configuration you could use
Is the IP address used in the PAT some other IP address than the "outside" interface IP address? It seems so though my above example uses the "outside" interface IP address using the parameter "interface".
In some cases the issue is caused because you are replacing a device for the firewall and the ARP table at the ISP points to the previous MAC address of the previous hardware device. ASA for PAT or NAT unless it is the interface IP address does proxy ARP for its translations.
Example of proxy ARP:
Proxy ARP (Address Resolution Protocol) is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network. The ARP Proxy is aware of the location of the traffic's destination, and offers its own MAC address in reply, effectively saying, "send it to me, and I'll get it to where it needs to go." Serving as an ARP Proxy for another host effectively directs LAN traffic to the Proxy. The "captured" traffic is then typically routed by the Proxy to the intended destination via another interface.
Put if the table on the ISP router already has an ARP entry it will not query for that address, meaning it will never route to the ASA unless it clears its ARP table and needs to ask again for that address.
and it worked! What is this part of the command actually doing - after-auto source dynamic ? Also at the end of the command there is the interface word. How does this know to use the Outside interface?
I guess the problem must have been with the public IP address used.
The above configuration I suggested simply condenced the same Dynamic PAT you had (except for the public IP address used perhaps, since we dont see the actual IP addresses used) to only one "nat" command.
The parameter "after-auto" simply means that this NAT configurations is supposed to be After Auto NAT configuration (also called Network Object NAT). This would make the NAT rule Section 3 while Auto NAT is Section 2. Without the "after-auto" parameter the rule would be Section 1. The reason for me to suggest that is simply because I tend to do normal Dynamic PAT configurations on lowest priority on the ASA which would be Section 3.
The "source dynamic" simply refers that we are configuring source parameters for the NAT and its a Dynamic type of NAT.
It knows to use the "outside" interface because its the destination target/destination interface for the "nat" configuration. If we reversed the interfaces in the beginning of the command (which wouldnt make sense but for examples sake) then the NAT would use the "inside" interface IP address.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :