Default route has been set i.e. route outside 0.0.0.0 0.0.0.0 ISP-Router-IP
Inside interface is 192.168.1.254
All internet access for local subnet i.e. inside interface works 100% however regional offices are unable to access the internet. This will be due to a separate MPLS WAN router (192.168.1.253) which interconnects all our regional offices.
So I created static routes for each regional office on the ASA pointing back to the MPLS router.
Within the ASA I can ping regional offices with no issues but from a workstation (default gateway is ASA & not MPLS router) on the same subnet as the ASA I get request timed out.
When it comes to routing, ASA/PIX is not as smart as a router. The route statement is meant to facilitate traffic flowing/passing THROUGH the firewall. It does not have the ability to do traffic 'redirection'.
This explains why your workstation is getting 'Request timed out' (RTO) when you ping your regional offices, as your workstation uses the ASA as its default gateway. When ICMP traffic destined for the regional offices hits the ASA, the ASA can't redirect/send it back to your MPLS router. Hence, it will not process it and generates the "Deny inbound icmp src inside:192.168.1.1 dst inside:192.168.2.1 (type8, code 0)" log.
Normally, in your case, you need to have another router/L3 device in between to handle routing of traffic meant for the internet and the internal network. This router, for example, will be used as the default gateway for all internal workstations.
In the router, set default route (all 0) to the ASA, and have a specific route (or dynamic routing) to your regional offices pointing to the MPLS router.
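The forwarding decision described in the answer above, as an added example that is not part of the original thread: a small Python model of the ASA dropping a packet whose route leads back out of the interface it arrived on, next to a router that forwards on the route alone. The regional subnet 192.168.2.0/24 (inferred from the log line), the interface name `lan`, and the test address 203.0.113.10 are assumptions; `ISP-Router-IP` is the thread's own placeholder.

```python
import ipaddress

# Constructed routing tables built from the addresses in the thread.
# 192.168.2.0/24 as a regional-office subnet is an assumption.
ASA_ROUTES = [
    ("0.0.0.0/0", "outside", "ISP-Router-IP"),
    ("192.168.1.0/24", "inside", "connected"),
    ("192.168.2.0/24", "inside", "192.168.1.253"),  # static route to MPLS router
]
ROUTER_ROUTES = [
    ("0.0.0.0/0", "lan", "192.168.1.254"),       # default route to the ASA
    ("192.168.1.0/24", "lan", "connected"),
    ("192.168.2.0/24", "lan", "192.168.1.253"),  # regional office via MPLS
]

def lookup(routes, dst):
    """Longest-prefix match; returns (egress_interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface, nh) for p, iface, nh in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, iface, nh = max(matches, key=lambda m: m[0].prefixlen)
    return iface, nh

def asa_forward(ingress, dst):
    """Firewall behaviour as described in the answer: a packet whose route
    points back out of its ingress interface is denied, not redirected."""
    hit = lookup(ASA_ROUTES, dst)
    if hit is None:
        return "drop: no route"
    egress, nh = hit
    if egress == ingress:
        return f"deny: src {ingress} dst {egress} (would hairpin via {nh})"
    return f"forward: {ingress} -> {egress} via {nh}"

def router_forward(dst):
    """A router forwards on the route alone, even out of the ingress interface."""
    hit = lookup(ROUTER_ROUTES, dst)
    if hit is None:
        return "drop: no route"
    return f"forward via {hit[1]}"

if __name__ == "__main__":
    print(asa_forward("inside", "192.168.2.1"))    # workstation -> regional office
    print(asa_forward("inside", "203.0.113.10"))   # workstation -> internet
    print(router_forward("192.168.2.1"))
    print(router_forward("203.0.113.10"))
```

The first call reproduces the `src inside ... dst inside` pattern from the log: the static route is correct, but ingress and egress are the same interface.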