4410 Views, 0 Helpful, 22 Replies

VPN Routing Problem

dfvelasco
Level 1

Hello,

We need to connect from an external computer, connected by cisco-vpn-client, to one internal server that is behind an ASA 5505 configured with Easy VPN. The VPN connection from the client to our 5520 firewall is fine, but when I try to connect to the server on the LAN, the FW log says:

Routing failed to locate next hop for TCP from Internet:172.17.1.215/1108 to Lan_Interna:172.33.0.50/3389

Attached image.

Can you help me?

Regards

David

22 Replies

Change the ACL to std on REMOTE_ITLISBOA profile

On the ASA 5520 (main FW), if I run show cry ipsec sa peer 172.17.1.218 (that is the IP assigned to the remote computer connected by the cisco-vpn-client profile REMOTE_ITLISBOA) the output is:

There are no ipsec sas for peer 172.17.1.218

The same happens if I run the command from the FW for 172.33.0.254 (local IP of ASA 5505 REMOTE_LISBOA).

Regards

No, it should be the peer address (VPN termination address/public IP), not the local address.

ASA 5520 logging:

Routing failed to locate next hop for TCP from Internet:172.17.1.218/1069 to Lan_Interna:172.33.0.50/3389

172.33.0.50 is a server behind ASA 5505

Peer REMOTE_ITLISBOA:

peer address: 83.44.250.242
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.1.218/255.255.255.255/0/0)
      current_peer: 83.44.250.242, username: SANTOSV
      dynamic allocated peer ip: 172.17.1.218
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 83.44.250.242/1135
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 4B42BB21
      current inbound spi : 4FD66423
    inbound esp sas:
      spi: 0x4FD66423 (1339450403)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18817024, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 28754
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x4B42BB21 (1262664481)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18817024, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 28754
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Peer REMOTE_LISBOA

There are no ipsec sas for peer 83.103.13.107

Thanks!

There are a number of incorrect NAT statements which should be removed:

nat (Lan_Interna,DMZ) source static INTRANET_LISBOA INTRANET_LISBOA no-proxy-arp

nat (Lan_Interna,any) source static INTRANET_LISBOA INTRANET_LISBOA destination static DMZ DMZ no-proxy-arp

nat (Lan_Interna,any) source static INTRANET_LISBOA INTRANET_LISBOA destination static VPN_REMOTE_ACCESS VPN_REMOTE_ACCESS no-proxy-arp

On the VPN Client route section, do you see the 2 routes, or is there just 1 route of 0.0.0.0?

Also, have you reconnected the ASA5505? If you have, how come there is no IPSec SA? There should be an IPSec SA for that peer, otherwise it won't work. Can you access the main site from the ASA5505?
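An added example in Python, not part of this thread and not a Cisco tool: a small linter for the ASA manual NAT lines quoted in this reply. The three flagged rule lines are copied from the reply; the fourth rule, the LAN_NET object and the OBJECT_HOME_IF mapping (which assumes that INTRANET_LISBOA, the 5505's LAN, and the VPN_REMOTE_ACCESS pool are reached through the Internet interface rather than Lan_Interna) are assumptions made for the example. A rule is flagged when its real-side interface is not the interface its source object actually sits behind, and separately when the mapped interface is "any"; the linter also emits the matching "no nat ..." lines that would remove each flagged rule.

```python
"""Lint ASA manual (twice) NAT lines for rules that bind a network to the
wrong real-side interface or use the catch-all mapped interface 'any'.
Added example; object locations below are assumptions, not thread facts."""
import re

# Three rule lines copied from the reply above, plus one constructed benign
# rule (hub LAN to VPN pool identity NAT) for contrast.
SAMPLE_NAT_CONFIG = """\
nat (Lan_Interna,DMZ) source static INTRANET_LISBOA INTRANET_LISBOA no-proxy-arp
nat (Lan_Interna,any) source static INTRANET_LISBOA INTRANET_LISBOA destination static DMZ DMZ no-proxy-arp
nat (Lan_Interna,any) source static INTRANET_LISBOA INTRANET_LISBOA destination static VPN_REMOTE_ACCESS VPN_REMOTE_ACCESS no-proxy-arp
nat (Lan_Interna,Internet) source static LAN_NET LAN_NET destination static VPN_REMOTE_ACCESS VPN_REMOTE_ACCESS no-proxy-arp
"""

# Assumed topology: INTRANET_LISBOA (172.33.0.0/16) is behind the 5505 and is
# reached through the tunnel on Internet; LAN_NET is a hypothetical object
# for the 5520's own LAN on Lan_Interna.
OBJECT_HOME_IF = {
    "INTRANET_LISBOA": "Internet",
    "VPN_REMOTE_ACCESS": "Internet",
    "LAN_NET": "Lan_Interna",
    "DMZ": "DMZ",
}

# nat (real_if,mapped_if) source static REAL MAPPED [destination static REAL MAPPED] [options]
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<opts>.*)$")


def parse_nat_line(line):
    """Return the rule's fields as a dict, or None for a non-NAT line."""
    m = NAT_RE.match(line.strip())
    return m.groupdict() if m else None


def lint_nat(config_text, home_if=OBJECT_HOME_IF):
    """Return [(line, [problem, ...])] for every rule that looks wrong."""
    findings = []
    for line in config_text.splitlines():
        rule = parse_nat_line(line)
        if rule is None:
            continue
        problems = []
        home = home_if.get(rule["src_real"])
        if home and home != rule["src_if"]:
            problems.append(f"real-side interface is {rule['src_if']} but "
                            f"{rule['src_real']} is reached via {home}")
        if rule["dst_if"] == "any":
            problems.append("mapped interface 'any' lets the rule match "
                            "traffic on every interface")
        if problems:
            findings.append((line.strip(), problems))
    return findings


def removal_commands(config_text, home_if=OBJECT_HOME_IF):
    """ASA CLI lines that would remove each flagged rule ('no nat ...')."""
    return ["no " + line for line, _ in lint_nat(config_text, home_if)]


if __name__ == "__main__":
    for line, problems in lint_nat(SAMPLE_NAT_CONFIG):
        print(line)
        for p in problems:
            print("   -", p)
    print("\n".join(removal_commands(SAMPLE_NAT_CONFIG)))
```

Run against the sample, the three rules from the reply are reported (the two with "any" get both findings) and the constructed LAN_NET rule passes, which matches the thread's outcome: the rule naming VPN_REMOTE_ACCESS was the one whose removal fixed the flow.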

Sorry, I copied/pasted the wrong peer IP. The results for REMOTE_LISBOA:

peer address: 87.103.13.107
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 356775, #pkts encrypt: 356775, #pkts digest: 356775
      #pkts decaps: 565445, #pkts decrypt: 565445, #pkts verify: 565445
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 356775, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 93DE9FF8
      current inbound spi : 89D46CF0
    inbound esp sas:
      spi: 0x89D46CF0 (2312400112)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x93DE9FF8 (2480840696)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: FFFB45DD
      current inbound spi : 1FAF3E00
    inbound esp sas:
      spi: 0x1FAF3E00 (531578368)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xFFFB45DD (4294657501)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 1048971, #pkts encrypt: 1048971, #pkts digest: 1048971
      #pkts decaps: 682079, #pkts decrypt: 682079, #pkts verify: 682079
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1048971, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 7D1ADFC3
      current inbound spi : 18581F60
    inbound esp sas:
      spi: 0x18581F60 (408428384)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7D1ADFC3 (2098913219)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 236, #pkts encrypt: 236, #pkts digest: 236
      #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 236, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 66520146
      current inbound spi : 8723F6AB
    inbound esp sas:
      spi: 0x8723F6AB (2267281067)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x66520146 (1716650310)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21155
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (195.77.188.150/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 195.77.188.150/4500, remote crypto endpt.: 87.103.13.107/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 9EA2199F
      current inbound spi : F9A8CA16
    inbound esp sas:
      spi: 0xF9A8CA16 (4188588566)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21152
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x9EA2199F (2661423519)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 18677760, crypto-map: Internet_dyn_map
         sa timing: remaining key lifetime (sec): 21152
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
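An added example in Python, not from this thread and not a Cisco tool: a parser for the show crypto ipsec sa output above and for the "Routing failed to locate next hop" syslog line, which checks whether an SA's local/remote idents cover the failing flow and whether that SA has ever carried a packet. The sample output is excerpted from this reply (only the fields the parser reads, for the 10.10.0.0/16 and 172.17.1.0/24 SAs to peer 87.103.13.107, counters as posted); the status names and the reading of a zero-counter SA as "negotiated but never used" are this example's own interpretation.

```python
"""Parse 'show crypto ipsec sa' output plus an ASA routing-failure syslog
line and say whether the failing flow has an SA and whether it is used.
Added example; sample data excerpted from the thread, labels are ours."""
import ipaddress
import re
from dataclasses import dataclass

# Excerpt of the output posted above: two of the five SAs, trimmed to the
# fields this parser reads. Counters are the ones in the thread.
SAMPLE_SA_OUTPUT = """\
peer address: 87.103.13.107
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      #pkts encaps: 356775, #pkts encrypt: 356775, #pkts digest: 356775
      #pkts decaps: 565445, #pkts decrypt: 565445, #pkts verify: 565445
    Crypto map tag: Internet_dyn_map, seq num: 20, local addr: 195.77.188.150
      local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.33.0.0/255.255.0.0/0/0)
      current_peer: 87.103.13.107, username: LISBOA
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# The syslog line posted for the failing RDP flow.
SAMPLE_LOG = ("Routing failed to locate next hop for TCP from "
              "Internet:172.17.1.218/1069 to Lan_Interna:172.33.0.50/3389")


@dataclass
class IpsecSa:
    peer: str
    username: str
    local: ipaddress.IPv4Network   # hub-side network (local ident)
    remote: ipaddress.IPv4Network  # peer-side network (remote ident)
    encaps: int = 0
    decaps: int = 0


IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)/(\S+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: (\S+), username: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (\w+) from (\S+?):(\S+?)/(\d+) to (\S+?):(\S+?)/(\d+)")


def parse_ipsec_sa(text):
    """Return one IpsecSa per 'Crypto map tag' block in the output."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := IDENT_RE.match(line):
            # dotted netmask form is accepted directly by ipaddress
            cur[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := PEER_RE.match(line):
            cur["peer"], cur["username"] = m[1], m[2]
        elif m := ENCAPS_RE.match(line):
            cur["encaps"] = int(m[1])
        elif m := DECAPS_RE.match(line):
            cur["decaps"] = int(m[1])
    return [IpsecSa(**d) for d in sas]


def parse_routing_failure(logline):
    """Extract protocol, interfaces, addresses and ports from the syslog text."""
    m = ROUTE_FAIL_RE.search(logline)
    if not m:
        raise ValueError("not a routing-failure message")
    return {"proto": m[1], "in_if": m[2], "src": m[3], "sport": int(m[4]),
            "out_if": m[5], "dst": m[6], "dport": int(m[7])}


def diagnose(sas, src, dst):
    """Classify the flow src->dst against the SA list.
    'no-sa': no local/remote ident pair covers the flow (crypto ACL gap);
    'idle-sa': an SA exists but has never carried a packet, so the flow is
    being dropped before it reaches the tunnel (NAT/routing on the hub);
    'active-sa': the covering SA is passing traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [sa for sa in sas if s in sa.local and d in sa.remote]
    if not matches:
        return "no-sa", None
    # most specific ident pair wins when several SAs overlap
    sa = max(matches, key=lambda x: x.local.prefixlen + x.remote.prefixlen)
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle-sa", sa
    return "active-sa", sa


def diagnose_log(sa_text, logline):
    """Convenience wrapper: syslog line + SA output -> (status, sa)."""
    flow = parse_routing_failure(logline)
    return diagnose(parse_ipsec_sa(sa_text), flow["src"], flow["dst"])


if __name__ == "__main__":
    print(diagnose_log(SAMPLE_SA_OUTPUT, SAMPLE_LOG))
```

On the sample data the 172.17.1.0/24 to 172.33.0.0/16 SA exists but reports zero encaps and decaps, so the result is "idle-sa": the tunnel itself is not the problem, which agrees with the thread's outcome that removing a NAT rule on the 5520 fixed the flow.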

Yeeessss!!! You got it!!!

Disabling this NAT rule works:

INTRANET_LISBOA destination static VPN_REMOTE_ACCESS VPN_REMOTE_ACCESS no-proxy-arp

Thanks a lot Jennifer.

Regards

David

Excellent, thanks for the update.