Question : Still having issues pinging from one subnet to another through ASA 5510

Hi all, this is in reference to a previous post here: LINK

I am trying to ping from a host on my 172.16 network over to hosts on a 192.168.100.0 network.

The interfaces are like this:

Inside: 172.16.20.20
outside: 200.200.200.200
OTHER: 192.168.20.5

Beyond the OTHER interface is the 192.168.100.0 subnet that I need to be able to connect to and ping from my inside hosts.

I can ping everything from within the ASA inside interface (telnet), however my hosts cannot ping through. I can ping the inside interface just fine from my hosts.

The route on my ASA has been added and is like so:

route (OTHER) 192.168.100.0 255.255.255.0 192.168.20.5 (syntax may be incorrect, but the route works, as I can ping 192.168.100.x from the ASA. Before I added the route I couldn't.)

Currently my access-lists are set to permit ip any any in on the inside interface and the same on the OTHER interface.

The security level on the OTHER interface and the inside interfaces are both 100.  

I have tried to turn on nat-control and set up a static (inside,OTHER) 172.16.20.0 172.16.20.0 and that seems to work, but when I run the packet tracer I cannot get a NAT translation from the OTHER interface to inside.

So basically: static (inside, OTHER) 172.16.20.0 172.16.20.0 netmask 255.255.254.0
and: nat (inside) 0 interface

However, since I have everything on the same security level, I suppose that my ACLs are not being used, and I shouldn't have to NAT anything. So when I turn nat-control off, I cannot ping anything, but again, it still works within the ASA. This is what makes me think that this is an ACL issue.

Shouldn't I allow ip outbound on the OTHER interface to be able to ping to the 192.168.100.0 network?
If I were to do NATing, why won't it allow the reverse translation when I use a global NAT like so:

nat (inside) 1 172.16.20.x
global (OTHER) 1 interface

I have tried the above and it does work for my hosts to ping, but again, the packet tracer shows no translation when I run the trace from OTHER: SRC: 192.168.100.2 to 172.16.20.1 and from OTHER: SRC: 192.168.20.1 to 172.16.20.1

I hope that I have provided enough info on this. Again, I can post my current config, but it is linked at the top, and right now I have taken out all nat statements and turned off nat-control and am allowing ip any to any on my ACLs, and my access-groups both point in on the inside interface and OTHER interface. If I am doing something wrong on NATing then please let me know.

LRMoore, if you could chime in on this then that would be awesome. I didn't quite get your post in my last question.

Thanks in advance for your help.

Answer : Still having issues pinging from one subnet to another through ASA 5510

The NAT 0 command with an access-list causes traffic that matches the access-list to go through untranslated.

You only need to have the NAT 0 statement on one of the pair of interfaces in order for it to work in both directions. Security levels high to low allow traffic in that direction (from high to low) without the need for a more granular access-list, although they can of course be used to control high to low traffic. Low to high requires an ACL to permit traffic.

So you have 3 things going on:
NAT 0 - used to turn off NAT where it isn't needed
Security Levels - High to Low is permitted
ACLs - used to provide more granular control of High to Low traffic where needed and to provide control of traffic from Low to High
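As an added example (not the poster's config and not the answerer's), here is a pre-8.3 ASA fragment that puts the answer's three points together for the addressing in the question: a NAT 0 exemption between inside and the 192.168.100.0/24 subnet, explicit permission for traffic between two interfaces that both sit at security level 100, and subnet-scoped ACLs instead of `permit ip any any`. The next-hop router on the OTHER segment is not given in the question, so 192.168.20.1 below is a placeholder.

```text
! Identity NAT (NAT 0): inside hosts reach 192.168.100.0/24 untranslated.
! The return flow is matched automatically, so no static (inside,OTHER) is needed.
access-list NONAT extended permit ip 172.16.20.0 255.255.254.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! inside and OTHER are both security level 100. Traffic between interfaces at
! the same level is dropped by default regardless of ACLs, so allow it explicitly.
same-security-traffic permit inter-interface
!
! Route to the far subnet via the router on the OTHER segment.
! 192.168.20.1 is an assumed placeholder; use the real next hop.
route OTHER 192.168.100.0 255.255.255.0 192.168.20.1
!
! Scoped ACLs in place of "permit ip any any": only the two subnets may talk.
! With ACLs applied inbound on both interfaces, the echo-reply from OTHER needs
! the OTHER_IN entry (or "inspect icmp" in the global policy) to get back in.
access-list INSIDE_IN extended permit ip 172.16.20.0 255.255.254.0 192.168.100.0 255.255.255.0
access-list OTHER_IN extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.254.0
access-group INSIDE_IN in interface inside
access-group OTHER_IN in interface OTHER
```

After applying, `packet-tracer input inside icmp 172.16.20.50 8 0 192.168.100.2` should show the NAT phase as an exemption (no translation) and the flow allowed through both interfaces.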
