You will need arp permit-nonconnected enabled for NAT to work correctly.
arp permit-nonconnected
To enable the ARP cache to also include non-directly-connected subnets, use the arp permit-nonconnected command in global configuration mode. To disable non-connected subnets, use the no form of this command.
Usage Guidelines
By default, the ASA ARP cache contains only entries from directly connected subnets. With no arp permit-nonconnected in effect (the default), the ASA rejects both incoming ARP requests and ARP responses whose address lies in a subnet other than the one configured on the receiving interface.
Note that this default behavior causes PAT to fail when the mapped (virtual) IP address used for PAT is in a different subnet than the connected interface.
Also, we do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attacks against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
- Secondary subnets.
- Proxy ARP on adjacent routes for traffic forwarding.
Examples
The following example enables non-connected subnets (the command is a single hyphenated keyword, permit-nonconnected):
ciscoasa(config)# arp permit-nonconnected
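To show the PAT case the usage guidelines describe in context, here is an added ASA configuration fragment (it is not from the Cisco documentation quoted above); the interface names and addresses are constructed from documentation ranges and are assumptions:

```cisco
! Added example: PAT mapped address on a subnet that is not directly connected.
! Addresses (192.0.2.0/24, 10.0.0.0/24, 198.51.100.0/24) are constructed placeholders.
!
! The outside interface is addressed from 192.0.2.0/24 ...
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! ... but the public address used for PAT, 198.51.100.10, belongs to a
! subnet that is NOT configured on any ASA interface.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 198.51.100.10
!
! With the default (no arp permit-nonconnected), an ARP request for
! 198.51.100.10 that arrives on "outside" from an upstream router in
! 198.51.100.0/24 is off-subnet for that interface and is rejected, so
! the mapped address is never resolved and translated sessions fail.
! Allowing non-connected ARP entries resolves this for the PAT case:
arp permit-nonconnected
!
! Verification (exec mode): after traffic flows, the cache should contain
! the 198.51.100.x neighbor on "outside" even though it is off-subnet.
!   ciscoasa# show arp
!
! As the guidelines warn, this also lets any host on any interface plant
! off-subnet entries in the ARP table, so enable it only where a mapped
! address or secondary subnet genuinely requires it.
```

The same fragment applies to the secondary-subnet case: any interface that must learn or answer ARP for an address outside its own configured subnet needs the command enabled.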