My customer has an ASA running 7.2.2, a Cisco 2950 switch and a Cisco 2621XM. The router is located at the outside interface of the ASA, whose IP subnet is 172.16.1.0/24. End users and an FTP client are behind the ASA, which means all the clients are located at the inside interface, whose IP subnet is 192.168.2.0/24. The 2950 switch has multiple VLANs for different zones for the router's and ASA's physical connections.
In this network, all the users need to access the other network through the ASA and then the router; the ASA performs NAT. There was a static NAT entry to map 172.16.1.1 to 192.168.2.1, and the same global IP 172.16.1.1 is also the PAT for subnet 192.168.2.0/24. The firewall policy is permit IP any any.
The problem is that when the users connect to the remote site, I can see static and dynamic NAT entries created in the NAT table and the traffic is permitted, but the connection status shown in "show conn" is always "saA", until I plug a laptop into the VLAN that is for the outside interface of the ASA and the 2621XM (the laptop's IP address is 172.16.1.x); then all the connections can be created smoothly.
But when I unplug the laptop's network cable, the connection fails again.
Anyway, there is no IP conflict; my laptop's IP address is not in the scope of the ASA's NAT pool.