I bought a new ASA 5505 and am having a bit of a problem configuring it in the way I need it.
192.168.1.0 /27 --> ASA --> 3524 switch --> 3725 (router on a stick) --> 3524 --> 192.168.2.0 /27
I have a 192.168.1.0 /27 network that I'm attempting to permit access to 192.168.2.0 /27. I set up a NAT exemption, a static route through another router, and same-security-traffic inter and intra interface commands. With this in place, I can ping hosts in the 2.x network from both the ASA and hosts in the 1.x network. When attempting to do anything else, sessions time out.

I pulled up Wireshark on one of the machines in the 1.0 network and am seeing an odd sequence of events with the TCP handshake. When attempting to ssh to the 2.0 network, the PC will send a SYN with TCP sequence number 0 and will receive a SYN/ACK from the 2.x host with sequence number 0. Wireshark gives an error about seeing an ack to a segment it hasn't yet sent. This will happen for four attempts and the connection will be aborted on the 1.x host. I had a similar setup with a PIX 501, but never had this problem.

I've read a whole slew of documentation on setting up NAT exemptions, but the only option I can find about TCP sequencing is the norandomseq option on the nat (inside) 0 access-list <access-list> command. However, it won't allow you to issue this command on a nat 0. Is there anything else I can do? What would possibly be resetting the sequence number here?
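The handshake symptom described in the post (SYN sent with relative sequence 0, SYN/ACK comes back acknowledging a number the client never sent) is what you get when a stateful middlebox rewrites the client's initial sequence number on the forward path but the reply does not pass back through the same flow state, so the ACK field is never shifted back. The model below is an added illustration, not code from the original post or from Cisco; it assumes a simplified firewall that adds a random per-flow offset to the client ISN and subtracts it from the server's ACK number only when the reply traverses the same box. Names (`SeqRandomizer`, `handshake`) are invented for the example.

```python
"""Toy model of a TCP three-way handshake through an ISN-randomizing middlebox.

Added example, not from the original post. Assumption: the box shifts the
client's sequence number by a random offset on the way out and undoes that
shift on the ACK field of replies, but only if the reply comes back through
the same flow state (symmetric path).
"""
import random
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence space


@dataclass
class Segment:
    syn: bool
    ack: bool
    seq: int
    ack_num: int = 0


class SeqRandomizer:
    """Stateful middlebox that randomizes the client's ISN per flow."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random(0)  # seeded so the example is repeatable
        self.offset = None

    def forward(self, seg):
        """Client -> server direction: pick an offset on the SYN, apply it to seq."""
        if seg.syn and not seg.ack:
            self.offset = self.rng.randrange(1, MOD)  # never 0, so seq really changes
        return Segment(seg.syn, seg.ack, (seg.seq + self.offset) % MOD, seg.ack_num)

    def reverse(self, seg):
        """Server -> client direction: undo the shift on the ACK number."""
        return Segment(seg.syn, seg.ack, seg.seq, (seg.ack_num - self.offset) % MOD)


def server_synack(syn_seen_by_server, server_isn):
    """Server replies to whatever SYN it saw, acknowledging its seq + 1."""
    return Segment(True, True, server_isn, (syn_seen_by_server.seq + 1) % MOD)


def synack_is_valid(client_isn, synack):
    """What the client (and Wireshark) expect: ack number == client ISN + 1."""
    return synack.ack and synack.ack_num == (client_isn + 1) % MOD


def handshake(client_isn, server_isn, symmetric_return):
    """Run SYN / SYN-ACK through the box; return (valid, synack_as_client_sees_it)."""
    box = SeqRandomizer()
    syn = Segment(syn=True, ack=False, seq=client_isn)
    syn_on_wire = box.forward(syn)
    synack = server_synack(syn_on_wire, server_isn)
    if symmetric_return:
        synack = box.reverse(synack)  # reply passes back through the same flow
    return synack_is_valid(client_isn, synack), synack


if __name__ == "__main__":
    ok, s = handshake(0, 0, symmetric_return=True)
    print("symmetric path :", "valid" if ok else "bad ack", "ack_num =", s.ack_num)
    ok, s = handshake(0, 0, symmetric_return=False)
    print("asymmetric path:", "valid" if ok else "bad ack", "ack_num =", s.ack_num)
```

With a symmetric path the client sees ack_num 1 for its ISN 0 and the handshake completes; with the reply bypassing the rewrite it sees ack_num = offset + 1, which is the "ACK to a segment not yet sent" Wireshark flags, and the client never completes the connection.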