We're having some trouble with VPN users behind an ASA5520 fw.
The topology is something like this:
Usr --- |ASA5520| ------> |cloud| ------|ASA5550-VPN|----|resources|
- The user connects to the net and starts browsing and using services.
- The user starts an IPsec tunnel with the Cisco VPN client.
- He loses connectivity to everything. The user is virtually disconnected.
We made a test with this topology:
Usr ---------> |cloud| ------|ASA5550|----|resources|
And VPN goes fine. Everything works.
So, to find out what the problem could be, we captured packets on both ASAs.
Packets from the user come through the 5520 and go to the 5550.
Next, packets return from the ASA5550 to the ASA5520, but they don't go to the client.
If I take a look at the logs, they show that the ASA5520 is dropping ESP packets that came from the ASA5550 by the default deny rule (the last one):
%ASA-6-106100: access-list access-outside-in denied 50 outside/220.127.116.11(0) -> inside/18.104.22.168(0) hit-cnt 1
So, we put a rule on the outside interface of the 5520 that lets the packets pass, and now they go to the user and everything works fine.
The problem is that we can't start writing access rules that permit ESP traffic for any IPsec tunnel server that is outside the 5520.
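As an added example that is not part of the original post, here is a small Python parser for the %ASA-6-106100 ACL-hit message quoted above; it flags denied IPsec flows (ESP, AH, and IKE/NAT-T over UDP) so drops like the one observed show up in monitoring. The first sample line is the one from the post; the other sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# %ASA-6-106100 as it appears in the post. Real devices may append
# "first hit [...]", which this pattern tolerates by not anchoring the end.
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# The ASA logs tcp/udp/icmp by name and other protocols by number (50 = ESP).
PROTO_NAMES = {"50": "esp", "51": "ah", "17": "udp", "6": "tcp", "1": "icmp"}
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T


@dataclass
class AclHit:
    acl: str; action: str; proto: str
    src_if: str; src: str; sport: str
    dst_if: str; dst: str; dport: str
    hits: int

    def is_ipsec(self) -> bool:
        """ESP or AH, or UDP on the IKE/NAT-T ports."""
        name = PROTO_NAMES.get(self.proto, self.proto.lower())
        if name in ("esp", "ah"):
            return True
        return name == "udp" and (self.sport in IKE_PORTS or self.dport in IKE_PORTS)


def parse_106100(line: str) -> Optional[AclHit]:
    m = ASA_106100.search(line)
    if not m:
        return None
    d = m.groupdict()
    return AclHit(d["acl"], d["action"], d["proto"], d["src_if"], d["src"], d["sport"],
                  d["dst_if"], d["dst"], d["dport"], int(d["hits"]))


def denied_ipsec(lines):
    """Parsed hits where the ACL denied IPsec traffic (the symptom in the post)."""
    return [h for h in map(parse_106100, lines) if h and h.action == "denied" and h.is_ipsec()]


SAMPLE = [  # first line from the post; the rest are constructed
    "%ASA-6-106100: access-list access-outside-in denied 50 outside/220.127.116.11(0) -> inside/18.104.22.168(0) hit-cnt 1",
    "%ASA-6-106100: access-list access-outside-in permitted tcp outside/198.51.100.7(443) -> inside/192.0.2.10(51000) hit-cnt 3",
    "%ASA-6-106100: access-list access-outside-in denied udp outside/198.51.100.7(4500) -> inside/192.0.2.10(4500) hit-cnt 2",
    "%ASA-6-106100: access-list access-outside-in denied udp outside/198.51.100.9(53) -> inside/192.0.2.10(40000) hit-cnt 1",
]
```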