My customer has an ASA running 7.2.2, a Cisco 2950 switch and a Cisco 2621XM. The router is located at the outside interface of the ASA, whose IP subnet is 172.16.1.0/24. End users and an FTP client are behind the ASA, meaning all the clients are located on the inside interface, whose IP subnet is 192.168.2.0/24. The 2950 switch has multiple VLANs for the different zones of the router's and the ASA's physical connections.
In this network, all the users need to access the other network through the ASA and then the router; the ASA performs NAT. There is a static NAT entry mapping 172.16.1.1 to 192.168.2.1, and the same global IP 172.16.1.1 is also the PAT address for subnet 192.168.2.0/24. The firewall policy is permit ip any any.
The problem is that when the users connect to the remote site, I can see static and dynamic NAT entries created in the NAT table and the traffic is permitted, but the connection status is always "saA" in "show conn", until I plug a laptop into the VLAN for the outside interface of the ASA and the 2621XM. The laptop's IP address is 172.16.1.x; then all the connections can be created smoothly.
But when I unplug the laptop's network cable, the connections fail again.
Anyway, there is no IP conflict; my laptop's IP address is not in the scope of the ASA's NAT pool.
What is the IP address of the outside interface of the ASA?
Are you able to ping the remote server from the ASA itself?
When you say that all connections can be created smoothly after connecting the laptop to the outside VLAN, are these connections from the laptop on the outside VLAN or from hosts on the inside VLAN?
I don't see an ARP issue here, as when traffic moves outbound through the ASA and hits the router, the router will create the ARP entry in its own cache. It seems that return traffic is not coming back to the ASA; the evidence for this is the "saA" connection flags. This means the connection was successfully made outbound; however, nothing ever returned to the ASA.
Please check the answers for above questions and keep us posted.
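The reply above leans on the "saA" flags in `show conn` as evidence that nothing came back from the outside host. As an added example (not code from this thread or from Cisco), here is a small Python parser for pasted `show conn` output that separates established connections from ones stuck waiting on the remote side. The sample output it carries is constructed in the ASA 7.x line format, and the flag meanings are the ones documented for the ASA `show conn` command (s/S awaiting outside/inside SYN, a/A awaiting outside/inside ACK to SYN, U up).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample `show conn` output in ASA 7.x format (not from the thread):
# two outbound connections stuck after the inside host's SYN, one fully established.
SAMPLE_SHOW_CONN = """\
3 in use, 5 most used
TCP outside 10.10.10.5:21 inside 192.168.2.10:1034, idle 0:00:12, bytes 0, flags saA
TCP outside 10.10.10.5:80 inside 192.168.2.11:1201, idle 0:00:30, bytes 0, flags saA
TCP outside 10.10.10.5:22 inside 192.168.2.12:1350, idle 0:00:02, bytes 4311, flags UIO
"""

# Handshake-related flag letters as documented for the ASA `show conn` command.
HANDSHAKE_FLAGS = {
    "s": "outside SYN",
    "S": "inside SYN",
    "a": "outside ACK to SYN",
    "A": "inside ACK to SYN",
}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<out_ep>[\d.]+:\d+)"
    r"\s+(?P<in_if>\S+)\s+(?P<in_ep>[\d.]+:\d+),"
    r"\s+idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)$"
)


@dataclass
class Conn:
    proto: str
    outside: str   # "ip:port" seen on the outside interface
    inside: str    # "ip:port" seen on the inside interface
    idle: str
    bytes: int
    flags: str

    @property
    def established(self) -> bool:
        # 'U' is set once the three-way handshake has completed.
        return "U" in self.flags

    def awaiting(self) -> list[str]:
        """Handshake steps the ASA is still waiting for, in flag-letter order."""
        return [desc for letter, desc in HANDSHAKE_FLAGS.items() if letter in self.flags]


def parse_show_conn(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:          # skip the "N in use" header and anything unrecognised
            continue
        conns.append(Conn(m["proto"], m["out_ep"], m["in_ep"], m["idle"],
                          int(m["bytes"]), m["flags"]))
    return conns


def stuck_outbound(conns: list[Conn]) -> list[Conn]:
    """Connections that never completed the handshake: no 'U', no payload bytes,
    and the ASA is still waiting on the outside host's SYN or ACK."""
    return [c for c in conns
            if not c.established and c.bytes == 0
            and ("s" in c.flags or "a" in c.flags)]


def report(text: str) -> dict:
    conns = parse_show_conn(text)
    stuck = stuck_outbound(conns)
    return {
        "total": len(conns),
        "established": sum(c.established for c in conns),
        "stuck_outbound": [(c.inside, c.outside, c.flags) for c in stuck],
    }


if __name__ == "__main__":
    for c in stuck_outbound(parse_show_conn(SAMPLE_SHOW_CONN)):
        print(f"{c.inside} -> {c.outside} flags {c.flags}: "
              f"awaiting {', '.join(c.awaiting())}")
```

Paste the real `show conn` output into `SAMPLE_SHOW_CONN` (or feed it to `report()` from a file) to get a quick count of how many flows are stuck versus up; a list where every outbound flow sits at "saA" with zero bytes, as in the original post, points at the return path (routing or ARP on the outside segment) rather than at the ASA policy, which matches the line of questioning in the reply.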
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...