Our ASA 5520 is configured as the default gateway on our network, 10.31.0.254/16. We have a separate VPN gateway at 10.31.255.254/16 that connects our school back to the other sites in the district. (Normally, that VPN box is the default gateway for the rest of the district, but because of our heavy web traffic and static NAT requirements we installed a 5520 in parallel to the VPN box.)
The VPN link is up and connects our 10.31.0.0 subnet to the following networks: 10.12.0.0, 10.63.0.0, etc. (each school's site code). The VPN box has a dual NIC; 10.31.255.254 is on the same switch as the Inside interface.
access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
access-list Inside_nat0_outbound extended permit ip any 10.31.224.0 255.255.252.0
access-list Inside_nat0_outbound extended permit ip any 10.31.227.0 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
I can ping any IP within the defined routes from a workstation, and the packet trace passes in ASDM, but as soon as I try to initiate a session (HTTP, SSH, Telnet) it drops them with the following log entry:
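Added example (not from the original post and not Cisco code): a small Python evaluator for the Inside_nat0_outbound list quoted above. It parses the three ACEs, reports which line a given source/destination pair hits and therefore whether that flow is NAT-exempt, and flags ACEs that an earlier ACE already covers. The post does not show the members of object-group DM_INLINE_NETWORK_1, so the contents of OBJECT_GROUPS are an assumption to be replaced with the real group; the function names are the example's own.

```python
import ipaddress

# Constructed input: the three nat0 ACEs quoted in the post, verbatim.
NAT0_ACL = """\
access-list Inside_nat0_outbound extended permit ip any 10.31.224.0 255.255.252.0
access-list Inside_nat0_outbound extended permit ip any 10.31.227.0 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
"""

# ASSUMPTION: the post never shows DM_INLINE_NETWORK_1's members. Replace
# with the output of "show running-config object-group DM_INLINE_NETWORK_1".
OBJECT_GROUPS = {
    "DM_INLINE_NETWORK_1": ["10.12.0.0/16", "10.63.0.0/16"],
}


def _parse_spec(tokens, i):
    """Parse one address spec starting at tokens[i]; return (networks, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        members = OBJECT_GROUPS[tokens[i + 1]]
        return [ipaddress.ip_network(m) for m in members], i + 2
    # "network netmask" form (ASA ACLs take a subnet mask here, not a wildcard)
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_acl(text):
    """Turn 'access-list NAME extended permit|deny PROTO SRC DST' lines into rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue  # skip blanks, remarks and standard ACLs
        name, action, proto = tokens[1], tokens[3], tokens[4]
        src, i = _parse_spec(tokens, 5)
        dst, _ = _parse_spec(tokens, i)
        rules.append({"name": name, "action": action, "proto": proto,
                      "src": src, "dst": dst, "line": line})
    return rules


def first_match(rules, src_ip, dst_ip):
    """0-based index of the first ACE matching the src/dst pair, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, r in enumerate(rules):
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]):
            return idx
    return None


def _covered(nets, earlier):
    """True if every network in nets lies inside some network in earlier."""
    return all(any(n.subnet_of(e) for e in earlier) for n in nets)


def shadowed(rules):
    """Indices of ACEs that can never match because an earlier ACE with the
    same protocol already covers all of their source and destination space."""
    out = []
    for idx, r in enumerate(rules):
        for prev in rules[:idx]:
            if (prev["proto"] == r["proto"] and _covered(r["src"], prev["src"])
                    and _covered(r["dst"], prev["dst"])):
                out.append(idx)
                break
    return out


def nat_exempt(src_ip, dst_ip, rules=None):
    """True if the flow hits a permit ACE in the nat0 list, i.e. bypasses NAT."""
    rules = parse_acl(NAT0_ACL) if rules is None else rules
    idx = first_match(rules, src_ip, dst_ip)
    return idx is not None and rules[idx]["action"] == "permit"


if __name__ == "__main__":
    rules = parse_acl(NAT0_ACL)
    for src, dst in [("10.31.10.20", "10.12.1.1"), ("10.31.10.20", "10.31.227.5"),
                     ("10.31.10.20", "8.8.8.8")]:
        print(src, "->", dst, "exempt" if nat_exempt(src, dst, rules) else "NATed")
    print("shadowed ACEs:", [rules[i]["line"] for i in shadowed(rules)])
```

Run against the three lines as posted, the second ACE (10.31.227.0/28) is entirely inside the first (10.31.224.0/22) and can never match, and traffic to the other sites' /16s is exempted only if those networks really are members of DM_INLINE_NETWORK_1; a destination the list does not cover falls through to the regular NAT rules, which is the first thing to confirm when a packet-tracer run passes but real sessions do not.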