"If I reconfigure the ASA port to a regular switchport vlan"
Why would you need that? An interface needs an IP address to have an ARP table, or function as proxy-ARP as requested.
If all you need is connectivity between outside VPN clients, all you need is same-security-traffic permit intra-interface.
Don't know if your ASAs are in failover mode, but assuming not, and if you need a VPN client connected to ASAx to be able to talk to a VPN client connected to Y, all you need is a simple static route in the firewalls.
Please describe more, if I have misunderstood the issue.
Yes, I misunderstood that hair-pinning the traffic and allowing the same-security interface traffic are the same. I did not want to hair-pin the traffic but now I realized that they are 2 different things.
Also, the ASAs are in a cluster and so they are in a community vlan for the VCA (heartbeats) to work.
I had to permit the same-security interface traffic to solve the problem.