We upgraded a pair of 515e's last night from 7.2.2 to 220.127.116.11.
The upgrade was fine, however when we tested both L2L and Client based VPN connections we hit issues and were finally forced to roll back to 7.2.2 due to time constraints.
Our problem with the VPN was first noticed with a L2L tunnel. Trying to ping a device on the LAN from the central site, the PIX logging produced a message that said there was no port map translation group for the returning traffic, i.e. the echo reply. Interestingly, telnet worked from central site to remote, but not ping. We also found that any connectivity created from the remote site had the same issue, and likewise for the client-based VPNs. We never changed the configuration of the PIX, and a NAT 0 was set up from high to low. I don't believe there should have been any other features added to the code, just bug fixes.
We did try several other things to try and get it to work, including sysopt permit vpn, reboot, nat 0 on outside interface, etc.
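As an added example, not taken from the original thread, here is the NAT exemption pattern the post is describing, in PIX 7.x syntax. The addresses, ACL name and interface layout are assumptions for illustration: inside LAN 192.168.1.0/24, remote L2L LAN 192.168.2.0/24, remote-access client pool 10.10.10.0/24.

```cisco
! Added example (not from the thread); addresses and names are assumed.
! Exempt VPN-bound traffic from NAT. The ACL is evaluated from the
! inside interface, so sources are local subnets and destinations are
! the remote LAN and the remote-access client pool.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Ordinary PAT for Internet-bound traffic; nat 0 is matched first,
! so the VPN subnets above are never translated.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Let decrypted VPN traffic bypass the outside interface access list.
sysopt connection permit-vpn
```

Two checks worth making when the "no translation group" message (syslog 305005) shows up only for returning or remote-initiated traffic: first, that the exemption is `nat 0 access-list`, which is bidirectional, and not a plain `nat (inside) 0 <subnet>` identity rule, which is not and so will not cover connections started from the remote site or from VPN clients; second, whether `nat-control` is enabled (`show running-config nat-control`), because with it on, every interface pair carrying traffic from a higher to a lower security level needs a matching nat/global or nat 0 rule, which is also the situation in the inter-VLAN case below.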
I tried that release a few weeks ago. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.