I've recently been rolling out some 5505 installs to a number of customer sites, and one of them is exhibiting very strange behaviour.
When adding a LAN-to-LAN VPN (between an unlimited-user Security Plus device at the HQ and a 10-user Base device at a remote office) the tunnel comes up fine, but when you add a NAT exception for the traffic to the HQ device everything goes crazy.
The remote device behaves fine; however, the HQ device starts to have loopy connection tracking and randomly starts rejecting traffic. Sanitised output attached... this was an ASDM refresh...
Local site is 192.168.16.0/24 and remote is 192.168.15.0/24.
It seems to be routing traffic so as to try to connect external traffic via the internal interface (the ACLs reject it).
Anyone got any ideas? The strange behaviour only starts when you add a NAT exception for traffic from the local subnet to the remote.
Probably not worth it, Ray (it would take me another 30 min to sanitise). I've just been trawling through the release notes and it's possible there may be an issue. The config works 100% fine on the Base model using the same software, however...
May just look at rolling up to 8 as you suggest. Anyone else got any ideas?
Output of show version attached. I've been running through everything I can think of all day today, including the various bug trackers etc. Just wondered if I'm doing anything stupid or if there is a known problem...
Not much help I'm afraid; I've been through this and checked the config. It's almost like when the NAT exception is added for the VPN, the NAT xlates seem to operate in reverse.
3|Oct 20 2008|16:44:11|710003|admin-site|asa-headoffice-outside|TCP access denied by ACL from admin-site/3676 to inside:asa-headoffice-outside/443
admin-site is my remote address, and asa-headoffice-outside is the "outside" (security level 0) address of the ASA. For some reason it's trying to translate via inside and getting killed by the default ACL.
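As an added illustration that is not part of the thread or the poster's configuration, this is what a pre-8.3 (7.x/8.0) NAT exemption for the tunnel described above normally looks like on the HQ unit, together with the checks that show which direction the exemption is being matched in. The subnets are the ones from the post (192.168.16.0/24 at HQ, 192.168.15.0/24 at the branch); the interface names "inside"/"outside", the ACL names, the host addresses used in packet-tracer, and the assumption that the unit runs a release with packet-tracer (7.2 or later) are all assumptions, not details taken from the thread.

```cisco
! ---- HQ ASA: NAT exemption (nat 0) for the LAN-to-LAN tunnel ----
! The exemption ACL is evaluated from the perspective of the "inside" interface,
! so it is written local-source -> remote-destination. The branch unit needs the
! mirror image (192.168.15.0/24 -> 192.168.16.0/24) on its own inside interface.
access-list NONAT extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Crypto ACL for the tunnel, same direction as NONAT; the peer's crypto ACL must mirror it.
access-list VPN_TO_BRANCH extended permit ip 192.168.16.0 255.255.255.0 192.168.15.0 255.255.255.0
!
! Decrypted IPsec traffic bypasses the interface ACLs only while this is set
! (it is the default, but verify it has not been removed).
sysopt connection permit-vpn
!
! ---- The reversed form, shown only as the misconfiguration to rule out ----
! If the exemption is entered with the two subnets swapped, outbound inside->branch
! traffic no longer matches nat 0 and falls through to whatever dynamic NAT exists.
! access-list NONAT extended permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
!
! ---- Checks, run on the HQ unit (host addresses are made up for the trace) ----
! 1. Inside host -> branch host: NAT phase should hit the nat 0 rule (identity
!    translation), followed by a VPN ENCRYPT phase with output-interface: outside.
packet-tracer input inside tcp 192.168.16.10 1024 192.168.15.10 443 detailed
!
! 2. Branch host -> inside host arriving on outside: after the VPN DECRYPT phase the
!    flow must still match the exemption and create no dynamic xlate.
packet-tracer input outside tcp 192.168.15.10 1024 192.168.16.10 443 detailed
!
! 3. Confirm what is actually installed and whether any xlate has been built for
!    the two subnets; a translation showing up here for 192.168.16.0/24 traffic to
!    192.168.15.0/24 means the exemption is not being matched.
show nat
show xlate
show crypto ipsec sa
```

The packet-tracer output is the quickest way to tell whether the exemption is being applied in the intended direction: for the first trace, an output interface of "inside" instead of "outside", or a NAT phase that selects a dynamic rule rather than the nat 0 identity rule, points at the exemption ACL rather than at the crypto map.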