I have a weird issue. Earlier today I created a tunnel to a vendor that uses "public" addresses (138.x.x.x) as a private address for me to tunnel to. All of this works except for a remote site that has a 5505 configured as a vpnclient. The tunnel-group that they connect to has a group-policy that forces all traffic over the tunnel. The vpnacl that's applied shows that it's allowing everything over the tunnel. NAT is disabled only by not having the global line in the config.
The problem is that the user tries to go to this address, but it doesn't seem to go over the tunnel. I created a capture file on my side (headend) and I don't see anything. Then I created a capture file on their side and I see it try to connect, but no success. Any ideas on how I can force this address through the tunnel so it can go out of my device like it should? I have hundreds of users that work fine, but it's the satellite offices that have these ASAs that don't. I've got same-security-traffic permit intra-interface configured on my headend 5520.
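As an added example (not the poster's configuration and not vendor-supplied), the fragment below shows the headend-side checks for this hairpin path: a tunnel-all client's decrypted traffic re-enters the outside interface and must leave the same interface inside the vendor tunnel, which only happens if the client-pool-to-vendor flow is matched by the vendor crypto ACL. The pool, vendor range, peer address and ACL/object names are placeholders.

```cisco
! Added example, not the poster's running config. Placeholders:
!   10.200.0.0/24  - the pool the headend assigns to the 5505 vpnclient
!   138.0.0.0/24   - stands in for the vendor's "public" 138.x.x.x range
!   VENDOR_PEER    - the vendor's IPsec peer address
!
! 1. Hairpinning: traffic decrypted from the client tunnel must be allowed
!    to exit the interface it arrived on (the poster already has this).
same-security-traffic permit intra-interface
!
! 2. The vendor crypto ACL must list the client pool as a source. If it only
!    lists the headend's inside networks, a hairpinned packet from a client
!    to 138.x.x.x follows the default route out the outside interface
!    unencrypted instead of entering the vendor tunnel, so it never shows up
!    in a capture of the vendor IPsec SA.
access-list VENDOR_CRYPTO extended permit ip 10.200.0.0 255.255.255.0 138.0.0.0 255.255.255.0
!
! 3. Confirm the decision the ASA actually makes for such a packet, and that
!    an SA to the vendor exists for the client pool, before touching the
!    remote 5505.
packet-tracer input outside tcp 10.200.0.10 12345 138.0.0.10 443 detailed
show crypto ipsec sa peer VENDOR_PEER
```

The packet-tracer output names the phase that drops or misroutes the flow (route lookup, VPN encrypt, or an ACL), which is quicker than comparing captures on both sides; if the VPN encrypt phase is missing, the crypto ACL on the headend is the place to look.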