(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
With the above said, capture on the PC that is trying to get Windows Update and at the same time watch the logs on the router to see what packets are being dropped. If these are packets with the ACK or RST bit set and they are from the same IP address that the client tried to talk to, then there is a problem with the established command.
My thinking is that there is a new connection that is coming inbound and it does not have the ACK bit set, and that is the reason that the established command isn't working. But we need to see some data to be able to say it for sure.
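The check described in the reply above, as an added example that is not part of the original post: it reads the flag byte from the raw TCP headers of dropped packets and sorts them by whether the `established` keyword should have matched. The addresses, helper names and sample packets are constructed for illustration.

```python
import struct

# TCP control bits, located in byte 13 of the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10


def tcp_flags(tcp_header: bytes) -> int:
    """Return the control-bit byte of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def matches_established(flags: int) -> bool:
    """True if the 'established' keyword would match: ACK or RST is set."""
    return bool(flags & (ACK | RST))


def triage(dropped, server_ip):
    """Sort dropped packets, given as (src_ip, tcp_header) pairs, into three groups.

    established_but_dropped: from the server with ACK/RST set; the ACL should
                             have permitted these, so the rule needs review.
    new_inbound:             from the server without ACK/RST; an initial segment
                             that 'established' never matches by design.
    other_source:            not from the server the client contacted.
    """
    groups = {"established_but_dropped": [], "new_inbound": [], "other_source": []}
    for src, header in dropped:
        flags = tcp_flags(header)
        if src != server_ip:
            groups["other_source"].append(flags)
        elif matches_established(flags):
            groups["established_but_dropped"].append(flags)
        else:
            groups["new_inbound"].append(flags)
    return groups


def make_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample data only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample: the client contacted 203.0.113.10 (documentation range)
SAMPLE_DROPS = [
    ("203.0.113.10", make_header(443, 50001, SYN | ACK)),  # reply to the client's SYN
    ("203.0.113.10", make_header(443, 50001, RST)),        # reset from the server
    ("203.0.113.10", make_header(50500, 80, SYN)),         # new inbound connection
    ("198.51.100.7", make_header(443, 50002, ACK)),        # unrelated source
]
```
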