To view the sessions being created, use the command "show policy-map type inspect zone-pair NAME sessions". Replace NAME with the name of the corresponding zone-pair.
To enable logging of packets dropped by the zone-based firewall, use the command "ip inspect log drop-pkt". You should then be able to see syslogs of dropped packets (along with details of the zone-pair and class-map being hit).
Introduction: This document describes details on how NAT-T works.

Background: ESP encrypts all critical information, encapsulating the entire inner TCP/UDP datagram within an ESP header. ESP is an IP protocol in the same sense that TCP and UDP are I...