Caution: While using NAT with a limited number of IP addresses in the translation pool, the translations may not time out if the global address continues to receive traffic. This may happen even if this traffic is blocked by an access list. For more details, refer to Cisco Bug ID CSCec47609.
IOS can use NetFlow to determine which host is generating this ICMP traffic, and thus the infected machine. How can I do this with PIX? Will upgrading the IOS fix this, although I still need to determine which machine is generating the traffic? I used the access lists, but that is preventing network browsing across the VPN tunnel.