SSH DOES NOT work correctly even in their latest 12.2-2 I just received from their IOS group. It allows the SSH server to start but does not allow an SSH session (client request) from router to router. The server portion, with a software client connecting in, does work; I use SecureCRT as the client.
I think the reason SSH does not work is because of the don't frag bit being turned on, and when the certificates are exchanged the packets with the IPsec headers exceed the MTU. 12.2 has a new command for it: crypto ipsec df-bit [clear | set | copy]. I have not tried it yet to see how well it works, though.
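
The size arithmetic behind the DF-bit theory in the post above, as an added example (not code from either poster or from Cisco). It assumes ESP tunnel mode over IPv4 with no NAT-T and the transforms listed in the tables; the function names and the downstream-hop model are illustrative.

```python
# Added illustration: ESP tunnel-mode packet size and the outer DF bit
# produced by each `crypto ipsec df-bit` setting.
# Assumptions: IPv4 outer header without options, no NAT-T (UDP) wrapper.
OUTER_IP = 20      # outer IPv4 header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}   # (IV bytes, block bytes)
ICVS = {"hmac-md5-96": 12, "hmac-sha1-96": 12}    # truncated ICV bytes

def esp_tunnel_size(inner_len, cipher="3des", auth="hmac-sha1-96"):
    """Bytes on the wire once a whole inner IP packet is ESP-encapsulated."""
    iv, block = CIPHERS[cipher]
    # Payload plus trailer is padded up to the cipher block size.
    pad = -(inner_len + ESP_TRAILER) % block
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICVS[auth]

def max_inner_len(mtu, cipher="3des", auth="hmac-sha1-96"):
    """Largest inner packet that still fits in `mtu` after encapsulation."""
    for n in range(mtu, 0, -1):
        if esp_tunnel_size(n, cipher, auth) <= mtu:
            return n
    return 0

def outer_df(policy, inner_df):
    """DF bit written into the outer header for clear | set | copy."""
    if policy == "clear":
        return False
    if policy == "set":
        return True
    if policy == "copy":
        return inner_df
    raise ValueError("policy must be clear, set or copy")

def downstream_hop(inner_len, inner_df, policy, link_mtu=1500, **kw):
    """What an ordinary IPv4 router further along the path does with the
    encrypted packet: forward it, fragment it, or drop it (and send ICMP
    'fragmentation needed' back to the encrypting peer)."""
    if esp_tunnel_size(inner_len, **kw) <= link_mtu:
        return "forward"
    return "drop" if outer_df(policy, inner_df) else "fragment"

if __name__ == "__main__":
    # Constructed sample: a full-size 1500-byte inner packet with DF set.
    print("encrypted size:", esp_tunnel_size(1500))
    print("largest inner packet for a 1500-byte MTU:", max_inner_len(1500))
    for policy in ("clear", "set", "copy"):
        print(policy, "->", downstream_hop(1500, True, policy))
```
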