I've got a PIX-to-PIX VPN Tunnel between CO and Chicago that works when the regular link is up. My ISP's main link in Chicago just failed, but they have routed it through some emergency links they put in place. The temporary links include a NAT from a new IP to the old.
So, I have modified the PEER on my CO PIX and restarted the CRYPTO MAP. I can SSH into the remote (CH) PIX via the NATed external IP address, and the VPN appears to be up, but I can't pass traffic across it.
The inbound ESP SA SPI in CO matches the outbound ESP SA SPI in CH, and vice-versa. It seems like a routing problem, but I don't see where.
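A scripted form of the check described above (pairing the inbound and outbound ESP SPIs on the two peers), extended with the comparison a practitioner would make next: packets encapsulated on one side against packets decapsulated on the other, which shows whether ESP is actually arriving. This is an added example, not code from the thread; the sample `show crypto ipsec sa` output is constructed and trimmed to the fields the script reads, the hostnames CO/CH are taken from the post, and the verdict strings are general IPsec triage guidance (ESP carries no port numbers, so a NAT in the path needs NAT-T on UDP/4500), not a diagnosis of this particular case.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the PIX/ASA "show crypto ipsec sa"
# format and trimmed to the fields parsed below. Addresses, SPIs and
# counters are made up for this example.
CO_SA = """\
interface: outside
    Crypto map tag: outside_map, local addr: 198.51.100.10
      current_peer: 203.0.113.77
      #pkts encaps: 1542, #pkts encrypt: 1542, #pkts digest: 1542
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0x3A1B2C4D (974597197)
    outbound esp sas:
      spi: 0x7E5F6A1B (2120051227)
"""

CH_SA = """\
interface: outside
    Crypto map tag: outside_map, local addr: 192.168.200.5
      current_peer: 198.51.100.10
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0x7E5F6A1B (2120051227)
    outbound esp sas:
      spi: 0x3A1B2C4D (974597197)
"""


@dataclass
class SaStats:
    in_spi: int    # SPI of the SA this peer decrypts with
    out_spi: int   # SPI of the SA this peer encrypts with
    encaps: int    # packets this peer has encapsulated into ESP
    decaps: int    # packets this peer has decapsulated from ESP


def parse_sa(output: str) -> SaStats:
    """Pull the ESP SPIs and the encaps/decaps counters out of one peer's output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, output, re.IGNORECASE)
        if not m:
            raise ValueError(f"field not found in output: {pattern}")
        return m.group(1)

    return SaStats(
        in_spi=int(grab(r"inbound esp sas:\s*spi:\s*(0x[0-9a-f]+)"), 16),
        out_spi=int(grab(r"outbound esp sas:\s*spi:\s*(0x[0-9a-f]+)"), 16),
        encaps=int(grab(r"#pkts encaps:\s*(\d+)")),
        decaps=int(grab(r"#pkts decaps:\s*(\d+)")),
    )


def diagnose(a_name: str, a: SaStats, b_name: str, b: SaStats) -> str:
    """First-pass triage: are the SAs paired, and in which direction does ESP stop?"""
    # Each peer's outbound SPI must be the other peer's inbound SPI.
    if a.out_spi != b.in_spi or a.in_spi != b.out_spi:
        return "SPI mismatch: the peers do not hold the same SA pair; clear and re-negotiate"
    # Encapsulated on one side but never decapsulated on the other: the ESP
    # packets are lost in transit. Plain ESP (IP protocol 50) has no ports a
    # NAT device can translate, so with a NAT in the path check that NAT-T
    # (UDP/4500) was negotiated and is permitted end to end.
    if a.encaps > 0 and b.decaps == 0:
        return (f"{a_name} encrypts ({a.encaps} encaps) but {b_name} never decrypts: "
                "ESP lost between the peers; with a NAT in the path verify NAT-T (UDP/4500)")
    if b.encaps > 0 and a.decaps == 0:
        return (f"{b_name} encrypts ({b.encaps} encaps) but {a_name} never decrypts: "
                "ESP lost between the peers; with a NAT in the path verify NAT-T (UDP/4500)")
    if a.encaps == 0 and b.encaps == 0:
        return "neither side encapsulates: interesting traffic never hits the crypto map (routing or crypto ACL)"
    return "counters advance on both sides: the tunnel carries traffic; look at routing beyond it"


if __name__ == "__main__":
    co, ch = parse_sa(CO_SA), parse_sa(CH_SA)
    print(f"CO in/out SPI: {co.in_spi:#x}/{co.out_spi:#x}")
    print(f"CH in/out SPI: {ch.in_spi:#x}/{ch.out_spi:#x}")
    print(diagnose("CO", co, "CH", ch))
```

Run the script against the output captured from each PIX (take two snapshots a few seconds apart if you want to confirm the counters are actually moving rather than left over from before the link failure). The constructed sample reproduces the situation in the post: SPIs pair correctly on both ends, yet CO's encaps counter climbs while CH's decaps stays at zero, which points at the path between the peers rather than at the SAs themselves.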
Try clearing the ARP cache on both sides. Also try reloading the PIX to make sure it's not stuck in any state since the link failure and still trying to route through the old paths. If that still doesn't help, open a TAC case with the configs for further troubleshooting.