I have a hub and spoke VPN with a 515 at the hub and 506s at the spokes (all running 6.2). Two tunnels were up, but the configuration for the 3rd tunnel had the wrong network address referenced in the crypto access list for interesting traffic. When attempting to remove the incorrect reference and replace it with the correct network address range, all outbound traffic from the hub PIX stopped except for tunneled traffic to remote sites. I could not ping the directly connected border router from the PIX. It appears as if all traffic was being routed through the tunnels, nothing in the clear. I had to remove all references to the specific policy for the 3rd site (40) before clear traffic would go out to the internet, and only specified traffic continued to the remotes via the VPN.
nat (inside) 0 access-list crypto_global
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_ml permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_ps permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_plan permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
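Added example, not from the post: a small Python check that parses PIX 6.x-style `nat 0` and crypto `access-list` lines and reports entries present in the NAT-exemption ACL but missing from every per-peer crypto ACL (and vice versa), plus any entry whose destination is `any`, which would make every outbound flow "interesting". The sample config is constructed with documentation address ranges standing in for the masked 207.x/209.x/216.x networks, and it deliberately gives the third spoke's crypto ACL a mismatched network so the check has something to flag.

```python
import ipaddress
import re

# Constructed sample in the style of the post's PIX 6.x config. Documentation
# ranges replace the masked addresses; crypto_plan intentionally references
# 10.4.0.0/16 while the nat 0 exemption ACL references 10.40.0.0/16.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list crypto_global
access-list crypto_global permit ip 203.0.113.0 255.255.255.0 198.51.100.64 255.255.255.192
access-list crypto_global permit ip 203.0.113.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list crypto_global permit ip 203.0.113.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_ml permit ip 203.0.113.0 255.255.255.0 198.51.100.64 255.255.255.192
access-list crypto_ps permit ip 203.0.113.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list crypto_plan permit ip 203.0.113.0 255.255.255.0 10.4.0.0 255.255.0.0
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")

def _net(tokens):
    """Pop one PIX address spec ('any' or 'ADDRESS SUBNETMASK') off the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network((t, tokens.pop(0)), strict=False)

def parse_config(text):
    """Return (name of the nat 0 exemption ACL, {acl_name: [(src, dst), ...]})."""
    acls, nat0 = {}, None
    for line in text.splitlines():
        if m := NAT0_RE.match(line.strip()):
            nat0 = m.group(1)
        elif m := ACE_RE.match(line.strip()):
            toks = m.group(2).split()
            acls.setdefault(m.group(1), []).append((_net(toks), _net(toks)))
    return nat0, acls

def check_config(text):
    """Flag drift between the NAT-exemption ACL and the per-peer crypto ACLs."""
    nat0, acls = parse_config(text)
    exempt = set(acls.get(nat0, []))
    peer = {e for name, ents in acls.items() if name != nat0 for e in ents}
    findings = [f"{s} -> {d}: NAT-exempt but in no crypto ACL"
                for s, d in sorted(exempt - peer, key=str)]
    findings += [f"{s} -> {d}: in a crypto ACL but not NAT-exempt"
                 for s, d in sorted(peer - exempt, key=str)]
    findings += [f"{n}: {s} -> any would make every flow 'interesting'"
                 for n, ents in acls.items() for s, d in ents if d.prefixlen == 0]
    return findings
```

Run `check_config(SAMPLE_CONFIG)` to see the two mismatched 10.40.0.0/16 and 10.4.0.0/16 entries reported; on a live box the same input is the output of `show run` filtered to the `nat` and `access-list` lines.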