We have 3 remote sites connected to the main site via a tunnel from a 2621 router at the main site to 1721 routers at each remote site via an ISP.
I have been seeing entries in the firewall (PIX) log with the 2621's WAN address as the source address. The WAN interface is connected to the ISP. Similar entries have shown up in the log with each of the 1721s' WAN addresses as the source address. Also, there have been log entries with a public address as the source address. The following is an excerpt of a recent log. Our IP addresses have been changed or x'd.
Mar 15 07:01:11 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for icmp src inside:xxx.xxx.xxx.106 dst outside:22.214.171.124 (type 3, code 3)
Mar 15 07:09:43 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for icmp src inside:xxx.xxx.xxx.106 dst outside:126.96.36.199 (type 3, code 3)
Mar 15 07:29:15 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for udp src inside:188.8.131.52/123 dst outside:184.108.40.206/123
The 2621 has a default route to the main network router to provide Internet access to the remote sites. The 1721s have a default route to the 2621's tunnel interface for each site.
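As an added example (not part of the original post and not a Cisco tool), here is a small Python parser for the %PIX-3-305005 "No translation group found" lines quoted above. It handles both variants seen in the excerpt, the icmp form with a trailing (type N, code N) and the tcp/udp form with address/port pairs, and then tags each untranslated inside-to-outside flow whose source is one of the tunnel routers' own WAN addresses, an ICMP unreachable, or NTP (udp/123). The sample lines are constructed from the excerpt with RFC 5737 documentation addresses in place of the masked ones, and the set of router WAN addresses is an assumption you would replace with your own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Matches the %PIX-3-305005 message in both shapes that appear in the post:
#   ... for icmp src inside:A dst outside:B (type 3, code 3)
#   ... for udp  src inside:A/123 dst outside:B/123
PIX_305005 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<device>\S+)\s+%PIX-3-305005:\s+No translation group found for\s+"
    r"(?P<proto>\w+)\s+src\s+(?P<src_if>\w+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))?"
    r"\s+dst\s+(?P<dst_if>\w+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?"
    r"(?:\s+\(type\s+(?P<itype>\d+),\s+code\s+(?P<icode>\d+)\))?\s*$"
)


@dataclass
class NatMiss:
    ts: str
    proto: str
    src_if: str
    src: str
    sport: Optional[int]
    dst_if: str
    dst: str
    dport: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_305005(line: str) -> Optional[NatMiss]:
    """Return a NatMiss for a 305005 line, or None for any other message."""
    m = PIX_305005.match(line)
    if not m:
        return None
    g = m.groupdict()
    return NatMiss(
        ts=g["ts"], proto=g["proto"].lower(),
        src_if=g["src_if"], src=g["src"], sport=_to_int(g["sport"]),
        dst_if=g["dst_if"], dst=g["dst"], dport=_to_int(g["dport"]),
        icmp_type=_to_int(g["itype"]), icmp_code=_to_int(g["icode"]),
    )


def classify(miss: NatMiss, router_wan_addrs: set) -> list:
    """Tag why an untranslated flow is worth looking at."""
    tags = []
    if miss.src in router_wan_addrs:
        # A tunnel endpoint's WAN address showing up on the PIX inside
        # interface: its own traffic is being routed through the firewall.
        tags.append("router-wan-source")
    if miss.proto == "icmp" and miss.icmp_type == 3:
        tags.append("icmp-unreachable")   # type 3 = destination unreachable
    if miss.proto == "udp" and miss.dport == 123:
        tags.append("ntp")
    return tags


def summarize(lines, router_wan_addrs: set):
    """Count inside->outside NAT misses per source and collect their tags."""
    by_src = Counter()
    tags = {}
    for line in lines:
        miss = parse_305005(line)
        if miss is None or miss.src_if != "inside" or miss.dst_if != "outside":
            continue
        by_src[miss.src] += 1
        tags.setdefault(miss.src, set()).update(classify(miss, router_wan_addrs))
    return by_src, tags


# Constructed sample log, modelled on the excerpt in the post (RFC 5737 addresses).
SAMPLE_LOG = [
    "Mar 15 07:01:11 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for icmp src inside:198.51.100.106 dst outside:203.0.113.24 (type 3, code 3)",
    "Mar 15 07:09:43 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for icmp src inside:198.51.100.106 dst outside:203.0.113.199 (type 3, code 3)",
    "Mar 15 07:29:15 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for udp src inside:198.51.100.201/123 dst outside:203.0.113.206/123",
    "Mar 15 07:31:02 192.168.3.2/192.168.3.2 %PIX-3-305005: No translation group found for tcp src inside:10.10.1.25/51422 dst outside:203.0.113.80/443",
    "Mar 15 07:31:05 192.168.3.2/192.168.3.2 %PIX-6-302013: Built outbound TCP connection 1811 for outside:203.0.113.80/443 (203.0.113.80/443) to inside:10.10.1.7/51423 (198.51.100.5/1025)",
]

# Assumed WAN addresses of the 2621 and one 1721 (replace with your own).
ROUTER_WAN_ADDRS = {"198.51.100.106", "198.51.100.201"}

if __name__ == "__main__":
    counts, reasons = summarize(SAMPLE_LOG, ROUTER_WAN_ADDRS)
    for src, n in counts.most_common():
        print(f"{src:16} {n:3}  {', '.join(sorted(reasons[src])) or '-'}")
```

Run it against a copy of the syslog export; sources tagged router-wan-source are the ones the post describes, and an untagged source with a private address simply has no nat/global pair on the PIX.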
The PIX may be stopping the passage of traffic. A reload may solve the problem. If there is a huge number of access-lists, turbo ACL should be enabled (access-list compiled). A performance drop is normally a matter of a too-big ACL or too much traffic. It could be that there is a memory problem.