Now I can pass information from the vyatta 119.252.X.X to our internal networks (220.127.116.11/16) (yeah, I know these are a public range, but this is the environment I have inherited; I am underway with a project to put private network addresses in place, but it's not finished quite yet).
The problem seems to be passing info from the ASA to the internal network behind the vyatta - 192.168.11.0/24.
When I check my syslog I get the following error (this example was an attempted mstsc connection): Inbound TCP connection denied from 18.104.22.168/60660 to 192.168.11.101/3389 flags SYN on interface inside
Now I'm guessing this SYN message means that the ASA is attempting to NAT my outgoing packets, which is strange because I have set up a nonat rule. But when I do a show nat this is the result:
ABN-FW3-CISCO-ASA5510# show nat inside
  match ip inside 22.214.171.124 255.255.0.0 outside 192.168.11.0 255.255.255.0
    NAT exempt
      translate_hits = 0, untranslate_hits = 37
(this value is not changing)
Here is my config for the NAT:
access-list Inside_nat0_outbound extended permit ip 126.96.36.199 255.255.0.0 192.168.11.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 188.8.131.52 255.255.255.0 192.168.11.0 255.255.255.0
(I have a separate ACL for interesting traffic)
access-list VPN_cryptomap extended permit ip 184.108.40.206 255.255.0.0 192.168.11.0 255.255.255.0
access-list VPN_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.11.0 255.255.255.0
access-list VPN_cryptomap extended permit ip 220.127.116.11 255.255.255.0 192.168.11.0 255.255.255.0
I agree with Ajay that your NAT-config looks fine, and the error seems to point to some kind of ACL/firewall issue.
And to answer your question: yes, the nat (inside) 0 takes precedence over the nat (inside) 1 statement.
The funny detail is that your tunnel has non-zero values for #pkts encaps/decaps, so there is definitely some traffic going through it in both directions; which does not necessarily mean there is bi-directional traffic, unfortunately.
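One check worth running against the information posted above is whether the denied flow actually falls inside both ACLs, since the two ACLs quoted in the thread are not identical: the nat0 list carries 10.0.0.0 255.255.255.0 while the crypto-map list carries 10.0.0.0 255.0.0.0, so a flow from the wider 10/8 range is "interesting" to the tunnel but not exempt from NAT. The script below is an added example, not code from the thread or from Cisco: it parses the "Inbound TCP connection denied ... flags SYN on interface inside" text (the body of ASA syslog message 106001) and the "extended permit ip" ACEs, then reports which ACLs match the denied 5-tuple and whether a crypto-matched flow is missing from the NAT-exempt list. The sample config reuses the 10.0.0.0 and 192.168.11.0 entries from the thread; the two log lines and their source addresses (10.0.0.25, 10.0.1.25) are constructed for the example, and the function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the connection-denied text quoted in the thread (body of ASA
# message 106001). Not anchored, so a leading "%ASA-2-106001:" is tolerated.
DENY_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) "
    r"on interface (?P<iface>\S+)"
)

# One "extended permit ip <net> <mask> <net> <mask>" ACE, the form used by
# both the nat0 and the crypto-map ACLs in the thread.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)"
)


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str
    iface: str


@dataclass
class Ace:
    acl: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, flow: Flow) -> bool:
        return flow.src in self.src and flow.dst in self.dst


def parse_deny(line: str) -> Optional[Flow]:
    """Extract the 5-tuple, flags and interface from a 106001 line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Flow(
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        flags=m["flags"].strip(),
        iface=m["iface"],
    )


def parse_acl(config: str) -> List[Ace]:
    """Parse every 'permit ip' ACE from a show-run style access-list dump."""
    aces = []
    for m in ACE_RE.finditer(config):
        # ASA ACLs use a real subnet mask (not a wildcard), so the
        # "addr/mask" form accepted by ipaddress applies directly.
        aces.append(Ace(
            acl=m["acl"],
            src=ipaddress.IPv4Network(f"{m['src']}/{m['smask']}", strict=False),
            dst=ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False),
        ))
    return aces


def acls_matching(flow: Flow, aces: List[Ace]) -> Dict[str, bool]:
    """For each ACL name seen, True if at least one of its ACEs covers the flow."""
    result: Dict[str, bool] = {}
    for ace in aces:
        result[ace.acl] = result.get(ace.acl, False) or ace.matches(flow)
    return result


def nat_exempt_gap(line: str, config: str,
                   nat0_acl: str = "Inside_nat0_outbound",
                   crypto_acl: str = "VPN_cryptomap") -> Optional[bool]:
    """True when the denied flow matches the crypto-map ACL but not the
    NAT-exempt ACL (i.e. it would enter the tunnel with a translated
    source). None if the line is not a 106001 message."""
    flow = parse_deny(line)
    if flow is None:
        return None
    hits = acls_matching(flow, parse_acl(config))
    return hits.get(crypto_acl, False) and not hits.get(nat0_acl, False)


# Constructed sample config: the 10.0.0.0 entries from the thread, which
# differ in mask between the two ACLs (/24 in nat0, /8 in the crypto map).
SAMPLE_CONFIG = """
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list VPN_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.11.0 255.255.255.0
"""

# Constructed log lines; the source addresses are invented for the example.
COVERED = ("Inbound TCP connection denied from 10.0.0.25/60660 "
           "to 192.168.11.101/3389 flags SYN on interface inside")
UNCOVERED = ("Inbound TCP connection denied from 10.0.1.25/60661 "
             "to 192.168.11.101/3389 flags SYN on interface inside")

if __name__ == "__main__":
    for line in (COVERED, UNCOVERED):
        flow = parse_deny(line)
        print(flow.src, "->", flow.dst,
              acls_matching(flow, parse_acl(SAMPLE_CONFIG)),
              "nat0 gap:", nat_exempt_gap(line, SAMPLE_CONFIG))
```

Feed it the real syslog line and the full output of `show running-config access-list`; a flow that reports a nat0 gap is one the crypto map will try to tunnel while the NAT-exempt ACL lets the regular nat (inside) 1 translation apply, which is exactly the case where the two lists need to be brought back into line.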
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...