Our customer has the same problem: an incompatibility between the "ip route-cache cef" interface command and VPN Client access to the network connected to that interface... So, the customer has to choose between remote access VPN and NetFlow accounting functionality. He has chosen the first.
I've found the answer by myself while surfing the forum...
So, for us the solution was to change the code

crypto dynamic-map RA_MAP_DYNAMIC 10
 set transform-set RA_TS
 set isakmp-profile VPNCLIENT_P1_PROFILE
 reverse-route

to this one (see the reverse-route line):

crypto dynamic-map RA_MAP_DYNAMIC 10
 set transform-set RA_TS
 set isakmp-profile VPNCLIENT_P1_PROFILE
 reverse-route remote-peer x.x.x.x

where x.x.x.x is our default GW.
After we changed the "reverse-route" line, we were able to painlessly enable "ip route-cache cef" on the internal/external interfaces, and NetFlow finally started to export the flow data to the collector. It was like a miracle.