It worked. Actually, I disabled NAT-T to check if ipsec-passthrough was working.

"no crypto ipsec nat-transparency udp-encapsulation"

I disabled NAT-T but did not clear the crypto ipsec sa. It seems ASA inspect ipsec-pass-thru will work only if the connection is started from the beginning, as there is a mismatch in the ESP sequencing.

With regards
Kings

On Mon, Oct 19, 2009 at 1:33 PM, Kingsley Charles <[email protected]> wrote:

> Hi all
>
> I am trying to have a site to site VPN across ASA with static NAT. I am
> sending the interesting traffic from inside to outside and have not
> configured any inbound access-list on the outside interface to allow the ESP
> packet.
>
> Instead, I have configured the following command to global policy map under
> inspection_default.
>
> "inspect ipsec-pass-thru"
>
> I see a connection entry in the "conn table"
>
> ciscoasa# sh conn
> 1 in use, 15 most used
> ESP outside 10.30.20.40 inside 10.20.30.40, idle 0:00:01, bytes 124
>
> But the return traffic is being dropped by ASA's outside interface.
>
> Any thoughts?
>
> With regards
> Kings
