Seems to drop packets

[maynarja]

I am seeing some weird issues.

I have 2 ACL, 1 for the crypto and the other for nonat


access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 205.210.65.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 205.210.67.0 255.255.255.0


access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 205.210.65.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 205.210.67.0 255.255.255.0

It seems the nonat does not have any increasing in the hit count.

Also if I ping say 10.0.3.1 it takes a bit but will finally ping, if i try to ping another host on the same subnet it either does not or I have to wait a while. If i ping another network it takes a long time to respond.


I have also use "crypto isakmp nat-traversal 3600" but no differences..

I have also changed "timeout xlate 8:00:00" again no differences.

 

[brianinms]

Remote client or site to site?

 

[maynarja]

Site to Site.

 

[brianinms]

The nonat access-lists wont increase in their hit count. When you ping 10.0.3.1 how many pings does it miss before it starts pinging?

 

[maynarja]

I think the issue comes down to 10 host inside limitation.

And that is correct about the nonat