Hi, Can you ping the default gateway (upstream ISP router) from the ASA itself? If that works can you traceroute to 8.8.8.8 and see where it stops. Your ACL on the outside interface should be configured in the "in" direction, the ACL "OUTSIDE-IN" you appear to have defined does not exist.   access-list INSIDE_IN extended permit ip any any access-list INSIDE_IN extended permit icmp any any access-list OUTSIDE_OUT extended permit ip any any access-list OUTSIDE_OUT extended permit icmp any any access-group OUTSIDE-IN in interface outside   Also the packer-tracer you ran from outside to inside would not work. You have a dynamic nat not a static 121 nat.   HTH   ... View more

No I don't see that is possible. You cannot connect through one ASA interface (outside) to another ASA interface, that's by design. I quickly labbed the scenrario you described above and received the following error, which I believe confirms my initial thoughts. %ASA-6-110002: Failed to locate egress interface for UDP from OUTSIDE:3.3.3.1/500 to 11.11.11.1/500 The scenario you are describing is possible on IOS routers, where you could define a loopback. As mentioned previously ASA's don't support loopback interfaces. I can think of a few alternative options for you. Place a router in front of the ASA using the IP address of the current ASA interfaces', re-ip address the ASA with the new IP addresses and then terminate the VPN's. Or alternatively place a router or another ASA in a DMZ interface of the current ASA and utilise the new ip address range. HTH ... View more

Hi, I think it's enabled as default for L2L and RA VPNs on the ASA. It's configured under the tunnel-group tunnel-group XXXXX ipsec-attributes isakmp keepalive threshold X retry X HTH ... View more