Overview:

User-> Proxy -> chained to another Proxy -> FWSM -> NAT'ing router (Cisco 7600) -> VPN (Juniper SG250 does encrypt and decrypt on both sides) -> ASA-> F5 -> 2 Web servers



I believe our trouble is with the NAT'ing Router. It essentially NAT's anywhere from 10-16 private IP's to one. From here it is handed up to a VPN that encrypts into IPSEC and is sent over a tunnel. It then is sent to the distant end where it is unencrypted and sent through the distant end ASA -> F5 Loadbalancer-> 2 web servers. The application has extreme latency with this in line. However, if we bypass the top proxy and FWSM and don't NAT then it works great.

We have looked at the obvious issues though it is hard getting distant end troubleshooting. Can someone tell me if this is a NAT-T scenario, or if that only matters if it is one device doing both the NAT'ing and encryption?

Also we don't seem to see a high range of port usage on the NAT'ing router...we have set it for 1025- 64000....we generally dont see it go more than 1025-3000. There is enough traffic with the application to legitimately see more than that. The distant end firewall does show "TCP show port reuse" in their initial SYN packets on Wireshark captures. But for the life of us can't figure out who's reusing the ports. There's actually a multitude of problems there could be but I'm going to stop here for the moment and see if you guys see anything glaringly wrong or have a poinant question. First time post. Cheers.