You really need to get the Unfriendly NAT issue solved, whether or not the hub MX is on the edge or a concentrator, as this will likely cause issues. The Unfriendly NAT means an upstream firewall is modifying the source port (or source IP address) differently for the two connections to the VPN registry (and potentially also the AutoVPN IPSec connection itself). The only solution is to create a static port forward on the upstream (customer) firewall and configure that manually in the Site-to-Site VPN configuration page.

I don’t think I’ve ever tried to use a Z3 as a concentrator, so not sure if it will actually work (can’t see why it wouldn’t, since it’s almost the same, but it may be one of those gotchas). If it does work, then if you are able to successfully ping a device at a Z3 location from the ASA LAN then the routing is probably correct, and it is more likely the TCP traffic is being blocked at a higher Layer (e.g. a firewall rule is blocking it).

Out of interest, any reason why you are using a Z3 to connect to the ASA? Why not just connect it to a LAN port on the MX hub? (or are they on different sites?)