Hello All,
I have a weird issue regarding trying to access a web-based device behind the firewall. I have a DVR machine behind the firewall that has a static NAT entry on the firewall. When I try to access the device from the outside, it seems to hit the device but times out before completion. I have run a packet capture on the ASA and I am getting some really strange results with TCP flags. Also, the connection table shows really weird connection flags. My connection table, configuration, and packet capture are below. Any suggestions? Web traffic going out seems fine but not going in.
Connection table:
TCP out 65.x.x.x:2048 in 10.1.11.60:80 idle 0:18:04 bytes 967 flags UfIOB
TCP out 65.x.x.x:50464 in 10.1.11.60:80 idle 0:42:05 bytes 967 flags UfIOB
TCP out 76.x.x.x:10884 in 10.1.11.60:80 idle 0:05:18 bytes 492 flags UfFIOB
TCP out 76.x.x.x:10883 in 10.1.11.60:80 idle 0:05:09 bytes 2472 flags UfIOB
TCP out 76.x.x.x:10882 in 10.1.11.60:80 idle 0:04:45 bytes 2326 flags UfIOB
TCP out 76.x.x.x:10881 in 10.1.11.60:80 idle 0:05:19 bytes 578 flags UfFIOB
TCP out 76.x.x.x:10156 in 10.1.11.60:80 idle 0:31:00 bytes 2472 flags UfIOB
TCP out 76.x.x.x:10154 in 10.1.11.60:80 idle 0:31:15 bytes 578 flags UfFIOB
TCP out 76.x.x.x.210:9876 in 10.1.11.60:80 idle 0:46:42 bytes 2472 flags UfIOB
TCP out 76.x.x.x:9872 in 10.1.11.60:80 idle 0:47:18 bytes 578 flags UfFIOB
ASA configuration:
ASA Version 7.2(3)
!
hostname BarodaCableASA
domain-name baroda.local
enable password OLwrzN2..uVF.NHM encrypted
names
!
interface Vlan1
description Baroda House Internal Network
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 64.x.x.x 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd OLwrzN2..uVF.NHM encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name baroda.local
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 64.x.x.x eq www
access-list outside extended permit udp any host 64.x.x.x eq 1025
access-list outside extended permit tcp any host 64.x.x.x eq www
access-list outside extended permit udp any host 64.x.x.x eq 1025
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.4.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.13.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.14.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.2.0 255.25.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.3.0 255.25.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.4.0 255.25.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.5.0 255.25.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.12.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.12.0 255.25.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.13.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.13.0 255.25.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.14.0 255.25.255.0
access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.1.14.0 255.25.255.0
access-list VPNSPLIT extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.13.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.4.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.14.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNSPLIT extended permit ip 10.1.5.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPNCLIENT extended permit ip 10.1.30.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list webcap extended permit tcp any host 64.x.x.x eq www
access-list webcap extended permit tcp host 64.x.x.x eq www any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNCLIENTS 172.16.1.1-172.16.1.50 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 64.x.x.x 10.1.11.60 netmask 255.255.255.255
static (inside,outside) 64.x.x.x 10.1.11.61 netmask 255.255.255.255
static (inside,outside) 64.x.x.x 10.1.11.21 netmask 255.255.255.255
static (inside,outside) 64.x.x.x 10.1.11.22 netmask 255.255.255.255
static (inside,outside) 64.x.x.x 10.1.11.23 netmask 255.255.255.255
static (inside,outside) 64.x.x.x 10.1.11.24 netmask 255.255.255.255
static (inside,outside) 64.x.x.x 10.1.11.90 netmask 255.255.255.255
access-group outside in interface outside
route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
route inside 10.1.0.0 255.255.0.0 192.168.2.2 1
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 800 set transform-set ESP-3DES-MD5
crypto map VPNmap 20 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
group-policy Baroda internal
group-policy Baroda attributes
dns-server value 10.1.1.10
vpn-idle-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNSPLIT
default-domain value baroda.local
split-dns value baroda.local
username Admin password c6asn4vihImb6LmO encrypted
tunnel-group Baroda type ipsec-ra
tunnel-group Baroda general-attributes
address-pool VPNclients
default-group-policy Baroda
tunnel-group Baroda ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
prompt hostname context
Cryptochecksum:eed5658ecd03cfcc031f4d17430e338c
: end
I have attached the packet capture
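To make the connection table easier to read, here is an added example (not code from the poster or from Cisco) that parses `show conn` lines in the format shown above, expands each flag letter using the legend the ASA prints with `show conn detail`, and lists connections where only one side has sent a FIN and the idle time already exceeds the `half-closed` value from the `timeout conn` line. The sample lines are the ones from the post; the regular expression and the helper names are this example's own assumptions.

```python
"""Decode Cisco ASA `show conn` flags and spot stale half-closed TCP sessions.

Added example, not part of the original post. The flag meanings below follow
the legend ASA 7.x prints for `show conn detail`; the sample table and the
`timeout conn` line are copied from the post above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the ASA `show conn detail` flag legend (7.x / 8.x).
FLAG_LEGEND = {
    "U": "up",
    "B": "initial SYN from outside",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
}

# Matches "TCP out <ip>:<port> in <ip>:<port> idle h:mm:ss bytes N flags XYZ".
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>\S+):(?P<out_port>\d+)\s+"
    r"in\s+(?P<in_ip>\S+):(?P<in_port>\d+)\s+idle\s+(?P<idle>\d+:\d\d:\d\d)\s+"
    r"bytes\s+(?P<bytes>\d+)(?:\s+flags\s+(?P<flags>\S+))?"
)
TIMEOUT_RE = re.compile(r"\bhalf-closed\s+(\d+:\d\d:\d\d)")

# Connection table lines taken verbatim from the post.
SAMPLE_CONN_TABLE = """\
TCP out 65.x.x.x:2048 in 10.1.11.60:80 idle 0:18:04 bytes 967 flags UfIOB
TCP out 65.x.x.x:50464 in 10.1.11.60:80 idle 0:42:05 bytes 967 flags UfIOB
TCP out 76.x.x.x:10884 in 10.1.11.60:80 idle 0:05:18 bytes 492 flags UfFIOB
TCP out 76.x.x.x:10883 in 10.1.11.60:80 idle 0:05:09 bytes 2472 flags UfIOB
TCP out 76.x.x.x:10882 in 10.1.11.60:80 idle 0:04:45 bytes 2326 flags UfIOB
TCP out 76.x.x.x:10881 in 10.1.11.60:80 idle 0:05:19 bytes 578 flags UfFIOB
TCP out 76.x.x.x:10156 in 10.1.11.60:80 idle 0:31:00 bytes 2472 flags UfIOB
TCP out 76.x.x.x:10154 in 10.1.11.60:80 idle 0:31:15 bytes 578 flags UfFIOB
TCP out 76.x.x.x.210:9876 in 10.1.11.60:80 idle 0:46:42 bytes 2472 flags UfIOB
TCP out 76.x.x.x:9872 in 10.1.11.60:80 idle 0:47:18 bytes 578 flags UfFIOB
"""
# The `timeout conn` line from the posted configuration.
SAMPLE_TIMEOUT_LINE = "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"


@dataclass
class Conn:
    proto: str
    out_addr: str
    in_addr: str
    idle_s: int
    nbytes: int
    flags: str

    def describe(self) -> List[str]:
        return decode_flags(self.flags)

    def half_closed(self) -> bool:
        # Exactly one side has sent FIN: inside (f) or outside (F), not both.
        return ("f" in self.flags) != ("F" in self.flags)


def parse_hms(text: str) -> int:
    """Convert an ASA h:mm:ss idle/timeout value to seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def decode_flags(flags: str) -> List[str]:
    """Expand a flag string such as 'UfIOB' into the legend text, in order."""
    return [FLAG_LEGEND.get(c, f"unknown flag {c!r}") for c in flags]


def parse_conn(line: str) -> Optional[Conn]:
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    return Conn(
        proto=m["proto"],
        out_addr=f"{m['out_ip']}:{m['out_port']}",
        in_addr=f"{m['in_ip']}:{m['in_port']}",
        idle_s=parse_hms(m["idle"]),
        nbytes=int(m["bytes"]),
        flags=m["flags"] or "",
    )


def half_closed_timeout(config_text: str) -> int:
    """Pull the half-closed timeout (seconds) out of a `timeout conn` line."""
    m = TIMEOUT_RE.search(config_text)
    if not m:
        raise ValueError("no 'timeout conn ... half-closed' value found")
    return parse_hms(m.group(1))


def stale_half_closed(conns: List[Conn], timeout_s: int) -> List[Conn]:
    """Half-closed connections whose idle time already exceeds the timeout."""
    return [c for c in conns if c.half_closed() and c.idle_s > timeout_s]


def analyse(table_text: str = SAMPLE_CONN_TABLE,
            config_text: str = SAMPLE_TIMEOUT_LINE) -> Tuple[List[Conn], List[Conn]]:
    conns = [c for c in (parse_conn(l) for l in table_text.splitlines()) if c]
    return conns, stale_half_closed(conns, half_closed_timeout(config_text))


if __name__ == "__main__":
    conns, stale = analyse()
    for c in conns:
        print(f"{c.out_addr:>20} -> {c.in_addr:<15} idle {c.idle_s:5d}s  {', '.join(c.describe())}")
    print(f"\n{len(stale)} half-closed connection(s) idle longer than the half-closed timeout:")
    for c in stale:
        print(f"  {c.out_addr}  flags {c.flags}  idle {c.idle_s}s")
```

Reading the decoded output side by side with the capture is the point: every `UfIOB` entry says the inside host (the DVR) sent its FIN while the outside client never did, and `UfFIOB` entries have FINs from both sides, so the two patterns can be matched against the packets actually seen on each interface.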