IPSEC Tunnel Traffic

rsatjharman
Level 1

Hi,

I haven't had much luck with responses to this, however here goes. I have an IPSEC VPN tunnel up and connected. I can ping a remote IP address from a local address; however, I cannot Telnet to port 55019 of the same remote IP address. It seems that the Telnet traffic does not get sent to the IPSEC tunnel. When I run ping I can see the Bytes Tx and Bytes Rx byte counts change in the result of show vpn-sessiondb l2l. When I run the Telnet command from the same PC the count does not change, which means that the Telnet traffic is not entering the VPN.

Would appreciate any assistance forthcoming.

14 Replies

Seb Rupik
VIP Alumni

Hi there,

What is the output of:

sh crypto map

If you have more than one crypto map entry, please tell us which index number it is.

cheers,

Seb.

Hi,
Not really sure which command to run from the CLI, however please find attached a screenshot from the menu.

Unless you have a really strange NAT-setup, it's likely that it is related to access-control (on your ASA or a device between the client and the ASA). Simulate the traffic with the packet-tracer and observe the output.

Result of the command: "sh crypto ipsec sa peer 124.240.212.118"

peer address: 124.240.212.118
Crypto map tag: SMSC, seq num: 1, local addr: 210.7.26.68

access-list outside_cryptomap_7 extended permit ip host 192.168.1.10 host 124.240.212.126
local ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (124.240.212.126/255.255.255.255/0/0)
current_peer: 124.240.212.118


#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 210.7.26.68/0, remote crypto endpt.: 124.240.212.118/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CD955D7B
current inbound spi : 437B62FD

inbound esp sas:
spi: 0x437B62FD (1132159741)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1150976, crypto-map: SMSC
sa timing: remaining key lifetime (sec): 3503
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001D
outbound esp sas:
spi: 0xCD955D7B (3449118075)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1150976, crypto-map: SMSC
sa timing: remaining key lifetime (sec): 3503
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Hi Karsten,

As it is at the moment the ACL only allows IP, and also in the Crypto Map menu only IP is protected; however I need to add TCP from 192.168.1.10/any to 124.240.212.126/55019. I have tried this a few times and it still did not work; maybe I am doing something wrong.

TCP is part of IP, if you have allowed IP there is no need to allow TCP (or UDP or ICMP, ...) in addition.

Okay, so when I run the packet tracer it drops the packet on the outside interface. There must be something else that I need to look at.

Hi Karsten,

Ran the packet tracer on the inside and outside interface; the packet was allowed on the inside interface but disallowed on the outside interface.

You can't simulate it from outside. And only looking at the result of the inside packet-tracer is not enough. Is NAT doing something unexpected, like changing the traffic so that it doesn't match the crypto definition any more? Based on the screenshot it could be something like that.

Hi Karsten,
Any idea on where to look? Perhaps print out the NAT settings etc. I'm stuck here; everything else looks okay.

There are sections for NAT in the packet-tracer. Showing your NAT-config ("show run nat") could also help.

Result of the command: "sh run nat"

nat (inside,outside) source static PET_WB PET_WB destination static SMSC SMSC no-proxy-arp route-lookup
nat (inside,outside) source static WEB_Server interface service any WEBRDP
nat (inside,outside) source static WEB_Server interface service any FTP
nat (inside,outside) source static WEB_Server interface service any HTTP
nat (inside,outside) source static WEB_Server interface service any HTTPS
nat (inside,outside) source static WEB_Server interface service any API
nat (inside,outside) source static WEB_Server interface service any APITEST
nat (inside,outside) source static POSH interface service any POSHRemote
nat (inside,outside) source static POSH interface service any poshSETUP
nat (inside,outside) source static WEB_Server WEB_Server destination static TPNG TPNG no-proxy-arp route-lookup
nat (any,any) source static TPNG TPNG destination static WEB_Server WEB_Server no-proxy-arp
!
object network LAN
nat (any,outside) dynamic interface

ok, that's a mess ... 

But it seems that you need a NAT-exemption for that traffic at the top of the NAT rules.

I have cleaned it up as follows -
nat (inside,outside) source static WEB_Server interface service any WEBRDP
nat (inside,outside) source static WEB_Server interface service any FTP
nat (inside,outside) source static WEB_Server interface service any HTTP
nat (inside,outside) source static WEB_Server interface service any HTTPS
nat (inside,outside) source static WEB_Server interface service any API
nat (inside,outside) source static WEB_Server interface service any APITEST
nat (inside,outside) source static POSH interface service any POSHRemote
nat (inside,outside) source static POSH interface service any poshSETUP

object network LAN
nat (any,outside) dynamic interface

What are your suggestions moving forward?
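Karsten's two points above, that "permit ip" in the crypto ACL already covers TCP and that the identity NAT (exemption) has to sit at the top of the NAT rules, can be checked with a small model of ASA NAT ordering. This is an added example written for this thread, not Cisco code or the poster's configuration: the addresses behind PET_WB, SMSC, WEB_Server, POSH and LAN are assumptions (the thread never shows "show run object"), and port translation from the service rules is not modelled. It runs the Telnet flow 192.168.1.10 to 124.240.212.126:55019 through the originally posted NAT config, through the cleaned-up config (which dropped the exemption), and through the cleaned config with the exemption restored, then reports which rule matched and whether the post-NAT packet still matches the crypto ACL.

```python
"""Simplified model of how an ASA chooses a NAT rule for a flow and then tests the
post-NAT packet against the crypto ACL.  Added illustration for this thread, not
Cisco code; the object-to-address mappings are constructed assumptions."""
import ipaddress

OBJECTS = {                            # constructed assumptions
    "PET_WB": "192.168.1.10/32",       # assumed: the host in the crypto ACL
    "SMSC": "124.240.212.126/32",      # assumed: the remote host in the crypto ACL
    "WEB_Server": "192.168.1.20/32",   # hypothetical
    "POSH": "192.168.1.30/32",         # hypothetical
    "LAN": "192.168.1.0/24",           # hypothetical, but must contain PET_WB
}
OUTSIDE_IP = "210.7.26.68"             # local crypto endpoint shown in the thread
CRYPTO_ACL = ("access-list outside_cryptomap_7 extended permit ip "
              "host 192.168.1.10 host 124.240.212.126")

# Posted configs with the line-wraps joined; only some WEB_Server/POSH service
# rules are kept, since none of them can match a flow sourced from PET_WB.
ORIGINAL_NAT = """\
nat (inside,outside) source static PET_WB PET_WB destination static SMSC SMSC no-proxy-arp route-lookup
nat (inside,outside) source static WEB_Server interface service any WEBRDP
nat (inside,outside) source static POSH interface service any POSHRemote
nat (inside,outside) source static WEB_Server WEB_Server destination static TPNG TPNG no-proxy-arp route-lookup
nat (any,any) source static TPNG TPNG destination static WEB_Server WEB_Server no-proxy-arp
!
object network LAN
 nat (any,outside) dynamic interface
"""
# The cleaned-up config from the last post: same rules minus the exemption and TPNG.
CLEANED_NAT = "\n".join(ORIGINAL_NAT.splitlines()[1:3] + ORIGINAL_NAT.splitlines()[5:]) + "\n"
FIXED_NAT = ORIGINAL_NAT.splitlines()[0] + "\n" + CLEANED_NAT   # exemption back on top

def in_obj(addr, name):
    """True when addr is inside the named object; 'any' matches everything."""
    if name == "any":
        return True
    if name not in OBJECTS:            # e.g. TPNG, which this model never defines
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(OBJECTS[name])

def parse_nat(config):
    """Section 1 = manual NAT in configured order, section 2 = object NAT.
    The ASA evaluates section 1 top-down before it looks at section 2."""
    section1, section2, current_obj = [], [], None
    for line in config.splitlines():
        toks = line.split()
        if not toks or toks[0] == "!":
            continue
        if toks[:2] == ["object", "network"]:
            current_obj = toks[2]
        elif toks[0] == "nat" and toks[2] == "source":
            section1.append(toks)
        elif toks[0] == "nat" and current_obj:
            section2.append((current_obj, toks))
    return section1, section2

def translate(real_src, mapped, src):
    """Identity NAT keeps the source, 'interface' PATs it to the outside IP,
    any other object maps it to that object's first address."""
    if mapped == real_src:
        return src
    if mapped == "interface":
        return OUTSIDE_IP
    return str(ipaddress.ip_network(OBJECTS[mapped])[0])

def apply_nat(src, dst, config):
    """Return (matching rule, translated source); the first match wins.  Port
    translation from the 'service' keyword is not modelled (real service is 'any')."""
    section1, section2 = parse_nat(config)
    for toks in section1:
        real_src, mapped = toks[4], toks[5]
        dst_obj = toks[toks.index("destination") + 2] if "destination" in toks else "any"
        if in_obj(src, real_src) and in_obj(dst, dst_obj):
            return " ".join(toks), translate(real_src, mapped, src)
    for obj, toks in section2:
        if in_obj(src, obj):
            return f"object network {obj}: {' '.join(toks)}", translate(obj, toks[3], src)
    return None, src

def matches_crypto_acl(src, dst, proto, acl=CRYPTO_ACL):
    """'permit <proto> host A host B'.  'ip' already covers tcp, udp and icmp,
    which is why a separate TCP entry for port 55019 is not needed."""
    toks = acl.split()
    if toks[4] != "ip" and toks[4] != proto:
        return False
    return src == toks[6] and dst == toks[8]

def enters_tunnel(src, dst, proto, config):
    """Run the flow through NAT first, then test what is left against the crypto ACL."""
    rule, nat_src = apply_nat(src, dst, config)
    return matches_crypto_acl(nat_src, dst, proto), rule, nat_src

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_NAT), ("cleaned", CLEANED_NAT), ("fixed", FIXED_NAT)):
        ok, rule, nat_src = enters_tunnel("192.168.1.10", "124.240.212.126", "tcp", cfg)
        print(f"{label:8} tunnel={ok!s:5} src after NAT {nat_src:15} via {rule}")
```

With the cleaned-up config the only rule that matches the host is the object NAT for LAN, so the source is PATed to the outside address 210.7.26.68 and the packet no longer matches the crypto ACL, which means nothing from that host would enter the tunnel at all; putting the identity NAT back at the top of section 1 restores the match. On a real ASA the same decision is visible in the NAT phase of packet-tracer run from the inside interface.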