05-16-2013 01:47 PM
Hello everyone, I've been racking my brain on this one and can't seem to figure it out. I am setting up a site-to-site tunnel between an 1811 router and a 5505 ASA. I currently have several tunnels on the ASA, but to other security appliances such as ASAs or SonicWalls. I have gotten the tunnel up; Phase 1 and Phase 2 both complete successfully. However, I cannot pass traffic across the tunnel. I see on the ASA that Bytes Tx increases with attempts but Bytes Rx never moves. Same thing on the router: #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 - #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453
I'm sure it is something on the router end but can't figure it out. Here is the config I have used:
1811 Router:
crypto isakmp policy 2
encr 3des
authentication pre-share
crypto isakmp key Abc123!@ address XXX.XXX.XXX.XXX
crypto ipsec transform-set Denver esp-3des esp-sha-hmac
crypto map SMD_CMAP_1 1 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set Denver
match address 120
interface FastEthernet1
ip address XXX.XXX.XXX.XX 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SMD_CMAP_1
ip nat inside source route-map nonat interface FastEthernet1 overload
access-list 115 deny ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.9.1.0 0.0.0.255 any
access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
match ip address 115
ASA 5510:
object network OKL
subnet 10.9.1.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 object OKL
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
crypto ipsec transform-set OKL esp-3des esp-sha-hmac
crypto map IPSECMAP 7 set peer XXX.XXX.XXX.XXX
crypto map IPSECMAP 7 set transform-set OKL
crypto map IPSECMAP 7 set reverse-route
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy VPNGrpPolicy
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key *****
Please help me figure this one out!!!!
Any help is much appreciated.
05-16-2013 10:53 PM
The router-config looks fine.
1) Is the traffic for 10.1.1.0/24 really routed to this 1811?
2) Any Access-Control on the way from 10.9.1.0 to 10.1.1.0?
3) Is 10.1.1.0 really routed out of Fa1 on the 1811?
Sent from Cisco Technical Support iPad App
05-17-2013 06:23 AM
Karsten,
Thanks for the reply.
1. Yes, it is routed correctly. A traceroute from a client machine in 10.9.1.0 shows that the first hop is 10.9.1.1 (1811 BVI1 interface).
2. No. There are switches in between the router and end user, but there is no access control on them.
3. Yes. The default route on this router is the next hop from the Fa1 interface >>
ip address XXX.XX.1.36 255.255.255.248
ip route 0.0.0.0 0.0.0.0 XXX.XXX.1.33
Just in case, I added route:
ip route 10.1.1.0 255.255.255.0 fastEthernet 1
Any other suggestions?
05-17-2013 06:32 AM
Not many suggestions any more ...
Is the NAT config from your first post the only NAT rule on the router? If not, please check that no translation is built for your traffic that should go into the VPN, and post your complete NAT config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
05-17-2013 06:45 AM
The NAT config is pretty straightforward:
ip nat inside source list 10 interface FastEthernet1 overload
ip nat inside source route-map nonat interface FastEthernet1 overload
ip nat inside source static tcp 10.9.1.13 3021 XXX.XXX.XXX.36 3021 extendable
ip nat inside source static tcp 10.9.1.16 3022 XXX.XXX.XXX.36 3022 extendable
access-list 10 permit 10.9.1.0 0.0.0.255
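Added example (not from any post in this thread): a small Python checker for the two things Karsten is asking about, written against the router and ASA access-lists posted above. It parses IOS wildcard-mask ACLs and ASA subnet-mask ACLs into networks, confirms the two crypto ACLs are exact mirror images, and then walks every dynamic `ip nat inside source` statement to see whether its ACL would permit (and therefore translate) a VPN flow, since on IOS inside-to-outside NAT is applied before the crypto map is consulted. The sample ACL and NAT lines are transcribed from the thread; the `ROUTE_MAPS` dictionary that ties `route-map nonat` to ACL 115 is hand-written, and all function names are mine. Only `ip` entries with network/any/host addresses are handled; port qualifiers are ignored.

```python
"""Check a site-to-site IPsec config for mismatched crypto ACLs and for
NAT statements that would translate VPN traffic before encryption."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _wild_to_net(addr, wildcard):
    """IOS wildcard (inverse) mask -> network; 0.0.0.255 is a /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _parse_addr(tokens, i, style):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if style == "ios":  # IOS ACLs use wildcard masks
        return _wild_to_net(tok, tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2  # ASA: subnet mask


def parse_acl(text, style):
    """Return {acl_id: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, i = t[1], 2
        if style == "asa" and t[i] in ("extended", "standard"):
            i += 1
        action, i = t[i], i + 1
        if t[i].isalpha() and t[i] not in ("any", "host"):  # protocol token: extended entry
            src, i = _parse_addr(t, i + 1, style)
            dst, i = _parse_addr(t, i, style)
        else:  # IOS standard ACL: source only
            src, i = _parse_addr(t, i, style)
            dst = ANY
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def flows(entries):
    """The (src, dst) pairs an ACL permits."""
    return {(s, d) for a, s, d in entries if a == "permit"}


def mirror_check(local_crypto, remote_crypto):
    """Crypto ACLs must be exact mirrors: every local (src, dst) is a remote (dst, src)."""
    local = flows(local_crypto)
    remote = {(d, s) for s, d in flows(remote_crypto)}
    return local == remote, local - remote, remote - local


def first_match(entries, src, dst):
    """Action of the first entry covering the whole flow, or None (implicit deny)."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def nat_acls_from_config(nat_text, route_maps, acls):
    """Map each dynamic 'ip nat inside source' statement to the ACL selecting its traffic."""
    out = {}
    for line in nat_text.strip().splitlines():
        t = line.split()
        if t[:4] != ["ip", "nat", "inside", "source"]:
            continue
        kind, ref = t[4], t[5]
        if kind == "route-map":
            ref = route_maps[ref]  # route-map name -> its 'match ip address' ACL
        elif kind != "list":
            continue  # static translations carry no ACL
        out[f"{kind} {t[5]}"] = acls.get(ref, [])
    return out


def nat_leak_check(crypto_entries, nat_acls):
    """Inside->outside NAT runs before the crypto map on IOS, so a NAT ACL that
    permits a VPN flow rewrites its source and the crypto ACL never matches.
    Returns {(src, dst): [offending NAT statements]}."""
    leaks = {}
    for src, dst in flows(crypto_entries):
        hit = [n for n, e in nat_acls.items() if first_match(e, src, dst) == "permit"]
        if hit:
            leaks[(src, dst)] = hit
    return leaks


# Constructed sample, transcribed from the configs posted in this thread.
ROUTER_ACLS = """
access-list 10 permit 10.9.1.0 0.0.0.255
access-list 115 deny ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.9.1.0 0.0.0.255 any
access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
ROUTER_NAT = """
ip nat inside source list 10 interface FastEthernet1 overload
ip nat inside source route-map nonat interface FastEthernet1 overload
"""
ROUTE_MAPS = {"nonat": "115"}  # assumption: route-map nonat -> match ip address 115
ASA_ACLS = """
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
"""

if __name__ == "__main__":
    r, a = parse_acl(ROUTER_ACLS, "ios"), parse_acl(ASA_ACLS, "asa")
    ok, only_local, only_remote = mirror_check(r["120"], a["Outside_cryptomap_6"])
    print("crypto ACLs mirrored:", ok, only_local, only_remote)
    for (src, dst), stmts in nat_leak_check(r["120"], nat_acls_from_config(ROUTER_NAT, ROUTE_MAPS, r)).items():
        print(f"{src} -> {dst} would be NATed before encryption by: {', '.join(stmts)}")
```

Run against the posted config, the crypto ACLs come out as mirrors, the `route-map nonat` statement denies the 10.9.1.0/24 to 10.1.1.0/24 flow as intended, and the bare `list 10` statement is reported because ACL 10 permits that flow with no deny in front of it. The same checker works for any number of crypto ACL entries and NAT statements; the order of entries within each ACL is preserved because first match wins.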
05-17-2013 07:00 AM
Dustin,
Let us know the ASA version and the router IOS version.
05-17-2013 07:06 AM
1811 =
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(24)T1,
ASA =
Cisco Adaptive Security Appliance Software Version 8.3(2)
05-17-2013 02:41 PM
Please remove the following line:
ip nat inside source list 10 interface FastEthernet1 overload
Sent from Cisco Technical Support iPad App
05-20-2013 10:59 AM
I tried removing this but still no luck
05-17-2013 07:06 AM
I think we need to do a packet trace from the ASA and see where the drop is.
Command to use: "packet-tracer input inside icmp 10.9.1.2 0 8 10.1.1.2"
inside --> whatever name you have given your inside interface.
You can use a valid LAN IP for the ASA instead of 10.9.1.2,
and from the router side use a valid LAN IP instead of 10.1.1.2.
Please paste the result here.
05-17-2013 07:11 AM
Here's the trace:
pri/act/dscasa001# packet-tracer input inside icmp 10.9.1.20 0 8 10.1.1.14
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.14/0 to 10.1.1.14/0
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12352828, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
05-17-2013 07:15 AM
Looks like there is no DROP at all. Everything is showing as ALLOW.
Now try to ping (LAN interface name) destination IP address,
e.g.: ping inside 10.1.1.14
Now can you show us the output for
sh cry ipsec sa and see if there is decrypt happening.
05-17-2013 07:27 AM
Here are the results from the ASA. It is a ping to the internal network, not to the remote...
pri/act/dscasa001# ping 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pri/act/dscasa001# sh crypto ipsec sa peer XXX.XXX.XXX.36
peer address: XXX.XXX.XXX.36
Crypto map tag: IPSECMAP, seq num: 7, local addr: XXX.XXX.XXX68
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
current_peer: XXX.XXX.XXX.36
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXX.XXX.XXX.68/0, remote crypto endpt.: XXX.XXX.XXX.36/0
path mtu 1478, ipsec overhead 58, media mtu 1500
current outbound spi: C2E09BFB
current inbound spi : 792C3ECA
inbound esp sas:
spi: 0x792C3ECA (2032942794)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
sa timing: remaining key lifetime (kB/sec): (4374000/3580)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC2E09BFB (3269499899)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
sa timing: remaining key lifetime (kB/sec): (4373999/3580)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-17-2013 07:30 AM
Ping using this command.
ping inside 10.1.1.14 and let us know the output.
05-17-2013 07:31 AM
pri/act/dscasa001# ping inside 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms