I'm trying to build an IPsec tunnel from my Cisco ASA 5508 to another router. I've tried sending pings through to the other subnet for the 'interesting traffic', from the other end of the IPsec tunnel as well as from our end. Nothing appears on the ASA.
The logs, debug crypto ikev1 and show crypto isakmp sa all show absolutely nothing. It's almost like the traffic isn't even hitting the firewall.
! outside interface (the "interface ..." and "nameif outside" lines are not shown)
description WAN Interface
ip address 43.255.x.x 255.255.255.252
! IKEv1 listener on the outside interface; the parameters of policy 10 are not shown
crypto ikev1 enable outside
crypto ikev1 policy 10
! site-to-site tunnel-group for the peer, named by its public IP; holds the pre-shared key
tunnel-group 119.225.62.x type ipsec-l2l
tunnel-group 119.225.62.x ipsec-attributes
ikev1 pre-shared-key xxxxxxx
! remote and local network objects
object network xxxxx-10.88.0.0
subnet 10.88.0.0 255.255.255.0
object network xxxx-10.0.0.0
subnet 10.0.0.0 255.255.0.0
! interesting traffic for the crypto map; object-group xxxx-LAN-Subnets is not among the lines shown
access-list 101 extended permit ip object-group xxxx-LAN-Subnets object xxxxx-10.88.0.0
! phase 2 proposal (3DES and MD5 are deprecated; AES and SHA-2 are preferred where the peer supports them)
crypto ipsec ikev1 transform-set xxx esp-3des esp-md5-hmac
! crypto map entry, bound to the outside interface; "set pfs" with no group uses the default DH group, which the peer must match
crypto map IPSec 10 match address 101
crypto map IPSec 10 set pfs
crypto map IPSec 10 set peer 119.225.62.x
crypto map IPSec 10 set ikev1 transform-set xxx
crypto map IPSec interface outside
! identity (exempt) NAT so VPN traffic is not translated before the crypto map matches it
nat (inside,outside) source static xxxx-10.0.0.0 xxxx-10.0.0.0 destination static xxxxx-10.88.0.0 xxxxx-10.88.0.0 no-proxy-arp route-lookup
! static route for the remote subnet via the peer
route outside 10.88.0.0 255.255.255.0 119.225.62.x 1
! inbound ACL on outside; IKE and NAT-T addressed to the ASA itself are to-the-box traffic and are not filtered by an interface ACL
access-list Outside-In line 41 extended permit ip host 119.225.62.x any
access-list Outside-In line 42 extended permit udp host 119.225.62.x eq isakmp any
access-list Outside-In line 43 extended permit udp host 119.225.62.x eq 4500 any
Any help or ideas would be appreciated.
Where are you pinging from? It should be a device in the object-group xxxx-LAN-Subnets, as per your interesting traffic ACL, not the ASA itself.
You can remove that static route (route outside 10.88.0.0 255.255.255.0 119.225.62.x 1), as you should have a default route that sends that via the outside interface anyway, right?
Run packet-tracer from the CLI twice and provide the output from the second trace.
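As an added example that is not part of the original thread, the following Python script mechanises the checks a reviewer would make by eye on the config in the question and the points raised in the reply: objects referenced by the crypto ACL that are not defined in the pasted text, identity NAT that does not mirror that ACL, deprecated ESP algorithms in the transform set, a crypto map not bound to the interface IKEv1 is enabled on, and the static route to the remote subnet via the peer. The CONFIG string is a constructed copy of the anonymised config from the post (the interface block is omitted as on the page); the line-oriented regex parsing assumes the flat `show run` layout shown there and is not a general ASA config parser.

```python
"""Consistency checks over an ASA IKEv1 site-to-site (L2L) VPN config fragment.

Added example, not code from the original post; it runs over a constructed copy
of the anonymised config posted above.
"""
import re
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed copy of the posted config; the interface block is omitted as on the page.
CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
tunnel-group 119.225.62.x type ipsec-l2l
tunnel-group 119.225.62.x ipsec-attributes
 ikev1 pre-shared-key xxxxxxx
object network xxxxx-10.88.0.0
 subnet 10.88.0.0 255.255.255.0
object network xxxx-10.0.0.0
 subnet 10.0.0.0 255.255.0.0
access-list 101 extended permit ip object-group xxxx-LAN-Subnets object xxxxx-10.88.0.0
crypto ipsec ikev1 transform-set xxx esp-3des esp-md5-hmac
crypto map IPSec 10 match address 101
crypto map IPSec 10 set pfs
crypto map IPSec 10 set peer 119.225.62.x
crypto map IPSec 10 set ikev1 transform-set xxx
crypto map IPSec interface outside
nat (inside,outside) source static xxxx-10.0.0.0 xxxx-10.0.0.0 destination static xxxxx-10.88.0.0 xxxxx-10.88.0.0 no-proxy-arp route-lookup
route outside 10.88.0.0 255.255.255.0 119.225.62.x 1
"""

# ESP algorithms that should not be deployed on a new tunnel.
DEPRECATED_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def acl_refs(cfg: str, acl: str) -> Set[str]:
    """Names of objects/object-groups referenced by the given access-list."""
    refs: Set[str] = set()
    for line in cfg.splitlines():
        if line.startswith(f"access-list {acl} "):
            refs.update(re.findall(r"\bobject(?:-group)? (\S+)", line))
    return refs


def defined_objects(cfg: str) -> Set[str]:
    """Names declared with 'object network|service' or 'object-group network|service'."""
    return set(re.findall(r"^object(?:-group)? (?:network|service) (\S+)", cfg, re.M))


def check(cfg: str) -> List[Finding]:
    findings: List[Finding] = []
    defined = defined_objects(cfg)
    for m in re.finditer(r"^crypto map (\S+) (\d+) match address (\S+)", cfg, re.M):
        mapname, seq, acl = m.groups()
        entry = rf"^crypto map {re.escape(mapname)} {seq} "
        refs = acl_refs(cfg, acl)
        # 1. The interesting-traffic ACL may only name objects that exist in the text.
        for ref in sorted(refs - defined):
            findings.append(("error", f"acl {acl}: object '{ref}' is referenced but not defined"))
        # 2. Identity NAT must mirror the ACL, or traffic is translated before the crypto map matches it.
        for n in re.finditer(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", cfg, re.M):
            src, dst = n.groups()
            if not {src, dst} <= refs:
                findings.append(("warn", f"acl {acl}: nat exemption uses {src} -> {dst} but acl references {sorted(refs)}"))
        # 3. The peer needs an ipsec-l2l tunnel-group, which is where the pre-shared key lives.
        peer_m = re.search(entry + r"set peer (\S+)", cfg, re.M)
        peer = peer_m.group(1) if peer_m else None
        if peer is None:
            findings.append(("error", f"crypto map {mapname} {seq}: no peer set"))
        elif not re.search(rf"^tunnel-group {re.escape(peer)} type ipsec-l2l", cfg, re.M):
            findings.append(("error", f"no ipsec-l2l tunnel-group for peer {peer}"))
        # 4. Deprecated ESP algorithms in the bound transform set.
        ts = re.search(entry + r"set ikev1 transform-set (\S+)", cfg, re.M)
        if ts:
            algs = re.search(rf"^crypto ipsec ikev1 transform-set {re.escape(ts.group(1))} (.+)$", cfg, re.M)
            weak = sorted(set(algs.group(1).split()) & DEPRECATED_ESP) if algs else []
            if weak:
                findings.append(("warn", f"transform-set {ts.group(1)} uses deprecated {weak}"))
        # 5. The crypto map must be applied to the interface IKEv1 is enabled on.
        iface = re.search(rf"^crypto map {re.escape(mapname)} interface (\S+)", cfg, re.M)
        if iface is None:
            findings.append(("error", f"crypto map {mapname} is not applied to any interface"))
        elif not re.search(rf"^crypto ikev1 enable {re.escape(iface.group(1))}$", cfg, re.M):
            findings.append(("error", f"ikev1 is not enabled on interface {iface.group(1)}"))
        # 6. A static route to the remote subnet via the peer is redundant if a default route exists.
        if peer:
            for r in re.finditer(rf"^route (\S+) (\S+) (\S+) {re.escape(peer)}", cfg, re.M):
                findings.append(("info", f"static route {r.group(2)} {r.group(3)} via peer {peer} is redundant if a default route exists"))
    return findings


if __name__ == "__main__":
    for severity, message in check(CONFIG):
        print(f"[{severity}] {message}")
```

Run as-is it reports that access-list 101 references object-group xxxx-LAN-Subnets while the pasted lines define only the two network objects; on a real ASA the CLI would have rejected the ACL if the group did not exist, so the finding means the group's membership was left out of the paste and is worth confirming, since the ASA only initiates IKE for traffic that matches the crypto ACL. To use it on a live box, replace CONFIG with the text of `show running-config`.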