Cisco ASA IPSEC VPN Tunnel not Passing traffic

vinovinom

Hi Guys

 

I am trying to set up a new IPsec VPN connection between a Cisco ASA 5520 (version 8.4(4)) and a Checkpoint firewall. I have successfully established the IKE and IPsec phases and I can see the tunnel is UP, but I can't see any traffic going through the tunnel. I have verified the crypto map on both ends and am trying to test using a continuous ping from the inside network of the ASA.

 

I have done a capture for ICMP packets but cannot see them on the ASA. I have allowed ICMP on the inside interface of the ASA.

I have done a packet-tracer and it ends with the vpn-filter dropping the packets, but I cannot see any filter configured.

 

Your help is much appreciated..

 

Thanks


Try to configure an ACL with "permit ip any any" and attach it as a vpn-filter to the group-policy in use. That typically solves the problem when packet-tracer shows "dropping" in the vpn-filter.

 

 

Hi, many thanks for your reply. Below is the last output when I run packet-tracer from the CLI.

I believe that the packets are not being encrypted or hitting the crypto access lists. Is that because there is no NAT 0 configuration? Doesn't the ASA automatically create one? Or am I looking in the wrong area of troubleshooting?

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7c603ce8, priority=70, domain=encrypt, deny=false
        hits=6, user_data=0x0, cs_id=0x87a97aa8, reverse, flags=0x0, protocol=1
        src ip/id=10.155.176.0, mask=255.255.255.0, icmp-type=0
        dst ip/id=192.168.101.0, mask=255.255.255.0, icmp-code=0, dscp=0x0
        input_ifc=any, output_ifc=outside

 

No, the ASA won't "automatically" create a NAT negate rule; you might want to NAT.

Have you looked at the output of sh crypto ipsec sa to see if packets are being encrypted/decrypted?

 

 

Hi

 

I have looked into the IPsec SA and the output is as below, but I cannot see any traffic being encrypted or decrypted.

 

internetasa# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map1, seq num: 1, local addr: 194.168.166.1

      access-list outside_cryptomap extended permit tcp 10.155.176.0 255.255.255.0 192.168.101.0 255.255.255.0 range 9005 9015
      local ident (addr/mask/prot/port): (10.155.176.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/6/9010)
      current_peer: 94.199.235.225

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 194.168.166.1/0, remote crypto endpt.: 94.199.235.225/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: F94D0033
      current inbound spi : 1BB937BF

    inbound esp sas:
      spi: 0x1BB937BF (465123263)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 242356224, crypto-map: outside_map1
         sa timing: remaining key lifetime (kB/sec): (4374000/27493)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xF94D0033 (4182573107)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 242356224, crypto-map: outside_map1
         sa timing: remaining key lifetime (kB/sec): (4374000/27493)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

You will probably need to add the negate NAT statements, something like:

object-group network OBJ-LOCAL
 network-object 10.155.176.0 255.255.255.0
object-group network OBJ-REMOTE
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp

As you are running 8.4, nat 0 has been deprecated.
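The accepted answer above and the earlier show crypto ipsec sa output (zero encrypt/decrypt counters) together describe the standard triage for a tunnel that is up but idle: is the test flow "interesting traffic" for the crypto ACL, and is it exempt from NAT so it keeps its real source address? As an added example, not code from this thread or from Cisco, here is a small Python script that parses those two artefacts and reports which condition fails. The sample text is copied from the thread's show output and from the accepted answer's NAT rule (in its corrected form); the parser assumes net/mask-style crypto ACL entries and object-group-based twice NAT, and the flow dictionaries are constructed test inputs.

```python
"""Triage an ASA site-to-site tunnel that is UP but passes no traffic.

Added example: parses a 'show crypto ipsec sa' excerpt and a NAT exemption
config, then checks a test flow against both. Sample text is copied from the
thread; the flow dictionaries are constructed inputs.
"""
import ipaddress
import re

# Constructed sample: lines copied from the thread's 'show crypto ipsec sa'.
SHOW_CRYPTO_IPSEC_SA = """\
      access-list outside_cryptomap extended permit tcp 10.155.176.0 255.255.255.0 192.168.101.0 255.255.255.0 range 9005 9015
      local ident (addr/mask/prot/port): (10.155.176.0/255.255.255.0/6/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/6/9010)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# The accepted answer's NAT exemption (identity twice NAT), corrected syntax.
NAT_EXEMPTION = """\
object-group network OBJ-LOCAL
 network-object 10.155.176.0 255.255.255.0
object-group network OBJ-REMOTE
 network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp
"""

# Assumption: crypto ACL entries use the "net mask net mask [eq|range ...]" form.
ACL_RE = re.compile(
    r"access-list \S+ extended permit (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
    r"(?: (?P<op>eq|range) (?P<p1>\d+)(?: (?P<p2>\d+))?)?"
)
OBJ_RE = re.compile(r"^object-group network (\S+)\n((?: network-object \S+ \S+\n)+)", re.M)
NAT_RE = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)


def parse_crypto_acl(sa_text):
    """Extract proto, source/destination networks and port bounds from the ACL line."""
    m = ACL_RE.search(sa_text)
    if not m:
        raise ValueError("no crypto ACL line found in show output")
    lo = hi = None
    if m["op"] == "eq":
        lo = hi = int(m["p1"])
    elif m["op"] == "range":
        lo, hi = int(m["p1"]), int(m["p2"])
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_network(f'{m["src"]}/{m["smask"]}'),
        "dst": ipaddress.ip_network(f'{m["dst"]}/{m["dmask"]}'),
        "ports": (lo, hi),
    }


def parse_counters(sa_text):
    """Pull the #pkts encrypt / decrypt counters out of the SA output."""
    counts = {}
    for key in ("encrypt", "decrypt"):
        m = re.search(rf"#pkts {key}: (\d+)", sa_text)
        counts[key] = int(m.group(1)) if m else 0
    return counts


def matches_crypto_acl(acl, flow):
    """True if the flow is 'interesting traffic', i.e. it would hit the crypto ACL."""
    if acl["proto"] not in ("ip", flow["proto"]):
        return False
    if ipaddress.ip_address(flow["src"]) not in acl["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in acl["dst"]:
        return False
    lo, hi = acl["ports"]
    if lo is not None and not (lo <= flow.get("dport", 0) <= hi):
        return False
    return True


def parse_object_groups(cfg):
    """Map object-group names to the networks they contain."""
    groups = {}
    for name, body in OBJ_RE.findall(cfg):
        groups[name] = [ipaddress.ip_network(f"{n}/{m}")
                        for n, m in re.findall(r"network-object (\S+) (\S+)", body)]
    return groups


def has_nat_exemption(cfg, flow):
    """True if an identity twice-NAT rule covers src->dst, so the real source
    address survives to the crypto ACL check."""
    groups = parse_object_groups(cfg)
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for real_s, mapped_s, real_d, mapped_d in NAT_RE.findall(cfg):
        if real_s != mapped_s or real_d != mapped_d:
            continue  # translates something; not an exemption
        if any(src in n for n in groups.get(real_s, [])) and \
           any(dst in n for n in groups.get(real_d, [])):
            return True
    return False


def triage(sa_text, nat_cfg, flow):
    """Return a list of findings explaining why the counters look the way they do."""
    acl = parse_crypto_acl(sa_text)
    counts = parse_counters(sa_text)
    findings = []
    if counts["encrypt"] == 0:
        if not matches_crypto_acl(acl, flow):
            findings.append("test flow does not match the crypto ACL (not interesting traffic)")
        if not has_nat_exemption(nat_cfg, flow):
            findings.append("no identity NAT for local->remote; source may be translated before the crypto ACL is checked")
        if not findings:
            findings.append("flow is interesting and NAT-exempt but nothing encrypted: check inside ACL, routing and vpn-filter")
    elif counts["decrypt"] == 0:
        findings.append("encrypting but not decrypting: remote side is not returning traffic")
    else:
        findings.append("tunnel is passing traffic in both directions")
    return findings


if __name__ == "__main__":
    ping = {"proto": "icmp", "src": "10.155.176.10", "dst": "192.168.101.10"}
    for line in triage(SHOW_CRYPTO_IPSEC_SA, "", ping):
        print("-", line)
```

Run against the thread's own numbers with an ICMP ping and no exemption, it reports both that the crypto ACL (TCP 9005-9015 only) does not match ICMP and that no identity NAT exists; with the corrected exemption and a TCP test to port 9010 it moves on to the next suspects (inside ACL, routing, vpn-filter), which is where the thread goes next.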

 

 

Hi 

 

Adding the NAT exemption did have an impact, and packet-tracer now checks the NAT and allows it, but it is still dropped by the VPN-user access list. Any ideas?

 

Thanks

Hi

What's the VPN-user ACL? An outbound ACL on the inside interface, or something else?

If possible, could you post a sanitized config?

Hi 

 

I got it working and it was quite unusual.

1. I changed the crypto access list to a /19 rather than a /24 and tested it, and started seeing encrypted packets but not decrypted packets. Problem existed.

2. Confirmed with the other end and enabled PFS (group 5) and tested again; this time packets were not encrypted/decrypted. Problem existed.

3. Removed PFS on both ends and tested again. Packets got encrypted and decrypted. Problem resolved.

4. Turned on PFS on both ends and tested again. Packets got encrypted and decrypted. Problem resolved.

For some reason this has happened and I cannot tell why. Maybe the remote site access list wasn't configured properly and they haven't realised it?

 

Thanks for all your input in this regard.

Great news, vinovinom.

The debug crypto isakmp 255 and debug crypto ipsec 255 commands can help in determining phase 1 and phase 2 problems. There can be a lot of output in the debugs, but a good root around usually helps in diagnosing the issue.

Glad I could give some input.


Hi

 

I would like to get advice on static NAT. The customer would like to NAT around 60 IP addresses one-to-one and they want this to be implemented in the ASA. Is this an efficient way of doing it, or are there any other options?

 

Thanks

Have a look at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

but I would suggest creating a new thread so that it has more visibility.

 

Hi Vinovinom,

I have the same problem, but can you send me some screenshots to understand more about the solution you have provided? Thanks.

Also, I have added any as you suggested into the group policy and now it's denied differently, as below:

Phase: 6
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x731b7b38, priority=12, domain=vpn-user, deny=true
        hits=19011, user_data=0x6f6ed740, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

 

 

Thanks
