crypto ACL dropping good traffic?!?

wtstone
Level 1

Hello, please can someone take a look at this weird problem; it might be staring me in the face.

I've set up a site to site VPN tunnel; both sides have 192.168.1.0 networks, so we need to NAT before using the tunnel.

I've configured a text book script but it's dropping traffic that has been allowed?

I'm hiding behind 192.168.124.0 and they are hiding a host server behind 192.168.123.24.

(allows outbound traffic from dmz interface)

access-list dmz extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0 log

access-group dmz in interface dmz

(defines which IP addresses get natted)

access-list policyNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0

(if 192.168.1.x goes to 192.168.123.x - then change source IP to 192.168.124.x)

static (dmz,outside) 192.168.124.0  access-list policyNAT

(standard transform set stuff)

crypto ipsec transform-set trans esp-3des esp-sha-hmac

(define which traffic to tunnel, my side NAT to their end)

access-list TUNNEL extended permit ip 192.168.124.0 255.255.255.0 host 192.168.123.24 log

crypto map outside_map 40 match address TUNNEL

crypto map outside_map 40 set peer X.X.X.X

crypto map outside_map 40 set transform-set trans

crypto map outside_map interface outside

crypto isakmp enable outside

(standard stuff)

crypto isakmp policy 15

authentication pre-share

encryption 3des

hash sha

group 2

(standard stuff)

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X ipsec-attributes

pre-shared-key *

Now look at this please: when using the packet tracer on the ASA, everything is fine until it gets to the VPN encryption ACL, then it drops the traffic???!!!

ISAASA01# packet-tracer input dmz icmp 192.168.1.55 1 8 192.168.123.24 detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.123.0   255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit ip 192.168.1.0 255.255.255.0 192.168.123.0 255.255.255.0 log
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc545798, priority=12, domain=permit, deny=false
hits=22478, user_data=0xcc061890, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=192.168.123.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc8990f88, priority=0, domain=permit-ip-option, deny=true
hits=29153180, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc898fdf0, priority=66, domain=inspect-icmp-error, deny=false
hits=2564961, user_data=0xc8a3bba0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcbcdaaf8, priority=12, domain=debug-icmp-trace, deny=false
hits=2503388, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) 192.168.124.0  access-list creativeNAT
match ip dmz 192.168.1.0 255.255.255.0 outside 192.168.123.0 255.255.255.0
static translation to 192.168.124.0
translate_hits = 22486, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.0/0 to 192.168.124.0/0 using netmask 255.255.255.0
Forward Flow based lookup yields rule:
in  id=0xc8aeb168, priority=5, domain=nat, deny=false
hits=22485, user_data=0xcc5a80a0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=192.168.123.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 192.168.124.0  access-list creativeNAT
match ip dmz 192.168.1.0 255.255.255.0 outside 192.168.123.0 255.255.255.0
static translation to 192.168.124.0
translate_hits = 22486, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc433460, priority=5, domain=host, deny=false
hits=164015, user_data=0xcc5a80a0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc8f621a8, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xcbe41290, reverse, flags=0x0, protocol=0
src ip=192.168.124.0, mask=255.255.255.0, port=0
dst ip=192.168.123.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ISAASA01#

for real..

show crypto isakmp sa


3   IKE Peer: X.X.X.X
Type    : user            Role    : initiator
Rekey   : no              State   : MM_WAIT_MSG2
I

I did try the nat exempt (nonat) access list, but it overrode the policy NAT and stopped it translating, so I took it off.

ICMP echo request translating dmz:192.168.1.55 to outside:192.168.124.55

ICMP echo request from dmz:192.168.1.55 to outside:192.168.123.24 ID=768 seq=6495 len=32

Any help greatly appreciated - I've mocked it up on a spare ASA and I'm still getting this problem.

Cheers hopefully, Tony

1 Reply

Yudong Wu
Level 7

Based on "show crypto isakmp sa", the tunnel did not come up at all.

It was waiting for the 2nd IKE message. So, it's most likely that you sent the first IKE packet to the peer to initiate the VPN tunnel but the peer did not respond to it. You might need to check the remote end.

Since there is no valid SA (the tunnel is not up), the packet has to be dropped.
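As an added example (not part of the original thread and not Cisco's own tooling), the following Python helper parses the two outputs quoted above, the packet-tracer phases and "show crypto isakmp sa", and produces the diagnosis Yudong gives: a DROP at the VPN/encrypt phase combined with an initiator stuck in MM_WAIT_MSG2 means IKE phase 1 never completed, so no SA exists to encrypt into. It also carries a check that the crypto ACL covers the post-NAT source address, the point the policy NAT in the question is there to satisfy (that part of the configuration is correct; the translated 192.168.124.x source matches the TUNNEL ACL, the untranslated 192.168.1.x source would not). The sample inputs are constructed, trimmed copies of the outputs in the post, and the function names are my own.

```python
"""Triage helper for ASA packet-tracer and 'show crypto isakmp sa' output.

Added example, not Cisco code and not from the original post. Sample inputs
below are constructed, trimmed copies of the outputs quoted in the thread.
"""
import ipaddress
import re

# Constructed sample: abbreviated packet-tracer output modelled on the post.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
Static translate 192.168.1.0/0 to 192.168.124.0/0 using netmask 255.255.255.0

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP

Result:
input-interface: dmz
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: 'show crypto isakmp sa' with the initiator stuck waiting
# for main-mode message 2 (peer address masked as in the post).
SAMPLE_SA = """\
3   IKE Peer: X.X.X.X
Type    : user            Role    : initiator
Rekey   : no              State   : MM_WAIT_MSG2
"""

# One packet-tracer phase: number, type, optional subtype, result.
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype: ?(\S*)\nResult: (\S+)", re.M)
# One IKE SA entry: peer, role, state.
SA_RE = re.compile(r"IKE Peer: (\S+)\n.*?Role\s*:\s*(\S+)\n.*?State\s*:\s*(\S+)", re.S)


def parse_phases(trace):
    """Return [(number, type, subtype, result), ...] in trace order."""
    return [(int(n), t, s, r) for n, t, s, r in PHASE_RE.findall(trace)]


def first_drop(trace):
    """The first phase whose Result is DROP, or None if the flow was allowed."""
    for phase in parse_phases(trace):
        if phase[3] == "DROP":
            return phase
    return None


def drop_reason(trace):
    """The Drop-reason line from the final Result block, or None."""
    m = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    return m.group(1).strip() if m else None


def parse_isakmp_sa(text):
    """Return [{'peer', 'role', 'state'}, ...] from 'show crypto isakmp sa'."""
    return [{"peer": p, "role": r, "state": s} for p, r, s in SA_RE.findall(text)]


def crypto_acl_covers(src, dst, acl_src_net, acl_dst_net):
    """True if the (post-NAT) flow src->dst falls inside the crypto ACL's networks.
    The crypto map matches on translated addresses, so pass the NATted source."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl_src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl_dst_net))


def diagnose(trace, sa_text):
    """Combine the drop phase with the IKE SA state into a one-line finding."""
    drop = first_drop(trace)
    if drop is None:
        return "no drop in trace"
    _, typ, sub, _ = drop
    if (typ, sub) != ("VPN", "encrypt"):
        return f"dropped at {typ}/{sub}: {drop_reason(trace)}"
    sas = parse_isakmp_sa(sa_text)
    if not sas:
        return "dropped at VPN/encrypt with no IKE SA at all: tunnel never attempted"
    for sa in sas:
        # MM_WAIT_MSG2: we sent main-mode message 1 and never heard back.
        if sa["state"].startswith("MM_WAIT_MSG"):
            return (f"dropped at VPN/encrypt: IKE phase 1 incomplete, {sa['role']} "
                    f"stuck in {sa['state']} with peer {sa['peer']}; check the remote end")
    states = ", ".join(sa["state"] for sa in sas)
    return f"dropped at VPN/encrypt with IKE state(s) {states}: check phase 2 / crypto ACL"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SAMPLE_SA))
    print("crypto ACL covers NATted source:",
          crypto_acl_covers("192.168.124.55", "192.168.123.24", "192.168.124.0/24", "192.168.123.24/32"))
```

The order of checks mirrors the reply: the drop phase tells you where the ASA gave up, but when that phase is VPN/encrypt the interesting state lives in the IKE SA table, not in the ACL that the drop reason names.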