hmm yes you are right Jennifer, this is the updated copy of configirations, kindly give me solution Thanks.

ASA1

--------

ASA Version 8.0(2)

!

hostname ASA1

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.252.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit icmp any interface outside echo-reply

access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nat

nat (inside) 1 192.168.1.0 255.255.255.0

access-group 101 in interface outside

route outside 172.16.1.0 255.255.255.0 10.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac

crypto map level_map 10 match address vpn

crypto map level_map 10 set peer 10.1.1.2

crypto map level_map interface outside

crypto map leve_map 10 set transform-set leve_set

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

tunnel-group 10.1.1.2 type ipsec-l2l

tunnel-group 10.1.1.2 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

-------------------------------------------------------------------------------------------------

ASA2

---------

ASA Version 8.0(2)

!

hostname ASA2

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.1.1.2 255.255.252.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit icmp any interface outside echo-reply

access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nat

nat (inside) 1 172.16.1.0 255.255.255.0

access-group 101 in interface outside

route outside 192.168.1.0 255.255.255.0 10.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac

crypto map leve_map 10 match address vpn

crypto map leve_map 10 set peer 10.1.1.1

crypto map leve_map 10 set transform-set leve_set

crypto map leve_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

The configuration looks correct to me.

Can you please advise which phase of the ipsec vpn it fails?

Please share the output of:

show cry isa sa

show cry ipsec sa

from both sides.

Also can you please advise where you are pinging from and to?

If the show output doesn't show anything, please run debug while trying to ping:

debug cry isa

debug cry ipsec

You cant ping ASA's farthest (inside) interface from outside, this is a normal behaviour, it is an architecture of the device.

Morever, you need debug crypto isakmp 127 to see debug messages. 1 is the least informational debug, 255 is the highest.

Can you post these debug messages to us?

One more thing, can you ping Second ASA's outside interface from Firts ASA?

To see debug messages, you would probably need to enable logging

conf t

logging enable

I would like to stress once againg, you cant ping from:

outside(ASA1) to inside(ASA2)

outside(ASA2) to inside(ASA1)

This is disabled by default and there is no way to enable it

You cant ping in all other scenarious, because your VPN connection is not established.

i got your point that we cant ping from outside interfaces of ASA  to inside interfaces. i have enabled logging but still no debug messages

ASA2(config)# logging  enable

ASA2(config)# debug crypto isakmp 127

ASA2(config)# ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA1(config)# ping

Interface: inside

Target IP address: 172.16.1.1

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Here i enabled logging buffer-size 10000

and logging console information then i got this output but i have already given static routes on both ASAs correctly why its giving

ASA2# ping

Interface: inside

Target IP address: 192.168.1.1

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

%ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity I  ide:192.168.1.1/0

?????

Success rate is 0 percent (0/5)

ASA2# %ASA-5-111008: User 'enable_15' executed the 'ping' command.

ASA2# sh ip ro.

Gateway of last resort is not set

C    172.16.1.0 255.255.255.0 is directly connected, inside

C    10.1.0.0 255.255.252.0 is directly connected, outside

S    192.168.1.0 255.255.255.0 [1/0] via 10.1.1.1, outside

Try

ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging

ciscoasa#show logging

ASA1(config)# ping

Interface: inside

Target IP address: 172.16.1.1

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

-------------------------------------------------------------------------------------------------------

ASA2(config)# logging enable

ASA2(config)# logging buffered debugging

ASA2(config)# sh logging

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Deny Conn when Queue Full: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level debugging, 97 messages logged

    Trap logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: disabled

%ASA-5-111008: User 'enable_15' executed the 'logging enable' command.

%ASA-7-711002: Task ran for 2 msec, Process = ci/console, PC = 8179a3b, Traceback =   0x08739E15  0x090A828A  0x080B7A6A  0x080ACE08  0x080AD921  0x0805E033

%ASA-5-111008: User 'enable_15' executed the 'logging buffered debugging' command.

%ASA-7-711002: Task ran for 2 msec, Process = ethpoll, PC = 88d7c35, Traceback =

%ASA-7-711002: Task ran for 2 msec, Process = ethpoll, PC = 88d7c35, Traceback =   0x088D7C35  0x0805E033

ASA2(config)#

Can you try pinging from inside hosts, not from ASA's interfaces?

Also enable this

conf t

logging monitor

this is some what interesting i have pinged from PC1(192.168.1.2/24) behind ASA1 to inside(ASA2) interface 172.16.1.1 this is the output from ASA1

ASA1(config)# sh logging

%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]

%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]

%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]

%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]

%ASA-4-106023: Deny icmp src outside:10.1.1.2 dst inside:192.168.1.2 (type 0, code 0) by access-group "101" [0x0, 0x0]

its saying my access-list 101 on outside(ASA2) is denying ping

and if i ping form pc1 to outside(ASA1) interface this is the output of sh logging command on ASA1

ASA1(config)# sh logging

%ASA-7-715047: Group = 10.1.1.2, IP = 10.1.1.2, processing hash payload

%ASA-7-715047: Group = 10.1.1.2, IP = 10.1.1.2, processing notify payload

%ASA-7-715075: Group = 10.1.1.2, IP = 10.1.1.2, Received keep-alive of type DPD R-U-THERE (seq number 0x7fcb36b0)

%ASA-7-715036: Group = 10.1.1.2, IP = 10.1.1.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x7fcb36b0)

%ASA-7-715046: Group = 10.1.1.2, IP = 10.1.1.2, constructing blank hash payload

%ASA-7-715046: Group = 10.1.1.2, IP = 10.1.1.2, constructing qm hash payload

%ASA-7-713236: IP = 10.1.1.2, IKE_DECODE SENDING Message (msgid=d58670be) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

I am not sure these pings are going through the vpn tunnel..

i c, but am able to ping outsie(ASA2) interface from PC behind ASA1 but am not able to reach inside(ASA2)