Site-to-Site VPN issue (urgent)

venkat.247cs
Level 1

Hi Friends,

I'm trying to establish a site-to-site VPN between an ASA5510 and an ASA5520. The scenario:

Peer IP: x.x.x.x

Pre-shared key: 12345

For IKE Policy
Encryption 3DES
Authentication SHA
Diffie-Hellman Group 2

for IPSEC
Encryption 3DES
Authentication SHA
Enable perfect forward secrecy (PFS)
Diffie-Hellman Group 1

Your local pool IP: 10.10.10.10

Your remote network IPs:
10.11.11.11 - 12

Note: Please NAT your local network to IP address 10.10.10.10

Our vendor said to NAT the local network to a specific IP and use that IP as the local pool. Here are the configuration details:

access-list inside_nat0_outbound extended permit ip host 10.10.10.10 object-group Test
access-list outside_380_cryptomap remark test
access-list outside_380_cryptomap extended permit ip host 10.10.10.10 object-group Test

object-group network Test
 network-object host 10.11.11.11
 network-object host 10.11.11.12

crypto map outside_map 380 set pfs group1
crypto map outside_map 380 set peer x.x.x.x
crypto map outside_map 380 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Our local network is 192.168.1.0.

I created a static NAT, but it doesn't work for me; phase 1 is not up. Please guide me on how to NAT the local network to 10.10.10.10.



9 Replies

mvsheik123
Level 7

Hello,

The discussion below might help you:

https://supportforums.cisco.com/message/1018470#1018470

hth

MS

Hi,

You are missing a few parameters in your config, or perhaps did not post it completely; you need what is called policy NAT. Also refer to the link provided by the previous poster.

Based on the given information, but assuming /24 networks:

Your ASA side:
LAN subnet = 192.168.1.0/24, to be NATed to 10.10.10.10

This is a one-direction L2L, as you will be PATing your 192.168.1.0/24 traffic going to the other end (10.11.11.11 and .12) using 10.10.10.10 as your source.

So first you need to create the policy NAT access list and the crypto access list.


access-list policy_nat_380 extended permit ip 192.168.1.0 255.255.255.0 object-group test

or

access-list policy_nat_380 extended permit ip 192.168.1.0 255.255.255.0 host 10.11.11.11
access-list policy_nat_380 extended permit ip 192.168.1.0 255.255.255.0 host 10.11.11.12

Then the crypto access list:

access-list outside_380_cryptomap extended permit ip host 10.10.10.10 host 10.11.11.11
access-list outside_380_cryptomap extended permit ip host 10.10.10.10 host 10.11.11.12

Create the two NAT rules and apply the access list. Replace outside and inside with your interface naming convention; for the pool NAT ID (#4 here) use a number not already in use, and issue show run global at the firewall command line to see which pool ID numbers are taken.

global (outside) 4 10.10.10.10
nat (inside) 4 access-list policy_nat_380

Don't forget your IKE policy. The policy below is the default in standard ASA configs, which looks like what the other side wants you to use.

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


For your IPsec policy you are missing the statement below:

crypto map outside_map 380 match address outside_380_cryptomap


You are missing the tunnel group configuration:

tunnel-group x.x.x.x  type ipsec-l2l
tunnel-group x.x.x.x  ipsec-attributes
pre-shared-key  12345


Regards

Jorge Rodriguez

Hi Jorge,

As you said above, I have configured the missing parameters and the new NAT policy. Here is the config:

object-group network test
 network-object host 10.11.11.11
 network-object host 10.11.11.12

access-list inside_nat0_outbound extended permit ip host 10.10.10.10 object-group test
access-list outside_380_cryptomap extended permit ip host 10.10.10.10 object-group test
access-list policy_nat_380 extended permit ip 192.168.1.0 255.255.255.0 object-group test

crypto map outside_map 380 match address outside_380_cryptomap
crypto map outside_map 380 set pfs group1
crypto map outside_map 380 set peer x.x.x.x
crypto map outside_map 380 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key 12345

global (outside) 6 10.10.10.10
nat (inside) 6 access-list policy_nat_380

The IKE policy is the ASA default, configured on both ends.

Still the same; I'm not able to establish the VPN. Any ideas?

Thanks in advance

Carefully review your access list again against your object-group: what IP destination hosts do you have for the object-group called Airtel?

Jorge Rodriguez
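An added consistency check, written for this thread and not code from Cisco or from the posters: it parses the pre-8.3 ASA lines posted above (assumed syntax: object-group network, access-list ... extended permit ip, global/nat with a policy ACL, crypto map ... match address) and reports when the crypto ACL's proxy identities disagree with the policy NAT, or when an ACL names an object-group that was never defined, as with Airtel versus test.

```python
# Constructed sample in the pre-8.3 ASA syntax this thread uses; the policy NAT ACL
# points at an object-group that is never defined, the kind of slip Jorge flags.
SAMPLE_CONFIG = """object-group network test
 network-object host 10.11.11.11
 network-object host 10.11.11.12
access-list policy_nat_380 extended permit ip 192.168.1.0 255.255.255.0 object-group Airtel
access-list outside_380_cryptomap extended permit ip host 10.10.10.10 object-group test
global (outside) 6 10.10.10.10
nat (inside) 6 access-list policy_nat_380
crypto map outside_map 380 match address outside_380_cryptomap
"""

def parse_config(text):  # object-groups, permit-ip ACEs, global/nat pool pairs, crypto-map bindings
    groups, acls, globs, nats, cmap, cur = {}, {}, {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        t = line.split()
        if line.startswith("object-group network "): cur = groups.setdefault(t[2], set())
        elif line.startswith("network-object host "): cur.add(t[2])
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append(t[5:])           # tokens after "ip": src then dst
        elif line.startswith("global ("): globs[t[2]] = t[3]   # pool id -> NATed address
        elif line.startswith("nat (") and t[3:4] == ["access-list"]: nats[t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]: cmap[t[3]] = t[6]
    return groups, acls, globs, nats, cmap

def endpoint(tokens, groups, findings, acl):  # one ACE endpoint: host X | object-group G | net mask
    kind, name = tokens[0], tokens[1]
    if kind == "object-group" and name not in groups:
        findings.append(f"{acl}: object-group {name} is not defined")
    addrs = {name} if kind == "host" else groups.get(name, set()) if kind == "object-group" else {f"{kind} {name}"}
    return addrs, tokens[2:]

def check_l2l(text):  # [] means the policy NAT and the crypto ACL agree on the proxy identities
    groups, acls, globs, nats, cmap = parse_config(text)
    findings, nat_dsts = [], {}                  # nat_dsts: NATed address -> destinations it covers
    for nat_id, pacl in nats.items():            # a nat id with no global pool surfaces below as an un-NATed source
        for ace in acls.get(pacl, []) if nat_id in globs else []:
            _, rest = endpoint(ace, groups, findings, pacl)
            nat_dsts.setdefault(globs[nat_id], set()).update(endpoint(rest, groups, findings, pacl)[0])
    for seq, cacl in cmap.items():               # crypto ACL source must be the NATed address
        for ace in acls.get(cacl, []):
            src, rest = endpoint(ace, groups, findings, cacl)
            dst, _ = endpoint(rest, groups, findings, cacl)
            for s in src:
                if s not in nat_dsts:
                    findings.append(f"crypto map {seq}: source {s} is not a policy-NAT global address")
                elif dst - nat_dsts[s]:
                    findings.append(f"crypto map {seq}: {sorted(dst - nat_dsts[s])} not covered by policy NAT")
    return findings
```

Running check_l2l on the sample reports the undefined Airtel group and, as a consequence, that the crypto ACL's destinations are not covered by the policy NAT; renaming the group to test clears both findings.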

Sorry Jorge,

I forgot to rename the object-group in the post.

No problem.

Can you verify that the far-end systems (10.11.11.x, etc.) are online? Can you verify that the far-end firewall is seeing your connection? Try sending traffic again to 10.11.11.11 from a 192.168.1.x host (not from the firewall), and then, from the firewall, post the output of show cry isa sa.

If you have verified that the far end is already configured for the tunnel, the systems are online, the tunnel secret key is correct, etc., you will need to debug the tunnel as the next step:

terminal monitor
logging monitor 7 (or logging console 7 if you are logged in to the FW by console)

Then do:

debug crypto isakmp
debug crypto ipsec

While you have these debugs running, try sending traffic again while watching the terminal debug output, and try saving the debug output to post it here.

Jorge Rodriguez

Venkat,

What's the update on your tunnel? Is it all working or not?

Regards

Jorge Rodriguez

Dear jorge,

The tunnel is still not up; I didn't get any debug logs on this issue.

Note: In our configuration we already have a static NAT for the source IP.

Hi Venkat,

You have to try getting some debug information, and you must work with the far-end admin. Can you at least ping the other end's VPN gateway IP address? Have you asked the far end whether they see your connection coming in?

Here are some troubleshooting scenarios:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/06/14/ipsec-troubleshooting-problem-scenarios-part-1

Regards

Jorge Rodriguez