PIX 501 NAT translation for VPN traffic problem

rbdrake22
Level 1

I need to:

make ACL from 172.24.159.108 to host 192.168.50.83 and 192.168.50.86

NAT interesting traffic to 172.24.159.0 255.255.255.0

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: ************

Phase 2

ESP encryption 3DES

ESP authentication

Lifetime 28800

I have been struggling with this for 2 weeks. Any ideas what I am doing wrong?

Config is attached.

Thanks in advance!!!!

Ryan

13 Replies

acomiskey
Level 10

Config looks OK. You are policy NATing 192.168.0.108 to 172.24.159.x when going to 192.168.50.83 and .86. You have then defined the NATed address in your interesting traffic ACL. You should be able to remove this command:

no static (inside,outside) 172.24.159.0 access-list conditional_nat 0 0

clear xlate

OK, made the change and here is the new config; still no traffic after clear xlate.

sh cry isakmp sa doesn't show that the tunnel is even connecting. Could my problem lie with something other than the ACL and NAT config?

New config:

nat (inside) 3 access-list conditional_nat 0 0

global (outside) 3 172.24.159.1-172.24.159.254 netmask 255.255.255.0

Is this policy NAT translation actually working? Do you see translations when you do show xlate?

Actually, it doesn't look like it is. Should I go back to my static translations? I had that in place at one time but since changed to dynamic to get this to work.

Any ideas?

OK, so the problem is that policy NAT is not working. You can try static policy NAT also.

Check and post results.

HTH

Saju


OK, I'm back to static NAT. Here are the results of sh xlate:

PAT Global 166.XXX.XXX.XXX(13815) Local 192.168.0.108(2101)

PAT Global 166.XXX.XXX.XXX(7666) Local 192.168.0.112(2720)

PAT Global 166.XXX.XXX.XXX(13816) Local 192.168.0.82(2720)

PAT Global 166.XXX.XXX.XXX(13817) Local 192.168.0.112(3642)

PAT Global 166.XXX.XXX.XXX(13818) Local 192.168.0.11(1494)

PAT Global 166.XXX.XXX.XXX(14785) Local 192.168.0.112(1199)

PAT Global 166.XXX.XXX.XXX(2) Local 192.168.0.112 ICMP id 512

PAT Global 166.XXX.XXX.XXX(14876) Local 192.168.0.112(1251)

PAT Global 166.XXX.XXX.XXX(14724) Local 192.168.0.108(2735)

PAT Global 166.XXX.XXX.XXX(7553) Local 192.168.0.108(15346)

PAT Global 166.XXX.XXX.XXX(14732) Local 192.168.0.108(2744)

Global 172.24.159.0 Local 192.168.0.108

Here is the debug output as well:

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 60 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=10/30 sec.

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 368405633:15f56c81

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:66.XXX.XXX.XXX/500 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt incremented to:1 Total VPN Peers:2

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 0, message ID = 719581143

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 2042020179, spi size = 16

ISAKMP (0): deleting SA: src 166.XXX.XXX.XXX, dst 66.XXX.XXX.XXX

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0xcb9ca4, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:66.XXX.XXX.XXX/500 Total VPN peers:1

ISADB: reaper checking SA 0xb8f26c, conn_id = 0

Thanks in advance!

Can you post the remote end's VPN config also? The SA actually builds up and then gets deleted.

Check the transform set, crypto ACL (mirror image of the other side), etc.

HTH

Saju

Pls rate if it helps
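The debug output posted above shows Phase 1 completing ("SA has been authenticated", Quick Mode beginning) and then the peer sending "NOTIFY payload 14 protocol 3" followed by a DELETE. In ISAKMP (RFC 2408) notify type 14 is NO-PROPOSAL-CHOSEN, and in the IPsec DOI (RFC 2407) protocol ID 3 is ESP, so the peer is rejecting the Phase 2 (IPsec) proposal, which is exactly the transform set / crypto ACL mismatch the reply above points at. The following Python script is an added example, not code from the thread: it parses `debug crypto isakmp` output of this shape and reports which phase failed. The sample lines are a constructed excerpt of the debug posted above (addresses masked as in the post); the function and variable names are the author's own.

```python
import re

# Constructed excerpt of the PIX "debug crypto isakmp" output posted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 60 policy
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 368405633:15f56c81
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 719581143
ISAKMP (0): processing DELETE payload. message ID = 2042020179, spi size = 16
ISAKMP (0): deleting SA: src 166.XXX.XXX.XXX, dst 66.XXX.XXX.XXX
"""

# ISAKMP notify message types (RFC 2408 section 3.14.1) and the IPsec DOI
# INITIAL-CONTACT status type (RFC 2407 section 4.6.3.3); subset only.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    16: "INVALID-ID-INFORMATION",
    18: "ATTRIBUTES-NOT-SUPPORTED",
    24578: "INITIAL-CONTACT",
}
# IPsec DOI protocol identifiers (RFC 2407 section 4.4.1).
PROTO_IDS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
NOTIFY_RE = re.compile(r"NOTIFY (?:payload|message) (\d+) protocol (\d+)")
LIFE_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")


def decode_life_duration(hex_bytes):
    """The PIX prints the lifetime attribute as big-endian bytes: 0x0 0x1 0x51 0x80 -> 86400."""
    value = 0
    for token in hex_bytes.split():
        value = (value << 8) | int(token, 16)
    return value


def analyze_isakmp_debug(text):
    """Walk the debug lines and summarise Phase 1 / Phase 2 progress."""
    result = {
        "phase1_policy": None,          # local ISAKMP policy priority that matched
        "phase1_lifetime_offered": None,
        "phase1_authenticated": False,
        "quick_mode_started": False,
        "notifies": [],                 # (direction, notify type, protocol)
        "sa_deleted": False,
    }
    pending_policy = None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            pending_policy = int(m.group(2))
            continue
        m = LIFE_RE.search(line)
        if m:
            result["phase1_lifetime_offered"] = decode_life_duration(m.group(1))
        if "atts are not acceptable" in line:
            pending_policy = None
        elif "atts are acceptable" in line and pending_policy is not None:
            result["phase1_policy"] = pending_policy
        elif "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            result["quick_mode_started"] = True
        elif "processing DELETE payload" in line:
            result["sa_deleted"] = True
        m = NOTIFY_RE.search(line)
        if m:
            ntype, proto = int(m.group(1)), int(m.group(2))
            direction = "sent" if "sending" in line else "received"
            result["notifies"].append((direction,
                                       NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"),
                                       PROTO_IDS.get(proto, f"UNKNOWN({proto})")))
    result["diagnosis"] = diagnose(result)
    return result


def diagnose(r):
    """Turn the parsed facts into the question a practitioner should ask next."""
    if not r["phase1_authenticated"]:
        return "Phase 1 never authenticated: check ISAKMP policy and pre-shared key"
    for direction, ntype, proto in r["notifies"]:
        if direction == "received" and ntype == "NO-PROPOSAL-CHOSEN" and proto in ("IPSEC_ESP", "IPSEC_AH"):
            return ("Phase 1 up, Phase 2 (IPsec) proposal rejected by peer: "
                    "check transform set and that the crypto ACL mirrors the remote side")
    if r["sa_deleted"]:
        return "Phase 1 up but peer deleted the SA without a NO-PROPOSAL-CHOSEN notify"
    return "No failure detected"


if __name__ == "__main__":
    for key, value in analyze_isakmp_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

The lifetime decode confirms the remote side really is offering the 86400 s Phase 1 lifetime from the instructions, and the NO-PROPOSAL-CHOSEN for ESP narrows the search to Phase 2 parameters rather than the pre-shared key or ISAKMP policy.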

You can try doing policy NAT to a single IP:

nat (inside) 3 access-list conditional_nat 0 0

global (outside) 3 172.24.159.1 netmask 255.255.255.255

or

static (inside,outside) 172.24.159.1 access-list conditional_nat 0 0

Added "static (inside,outside) 172.24.159.108 access-list conditional_nat 0 0"

and removed

"static (inside,outside) 172.24.159.0 access-list conditional_nat 0 0"

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 60 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 176378872:a8353f8

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x942c64b8(2485937336) for SA

from 66.XXX.XXX.XXX to 166.XXX.XXX.XXX for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:66.XXX.XXX.XXX/500 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt incremented to:1 Total VPN Peers:2

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 0, message ID = 2816305469

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:66.XXX.XXX.XXX, dest:166.XXX.XXX.XXX spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 3032362312, spi size = 16

ISAKMP (0): deleting SA: src 166.XXX.XXX.XXX, dst 66.XXX.XXX.XXX

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0xba108c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:66.XXX.XXX.XXX/500 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:66.XXX.XXX.XXX/500 Total VPN peers:1

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 66.XXX.XXX.XXX

ISADB: reaper checking SA 0xb8f26c, conn_id = 0

sh xlate shows "Global 172.24.159.108 Local 192.168.0.108" now as well. Any ideas?

Thanks again

Cool!

Can you post the remote end's VPN config also? The SA actually builds up and then gets deleted.

Check the transform set, crypto ACL (mirror image of the other side), etc.

HTH

Saju

Pls rate if it helps

I don't have access to the other end; the only thing I have is these instructions:

remote endpoint is: 66.179.80.108

remote network is: 192.168.50.0 (255.255.255.0)

Clinic will need to make ACL from 172.24.159.108 to host 192.168.50.83 and 192.168.50.86

Clinic will need to NAT interesting traffic to 172.24.159.0 255.255.255.0

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: *****************

Phase 2

ESP encryption 3DES

ESP authentication

Lifetime 28800
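The thread turns on three pieces of PIX configuration that must agree: the policy NAT ACL (`conditional_nat`), the static translation that rewrites the inside host to an address in 172.24.159.0/24, and the crypto ACL that defines interesting traffic using the translated source (as the first reply notes, the crypto ACL must carry the NATed address). The earlier xlate line "Global 172.24.159.0 Local 192.168.0.108" shows the host being translated to the network address itself, which no crypto ACL entry or remote-side ACL would match; after the change to `static (inside,outside) 172.24.159.108 ...` the xlate shows the expected 172.24.159.108. The following Python script is an added example, not configuration or code from the thread: it models those three pieces, checks them against the remote side's instructions above, derives the mirror-image crypto ACL the remote peer must have, and parses `show xlate` for the static entry. The crypto ACL name `vpn_traffic`, the function names and the abbreviated `show xlate` excerpt are constructed for the example; the addresses come from the posts.

```python
import ipaddress
import re

# Facts taken from the remote side's instructions posted in the thread.
REMOTE_HOSTS = ("192.168.50.83", "192.168.50.86")
REMOTE_NETWORK = ipaddress.ip_network("192.168.50.0/24")
NAT_POOL = ipaddress.ip_network("172.24.159.0/24")   # "NAT interesting traffic to 172.24.159.0 255.255.255.0"
INSIDE_HOST = "192.168.0.108"                        # inside host seen in the posted xlate output

# Policy NAT ACL "conditional_nat" (name from the thread): inside host -> each remote host.
CONDITIONAL_NAT = [(INSIDE_HOST, h) for h in REMOTE_HOSTS]

# Crypto ACL (name "vpn_traffic" assumed): interesting traffic is written with the
# translated source, because the PIX translates before the crypto map sees the packet.
VPN_TRAFFIC = [("172.24.159.108", h) for h in REMOTE_HOSTS]


def static_policy_translate(global_addr, nat_acl, src, dst):
    """Model of 'static (inside,outside) <global_addr> access-list <nat_acl>':
    src is rewritten to global_addr only for flows that match the ACL."""
    return global_addr if (src, dst) in nat_acl else src


def check_crypto_acl(global_addr, nat_acl, crypto_acl, inside_hosts):
    """Return a list of problems; an empty list means the crypto ACL is consistent
    with the policy NAT and with the remote side's requirements."""
    problems = []
    for src, dst in crypto_acl:
        if ipaddress.ip_address(src) not in NAT_POOL:
            problems.append(f"crypto ACL source {src} is outside the agreed NAT range {NAT_POOL}")
        if ipaddress.ip_address(dst) not in REMOTE_NETWORK:
            problems.append(f"crypto ACL destination {dst} is not in remote network {REMOTE_NETWORK}")
        translated = [h for h in inside_hosts
                      if static_policy_translate(global_addr, nat_acl, h, dst) == src]
        if not translated:
            problems.append(f"no inside host is translated to {src} when talking to {dst}; "
                            f"the crypto map will never match traffic for this entry")
    return problems


def mirror_image(crypto_acl):
    """The crypto ACL the remote peer must hold for the Phase 2 proxy IDs to agree."""
    return [(dst, src) for src, dst in crypto_acl]


# Static/policy entries print as 'Global X Local Y'; PAT entries start with 'PAT' and carry ports.
XLATE_RE = re.compile(r"^Global (\S+) Local (\S+)$")


def find_static_xlate(show_xlate, local):
    """Return the global address an inside host is statically translated to, or None."""
    for line in show_xlate.splitlines():
        m = XLATE_RE.match(line.strip())
        if m and m.group(2) == local:
            return m.group(1)
    return None


# Constructed excerpt of the 'show xlate' output posted after the fix (PAT global masked).
SHOW_XLATE_FIXED = """\
PAT Global 166.0.0.1(13815) Local 192.168.0.108(2101)
Global 172.24.159.108 Local 192.168.0.108
"""

if __name__ == "__main__":
    # Before the fix: the static used the network address 172.24.159.0 as the global.
    print(check_crypto_acl("172.24.159.0", CONDITIONAL_NAT, VPN_TRAFFIC, [INSIDE_HOST]))
    # After the fix: static (inside,outside) 172.24.159.108 access-list conditional_nat
    print(check_crypto_acl("172.24.159.108", CONDITIONAL_NAT, VPN_TRAFFIC, [INSIDE_HOST]))
    print(mirror_image(VPN_TRAFFIC))
    print(find_static_xlate(SHOW_XLATE_FIXED, INSIDE_HOST))
```

Even with the local side consistent, `mirror_image` only tells you what the remote crypto ACL and transform set should contain; since the poster cannot see the remote configuration, the NO-PROPOSAL-CHOSEN from the peer can only be resolved by comparing that mirror image and the Phase 2 parameters (ESP 3DES, SHA, 28800 s) with whoever administers 66.179.80.108.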