I have a setup where a customer will be sending calls from a UCM, sourced from a private address, through a VPN tunnel terminating at a 2811. The call needs to hit an SBC that is publicly addressed and sits right behind the router on FE0/1. (See attached picture)
The traffic going through the ASA is being exempted from NAT.
Since this is all public on my end and my default route points to my ISP's router, I would assume that I do not need anything other than a default route. (I'm not running any routing protocols, just a static route outbound.)
The tunnel does not come up. In fact, I never see any traffic hit my side at all. Does anyone have any experience doing a private-to-public VPN, or know of a config example anywhere?
Here's my end of the config:
crypto isakmp policy 4
crypto isakmp key XXXXXXXXXX address (public address #1) no-xauth

crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac

crypto map XXXMAP 4 ipsec-isakmp
 set peer (public address #1)
 set security-association idle-time 3600
 set transform-set XXXSET
 set pfs group2
 match address 170

access-list 170 permit ip host (public address #3) host 10.0.0.5

 ip address (public address #2) 255.255.255.252
 no cdp enable
 crypto map XXXMAP
 service-policy output AutoQoS-Policy-UnTrust
Your configuration looks fine.
Does Phase 1 come up when you try to pass traffic through? "show cry isa sa"
If P1 comes up, does P2 come up? "show crypto ipsec sa | i ident|spi|encr|decr"
If neither is coming up, run a debug:
debug cry isa
debug cry ips
See if the tunnel is being initiated when traffic is sent. As long as you have a default route pointing outbound, and have no other routes, you should be fine. Looks like everything else will be a connected network.
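The two checks in the answer (Phase 1 via "show cry isa sa", then Phase 2 counters and SPIs via "show crypto ipsec sa | i ident|spi|encr|decr") can be turned into a small triage script. The Python below is an added example, not code from the thread; the show-command output it parses is constructed to resemble IOS output and the regexes are assumptions about that format, so they may need adjusting for a given IOS release. It classifies a tunnel as Phase 1 down (the original poster's symptom: nothing negotiated, so look at interesting traffic, peer reachability and the default route), Phase 2 down, one-way (encrypting but never decrypting, i.e. the far side is not sending or its traffic is dropped), or up.

```python
"""Triage an IOS site-to-site IPsec tunnel from the two show commands.

Added example, not from the original thread. The sample outputs below are
constructed to look like IOS output; the parsing regexes are assumptions.
"""
import re

# Constructed sample: Phase 1 SA established (QM_IDLE / ACTIVE).
ISAKMP_SA_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.20   QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: no Phase 1 SA at all (the symptom in the question).
ISAKMP_SA_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""

# Constructed sample of 'show crypto ipsec sa | i ident|spi|encr|decr':
# Phase 2 negotiated, packets encrypted outbound, nothing decrypted inbound.
IPSEC_SA_ONEWAY = """\
   local  ident (addr/mask/prot/port): (203.0.113.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.5/255.255.255.255/0/0)
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x1A2B3C4D(439041101)
      spi: 0x5E6F7081(1584558209)
      spi: 0x1A2B3C4D(439041101)
"""

# One ISAKMP SA row: dst src state conn-id status. The header line has
# "conn-id" where a number is required, so it never matches.
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s+(\w+)$")
COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
SPI = re.compile(r"\bspi: 0x([0-9A-Fa-f]+)")


def phase1_state(isakmp_output):
    """Return (dst, src, state, status) for every IPv4 ISAKMP SA row."""
    sas = []
    for line in isakmp_output.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            sas.append((m.group(1), m.group(2), m.group(3), m.group(5)))
    return sas


def phase1_up(isakmp_output):
    """Phase 1 is usable only once an SA reaches QM_IDLE and is ACTIVE."""
    return any(state == "QM_IDLE" and status == "ACTIVE"
               for _, _, state, status in phase1_state(isakmp_output))


def phase2_summary(ipsec_output):
    """Sum the encaps/decaps/encrypt/decrypt counters and collect non-zero SPIs."""
    counters = {k: 0 for k in ("encaps", "decaps", "encrypt", "decrypt")}
    spis = set()
    for line in ipsec_output.splitlines():
        for name, value in COUNTER.findall(line):
            counters[name] += int(value)
        for spi in SPI.findall(line):
            if int(spi, 16) != 0:          # spi 0x0 means no SA installed
                spis.add(spi.upper())
    return counters, spis


def diagnose(isakmp_output, ipsec_output):
    """Classify the tunnel following the order of checks in the answer."""
    if not phase1_up(isakmp_output):
        return "phase1-down"   # nothing negotiated: interesting traffic / peer / route
    counters, spis = phase2_summary(ipsec_output)
    if not spis:
        return "phase2-down"   # ISAKMP fine, IPsec SA never installed
    if counters["encrypt"] and not counters["decrypt"]:
        return "one-way"       # we send, the far side never answers through the tunnel
    if counters["encrypt"] and counters["decrypt"]:
        return "up"
    return "idle"              # SAs exist but no interesting traffic has flowed yet


if __name__ == "__main__":
    print("empty ISAKMP table:", diagnose(ISAKMP_SA_EMPTY, IPSEC_SA_ONEWAY))
    print("P1 up, one-way P2 :", diagnose(ISAKMP_SA_UP, IPSEC_SA_ONEWAY))
```

Feed it the real command output (for example captured over SSH) in place of the constructed strings; a "phase1-down" verdict is the cue to move on to the debug commands the answer lists, since at that point there is nothing in the SA tables to inspect.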