I am trying to establish a site-to-site VPN tunnel between 2 offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I get the tunnel to establish without a problem. The problem is that the traffic going to the 1841 destined for the ASA will not encrypt for this particular tunnel. I get decaps on the session but no encaps. I have reconfigured the tunnel several times but keep getting the same result:
Session status: UP-ACTIVE
Peer: 188.8.131.52 port 500 fvrf: (none) ivrf: (none)
IKE SA: local 184.108.40.206/500 remote 220.127.116.11/500 Active
Capabilities:(none) connid:98 lifetime:23:45:02
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704
Any suggestions would be greatly appreciated.
Your ACL 100 is not exempting the 192.168.5.0->10.0.96.0 traffic from the NAT process. Please add the line below above the permit statement and then test again.
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
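The ordering point in the answer above can be checked offline with a first-match walk over the NAT ACL. This is an added example, not part of the original thread; the `permit` line in the sample ACL is constructed, since the poster's actual ACL 100 is not shown on the page, and the function names are hypothetical.

```python
import ipaddress

def wildcard_net(addr, wildcard):
    """IOS address + contiguous wildcard mask -> ip_network (0.0.15.255 -> /20)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def take_net(tokens):
    """Consume one address spec from the token list: any | host A | A wildcard."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(first, tokens.pop(0))

def parse_acl(text, number):
    """Return [(action, src_net, dst_net)] for 'access-list <number> ... ip' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", str(number)] or tok[3] != "ip":
            continue
        rest = tok[4:]
        entries.append((tok[2], take_net(rest), take_net(rest)))
    return entries

def nat_verdict(entries, src, dst):
    """First-match result for a flow: 'exempt', 'translated' or 'partial'."""
    flow_src, flow_dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for action, a_src, a_dst in entries:
        if flow_src.subnet_of(a_src) and flow_dst.subnet_of(a_dst):
            # A deny in the NAT ACL means "do not translate", so the crypto ACL still matches.
            return "exempt" if action == "deny" else "translated"
        if flow_src.overlaps(a_src) and flow_dst.overlaps(a_dst):
            return "partial"  # entry covers only part of the flow; review by hand
    return "exempt"  # implicit deny at the end of the ACL: traffic is not translated

# Constructed sample: the permit line is an assumption about the poster's ACL 100.
PERMIT = "access-list 100 permit ip 192.168.5.0 0.0.0.255 any"
DENY = "access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255"
FLOW = ("192.168.5.0/24", "10.0.96.0/20")  # the IPSEC FLOW from the session output

if __name__ == "__main__":
    for label, acl in (("before", PERMIT), ("fixed", DENY + "\n" + PERMIT),
                       ("wrong order", PERMIT + "\n" + DENY)):
        print(label, "->", nat_verdict(parse_acl(acl, 100), *FLOW))
```

A "translated" verdict corresponds to the symptom in the question: the source address is rewritten before the crypto map is consulted, so the outbound packets no longer match the IPSEC flow and the encaps counter stays at 0.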