Cisco Support Community

Site-to-site VPN behind NAT: ASA5520 (8.3.1) to Cisco 1841 (AdvSecurity 12.4(24)T5)

Hello All,

I am having difficulty with site-to-site VPN between Cisco ASA 5520 running ASA Version 8.3.1 and Cisco 1841 running Version 12.4(24)T5.

The short end of the problem is that I suppose a NAT issue on the 1841. When I have my crypto maps set with matching "interesting traffic" on both ends, I do not see any ISAKMP or IPsec traffic between the two ends. When I set my crypto maps on both ends to "ip any any", I get phase 1 but phase 2 fails.

interface FastEthernet0/0
 description INTFCE0
 ip address X.X.X.X
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN2_ASA5520
interface FastEthernet0/1
 description INTFCE1
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

Crypto Map "VPN2_ASA5520" 1 ipsec-isakmp
        Peer = X.X.X.X
        Extended IP access list 100
            access-list 100 permit ip
        Current peer: X.X.X.X
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                #$!default_transform_set_1:  { esp-aes esp-sha-hmac  } ,
                #$!default_transform_set_0:  { esp-3des esp-sha-hmac  } ,
        Interfaces using crypto map VPN2_ASA5520:


Extended IP access list 100
    10 permit ip
Extended IP access list 110
    10 deny ip
    20 permit ip any (5365 matches)

ip nat inside source route-map nonat interface FastEthernet0/0 overload

route-map nonat permit 10
 match ip address 110


ASA 5520 (8.3.1)

interface GigabitEthernet0/0
 speed 1000
 nameif OutSide
 security-level 0
 ip address X.X.X.X
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address


object network NETWORK_OBJ_10.10.12.0_24

object network NETWORK_OBJ_10.10.63.0_24

access-list OutSide_1_cryptomap extended permit ip object NETWORK_OBJ_10.10.12.0_24 object NETWORK_OBJ_10.10.63.0_24

nat (inside,OutSide) source static NETWORK_OBJ_10.10.12.0_24 NETWORK_OBJ_10.10.12.0_24 destination static NETWORK_OBJ_10.10.63.0_24 NETWORK_OBJ_10.10.63.0_24


crypto map OutSide_map 1 match address OutSide_1_cryptomap
crypto map OutSide_map 1 set pfs
crypto map OutSide_map 1 set peer X.X.X.X
crypto map OutSide_map 1 set transform-set ESP-3DES-SHA
crypto map OutSide_map interface OutSide
crypto isakmp enable OutSide


tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
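The two things the configuration above has to get right for phase 2 are (1) the IOS nonat route-map ACL must deny the VPN traffic before the overload PAT rule rewrites it, and (2) the crypto ACLs on the router and the ASA must be mirror images of each other. The following checker is an added example written for this thread, not the poster's or Cisco's code. Because the post elides the real prefixes, the sample ACL lines below are constructed: 10.10.63.0/24 as the router LAN and 10.10.12.0/24 as the ASA LAN are assumptions taken from the ASA object names. The ASA parser only understands the expanded netmask form of an access-list line, not the object-name form used in the post.

```python
"""Check that a site-to-site VPN's interesting traffic is exempt from NAT
overload on an IOS router and that the ASA's crypto ACL mirrors it.
Added example; the subnets are constructed, not taken from the post."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_endpoint(tokens, wildcard):
    """Consume one source/destination spec from the token list.
    IOS ACLs use wildcard masks, ASA ACLs use subnet masks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # invert the wildcard bits to get a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acls(config, wildcard):
    """Return {acl_name: [AclEntry, ...]} for every 'access-list ... ip' line,
    in configuration order (order matters: first match wins)."""
    acls = {}
    pat = re.compile(r"\s*access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+ip\s+(.*)")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        name, action, rest = m.groups()
        tokens = rest.split()
        src = _parse_endpoint(tokens, wildcard)
        dst = _parse_endpoint(tokens, wildcard)
        acls.setdefault(name, []).append(AclEntry(action, src, dst))
    return acls


def lookup(entries, src, dst):
    """First-match evaluation of an ACL for a flow between two subnets,
    with the router's implicit deny at the end."""
    for e in entries:
        if src.subnet_of(e.src) and dst.subnet_of(e.dst):
            return e.action
    return "deny"


def nat_exemption_problems(ios_config, crypto_acl="100", nonat_acl="110"):
    """Every permit entry in the crypto ACL must be denied by the nonat ACL.
    If PAT rewrites the source first, the packet no longer matches the
    interesting traffic and the crypto map never triggers the tunnel."""
    acls = parse_acls(ios_config, wildcard=True)
    problems = []
    for e in acls.get(crypto_acl, []):
        if e.action == "permit" and lookup(acls.get(nonat_acl, []), e.src, e.dst) != "deny":
            problems.append(f"{e.src} -> {e.dst} is still NATed (not denied in ACL {nonat_acl})")
    return problems


def mirror_problems(ios_config, asa_config, ios_acl="100", asa_acl="OutSide_1_cryptomap"):
    """Phase 2 needs mirror-image crypto ACLs: each ASA permit (src, dst)
    must correspond to a router permit (dst, src)."""
    ios = parse_acls(ios_config, wildcard=True).get(ios_acl, [])
    asa = parse_acls(asa_config, wildcard=False).get(asa_acl, [])
    ios_flows = {(e.src, e.dst) for e in ios if e.action == "permit"}
    asa_flows = {(e.dst, e.src) for e in asa if e.action == "permit"}  # swapped to router view
    return [f"no mirror entry on the other peer for {s} -> {d}"
            for s, d in sorted(ios_flows ^ asa_flows, key=str)]


# Constructed sample fragments (assumed subnets, see the lead-in).
IOS_GOOD = """
access-list 100 permit ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 deny   ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 permit ip 10.10.63.0 0.0.0.255 any
"""
# Same entries with the deny placed after the permit: first match wins,
# so the VPN traffic is PATed and never reaches the crypto map.
IOS_BAD = """
access-list 100 permit ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 permit ip 10.10.63.0 0.0.0.255 any
access-list 110 deny   ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
"""
ASA_CFG = """
access-list OutSide_1_cryptomap extended permit ip 10.10.12.0 255.255.255.0 10.10.63.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("good", IOS_GOOD), ("bad", IOS_BAD)):
        print(label, nat_exemption_problems(cfg) or "VPN traffic is exempt from NAT")
    print("mirror", mirror_problems(IOS_GOOD, ASA_CFG) or "crypto ACLs mirror each other")
```

Run it against the two router fragments: the "good" one reports nothing, while the "bad" one flags 10.10.63.0/24 -> 10.10.12.0/24 as still being translated, which is exactly the condition under which `ip any any` crypto ACLs bring up phase 1 but phase 2 then fails on the mismatched proxy identities. To use it on a real configuration, paste the `show access-lists` output (with the subnets filled in) into the strings and adjust the ACL names.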