Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear all,

Please help me with the VPN issue in the attached document: the site-to-site VPN is up but I am not able to pass traffic.

Thanks in advance

ahossain

25 Replies

andrew.prince
Level 10

Check

1) The routing

2) The crypto interesting ACL

3) Your NO-NAT ACL

HTH

rizwanr74
Level 7

Please post your config, I will look into it for you.

Thanks

Please help me urgent on this case.

I replied to you yesterday and requested the config.

So please post the config and I will help you as fast as I can.

thanks

Yes! I have posted both sites' current configuration files, please help me ASAP.

Paste the below into the ASA:

access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list no-nat

Thanks Mr. Andrew for your reply, I have applied it on the ASA but it is still the same.

At the CLI type

clear crypto ipsec sa

clear xlate

Then re-establish the VPN and post the output of "show crypto ipsec sa".

Copy these lines onto your ASA.

tunnel-group 212.107.106.129 type ipsec-l2l
tunnel-group 212.107.106.129 ipsec-attributes
pre-shared-key <your-pre-shared-key-goes-here>


Create an ACL as shown below.

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0


Apply the no-nat on the inside interface as shown below.

nat (inside) 0 access-list inside_nat0_outbound

Remove these three lines from ACL encrypt_acl

access-list encrypt_acl extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit esp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit udp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0


Please add this route on the ASA.
route outside 10.2.2.0 255.255.255.0 212.71.53.36

Remove all these lines.

crypto isakmp enable DMZ
crypto isakmp enable inside

----------------------------------------------------

Now work on your router.

crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
set pfs group2
reverse-route

Now you are good.

ping 10.1.1.x source interface GigabitEthernet0/2

x is a host IP behind the ASA.

Let me know, how it is coming along.

Thanks

Rizwan Rafeek.
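The checklist earlier in the thread (routing, crypto ACL, no-NAT ACL) and the ACL changes in the reply above can be checked mechanically. The script below is an added example, not part of the thread and not a Cisco tool: it parses ASA `access-list ... extended permit` lines and IOS numbered `access-list` lines, confirms the crypto ACL uses plain `ip` entries, confirms the router ACL is the mirror image, and confirms a `nat (inside) 0` exemption covers every protected subnet pair. The sample configs use the subnets from the thread; the contents of router ACL 120 (only referenced by `match address 120` above) are an assumption.

```python
"""Cross-check site-to-site crypto and NAT-exemption ACLs (added example)."""
import ipaddress
import re
from typing import Callable, List, NamedTuple


class AclEntry(NamedTuple):
    name: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


_ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})"
# ASA syntax: access-list NAME extended permit PROTO SRC NETMASK DST NETMASK
_ASA_RE = re.compile(rf"access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+{_ADDR}\s+{_ADDR}\s+{_ADDR}\s+{_ADDR}")
# IOS syntax: access-list NUMBER permit PROTO SRC WILDCARD DST WILDCARD
_IOS_RE = re.compile(rf"access-list\s+(\d+)\s+permit\s+(\S+)\s+{_ADDR}\s+{_ADDR}\s+{_ADDR}\s+{_ADDR}")
_NAT0_RE = re.compile(r"nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")


def _net(addr: str, netmask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _net_from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS ACLs use inverse masks: 0.0.0.255 means /24.
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return _net(addr, str(ipaddress.IPv4Address(netmask)))


def _parse(config: str, regex: re.Pattern, to_net: Callable) -> List[AclEntry]:
    return [AclEntry(n, p, to_net(s, sm), to_net(d, dm))
            for line in config.splitlines()
            for n, p, s, sm, d, dm in regex.findall(line.strip())]


def parse_asa_acls(config: str) -> List[AclEntry]:
    return _parse(config, _ASA_RE, _net)


def parse_ios_acls(config: str) -> List[AclEntry]:
    return _parse(config, _IOS_RE, _net_from_wildcard)


def check_tunnel_acls(asa_config: str, ios_config: str,
                      crypto_acl: str, nat0_acl: str, ios_acl: str) -> List[str]:
    """Return findings; an empty list means all three checks pass."""
    findings = []
    asa = parse_asa_acls(asa_config)
    crypto = [e for e in asa if e.name == crypto_acl]
    nat0 = [e for e in asa if e.name == nat0_acl]
    remote = [e for e in parse_ios_acls(ios_config) if e.name == ios_acl]

    # Each ACE becomes its own proxy identity that the peer must match exactly,
    # so per-protocol entries (tcp/udp/esp) beside the 'ip' entry only add ways
    # for the two sides to disagree.
    for e in crypto:
        if e.proto != "ip":
            findings.append(f"{crypto_acl}: remove '{e.proto}' entry {e.src} -> {e.dst}, keep the 'ip' entry")

    # The router ACL must be the exact mirror: its source is the ASA's destination.
    asa_pairs = {(e.src, e.dst) for e in crypto if e.proto == "ip"}
    mirror = {(e.dst, e.src) for e in remote if e.proto == "ip"}
    for src, dst in asa_pairs - mirror:
        findings.append(f"router ACL {ios_acl} has no mirror of {src} -> {dst}")
    for src, dst in mirror - asa_pairs:
        findings.append(f"ASA ACL {crypto_acl} has no mirror of router entry {dst} -> {src}")

    # NAT runs before encryption on the ASA: a pair that is not exempt gets
    # translated and then no longer matches the crypto ACL.
    nat_pairs = {(e.src, e.dst) for e in nat0 if e.proto == "ip"}
    for src, dst in asa_pairs:
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat_pairs):
            findings.append(f"no NAT exemption in {nat0_acl} for {src} -> {dst}")
    if nat_pairs and nat0_acl not in _NAT0_RE.findall(asa_config):
        findings.append(f"{nat0_acl} is defined but not applied with 'nat (inside) 0 access-list {nat0_acl}'")
    return findings


# Constructed samples using the thread's subnets: ASA_BEFORE is the state the
# reply above says to fix, ASA_AFTER the corrected state.
ASA_BEFORE = """
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit esp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list encrypt_acl extended permit udp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
"""
ASA_AFTER = """
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
# Router side; the contents of ACL 120 are an assumption (the thread only shows 'match address 120').
IOS_CONFIG = """
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in (("before", ASA_BEFORE), ("after", ASA_AFTER)):
        print(label, check_tunnel_acls(cfg, IOS_CONFIG, "encrypt_acl", "inside_nat0_outbound", "120") or "OK")
```

Run against the "before" state it reports the three protocol-specific ACEs and the missing NAT exemption; the "after" state comes back clean. Feeding it the real running configs of both peers is the quickest way to rule out the ACL and NAT causes before touching ISAKMP settings.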

Dear Rizwan,

Thanks for your support. I have applied everything as per your configuration, but I have lost the IPsec connectivity.

When I type show crypto ipsec sa, nothing shows.

Please advise me on this!

Please send a continuous ping from a PC behind the ASA to a remote host (i.e. PC) behind the remote router.

Also please post your config just to be sure.

#show cry ips sa

interface: GigabitEthernet0/0
    Crypto map tag: mal, local addr 172.20.34.54

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.20.34.54, remote crypto endpt.: 212.71.53.38
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: GigabitEthernet0/1
    Crypto map tag: mal, local addr 212.107.106.129

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 212.107.106.129, remote crypto endpt.: 212.71.53.38
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
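The output above already tells the story if read line by line: the same crypto map is bound to two interfaces, the outbound SPI is 0x0 on both, no ESP SAs exist, and Gi0/1 counts 10 send errors. The script below is an added example (not part of the thread, not a Cisco tool) that parses "show crypto ipsec sa" into per-interface summaries and reports those symptoms; PAGE_OUTPUT is condensed from the output posted above and HEALTHY_OUTPUT is a constructed contrast using documentation addresses.

```python
"""Parse 'show crypto ipsec sa' and flag the usual 'up but no traffic' signs (added example)."""
import re
from typing import List, NamedTuple, Optional


class SaSummary(NamedTuple):
    interface: str
    crypto_map: str
    local_addr: str
    peer: Optional[str]
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: int
    has_esp_sa: bool


def _int(pattern: str, text: str, base: int = 10) -> int:
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else 0


def parse_show_crypto_ipsec_sa(text: str) -> List[SaSummary]:
    """One summary per 'interface:' block in the command output."""
    out = []
    for block in re.split(r"^interface:\s*", text, flags=re.M)[1:]:
        iface = block.split("\n", 1)[0].strip()
        tag = re.search(r"Crypto map tag:\s*(\S+),\s*local addr\s*(\S+)", block)
        peer = re.search(r"current_peer\s+(\S+)", block)
        out.append(SaSummary(
            interface=iface,
            crypto_map=tag.group(1) if tag else "",
            local_addr=tag.group(2) if tag else "",
            peer=peer.group(1) if peer else None,
            encaps=_int(r"#pkts encaps:\s*(\d+)", block),
            decaps=_int(r"#pkts decaps:\s*(\d+)", block),
            send_errors=_int(r"#send errors\s*(\d+)", block),
            outbound_spi=_int(r"current outbound spi:\s*0x([0-9A-Fa-f]+)", block, 16),
            # an established SA lists at least one 'spi:' under 'inbound esp sas:'
            has_esp_sa=re.search(r"inbound esp sas:\s*spi:", block) is not None,
        ))
    return out


def diagnose(summaries: List[SaSummary]) -> List[str]:
    findings = []
    by_map = {}
    for s in summaries:
        by_map.setdefault(s.crypto_map, []).append(s.interface)
    for name, ifaces in by_map.items():
        if len(ifaces) > 1:
            findings.append(f"crypto map {name} is applied on {', '.join(ifaces)}; "
                            "it belongs only on the interface the peer addresses")
    for s in summaries:
        if s.outbound_spi == 0 and not s.has_esp_sa:
            msg = f"{s.interface}: no IPsec SA with {s.peer} (outbound SPI 0x0), phase 2 never completed"
            if s.send_errors:
                msg += f"; {s.send_errors} send errors = packets matched the crypto ACL but had no SA"
            findings.append(msg)
        elif s.encaps and not s.decaps:
            findings.append(f"{s.interface}: encrypting ({s.encaps} pkts) but nothing comes back; "
                            "check the remote crypto ACL, return route and NAT exemption")
        elif s.decaps and not s.encaps:
            findings.append(f"{s.interface}: decrypting but not encrypting; "
                            "check the local route to the remote subnet and NAT exemption")
    return findings


# Condensed from the output posted above (compression counters omitted).
PAGE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: mal, local addr 172.20.34.54
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 212.71.53.38 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:

     outbound esp sas:

interface: GigabitEthernet0/1
    Crypto map tag: mal, local addr 212.107.106.129
   current_peer 212.71.53.38 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 10, #recv errors 0
     current outbound spi: 0x0(0)
"""
# Constructed healthy contrast (RFC 5737 documentation addresses).
HEALTHY_OUTPUT = """\
interface: GigabitEthernet0/1
    Crypto map tag: mal, local addr 192.0.2.1
   current_peer 198.51.100.1 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0
     current outbound spi: 0x3A1B2C4D(974859341)
     inbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
     outbound esp sas:
      spi: 0x3A1B2C4D(974859341)
"""

if __name__ == "__main__":
    for label, text in (("thread", PAGE_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(label, diagnose(parse_show_crypto_ipsec_sa(text)) or "OK")
```

On the thread's output it reports three things: the crypto map on two interfaces, and on each interface no SA with the peer, with the 10 send errors on Gi0/1 noted. A SPI of 0x0 with empty SA lists means phase 2 never completed, so the next step is "show crypto isakmp sa" and the ISAKMP/IPsec debugs rather than more NAT changes.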

Dear all, I am looking for quick support.

Please post your config again.
