IPSEC problem going through ASA

Ronald Nutter
Level 1

I have a 1900 series router that I have configured to build a site-to-site VPN tunnel. When plugged directly into a DSL or cable modem, it works just fine. The tunnel comes up and I can route traffic.

The problem occurs when I put it behind an ASA. I see the tunnel start to come up. Phase 1 looks like it negotiates, but Phase 2 doesn't appear to be working right. I can't ping anything on the remote end. Because of the situation I am working with, I have to be able to get this to work.

On the ASA on my end, I have put the configuration into Modular Policy Framework to allow IPSEC to pass through. Since I have tried this behind two different ASAs to try to connect to a remote ASA, I am starting to think that I may need to do something on the router that is trying to build the tunnel.

Suggestions ?

Ron

9 Replies

manish arora
Level 6

Hi Ron,

When you place the ASA between your router (1900) and the internet feed, are you doing any NAT for the router IP on the ASA?

manish

Yes I am. No way around that due to the requirements I have to deal with.

Ron

OK, then the only option you have is to do an L2L tunnel on the ASA. If you are doing NAT, then you are changing the packet header, redoing the header checksum, etc., and that makes it fail IPsec encryption. The reason we use IPsec is for security, so if the packet is being changed in any sense it will fail IPsec encryption.

manish

As best I can do with characters, here is a rough drawing of how things are connected -

1900 ------ ASA_1 ------- ASA_2

The endpoint for the 1900 is ASA_2. The 1900 shows up on ASA_2 as an L2L site-to-site tunnel. I have run debugs today on both the 1900 and ASA_2 with the 1900 trying to establish the site-to-site tunnel (L2L). The ASA debugs show Phase 1 and Phase 2 completing without error.

Here is the debug log from the 1900 -

000245: Oct 26 09:15:57.500 CDT: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
000246: Oct 26 09:16:07.492 CDT: ISAKMP (1003): received packet from x.x.x.x dport 500 sport 500 Global (I) QM_IDLE
000247: Oct 26 09:16:07.492 CDT: ISAKMP: set new node 326021280 to QM_IDLE
000248: Oct 26 09:16:07.492 CDT: ISAKMP:(1003): processing HASH payload. message ID = 326021280
000249: Oct 26 09:16:07.496 CDT: ISAKMP:(1003): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 326021280, sa = 0x2828B8F0
000250: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):deleting node 326021280 error FALSE reason "Informational (in) state 1"
000251: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000252: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
000253: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):DPD/R_U_THERE received from peer x.x.x.x, sequence 0x547A1F97
000254: Oct 26 09:16:07.496 CDT: ISAKMP: set new node -1773985349 to QM_IDLE
000255: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 662754480, message ID = -1773985349
000256: Oct 26 09:16:07.496 CDT: ISAKMP:(1003): seq. no 0x547A1F97
000257: Oct 26 09:16:07.496 CDT: ISAKMP:(1003): sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
000258: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):Sending an IKE IPv4 Packet.
000259: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):purging node -1773985349
000260: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
000261: Oct 26 09:16:07.496 CDT: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

If I am interpreting this correctly, the 1900 completes Phase 1 but never starts up Phase 2.

Sounds like I may need to get a TAC case started.

Ron

manish arora
Level 6

Do not see anything attached??

Just edited the previous message to put in what the smtp server seems to have deleted.

Ron

Also, in addition to the information I posted above, I used Cisco doc 63881 to do the MPF work on ASA_1 and ASA_2.

Ron

When doing a sh crypto ipsec sa on the 1900, everything looks normal. The only thing that is different is that the #pkts encaps is incrementing but #pkts decaps doesn't. I also tried using isakmp nat-traversal 3600 and restarting the L2L tunnel, but that didn't help.

Ron
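The two symptoms in this thread (Quick Mode never appearing in the ISAKMP debug, and #pkts encaps climbing while #pkts decaps stays at zero) can be checked mechanically. The script below is an added example, not something posted in the thread; the sample text it parses is constructed to resemble IOS "show crypto ipsec sa" and "debug crypto isakmp" output, and the field wording is assumed to match IOS.

```python
"""Triage helpers for a one-way IPsec tunnel (added example, not from the thread)."""
import re

# Constructed sample in the style of 'show crypto ipsec sa': we encapsulate
# ESP but never decapsulate any, which is what the thread reports.
SAMPLE_IPSEC_SA = """\
   #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample in the style of the ISAKMP debug above: only Phase 1
# state transitions and DPD keepalives, no Quick Mode (IKE_QM_*) states.
SAMPLE_ISAKMP_DEBUG = """\
ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
ISAKMP:(1003): processing NOTIFY DPD/R_U_THERE protocol 1
ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
STATE_RE = re.compile(r"New State = (\w+)")


def sa_counters(text):
    """Return {'encaps': n, 'decaps': n} parsed from 'show crypto ipsec sa' text."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def one_way_traffic(text):
    """True when ESP is sent but nothing ever comes back: the classic NAT-in-path symptom."""
    counters = sa_counters(text)
    return counters.get("encaps", 0) > 0 and counters.get("decaps", 0) == 0


def phase2_attempted(debug_text):
    """True if any Quick Mode (IKE_QM_*) state appears; False if only Phase 1 / DPD traffic."""
    return any(state.startswith("IKE_QM_") for state in STATE_RE.findall(debug_text))


def triage(sa_text, debug_text):
    """Collect human-readable findings from both outputs."""
    findings = []
    if one_way_traffic(sa_text):
        findings.append("one-way: ESP sent but none received; check NAT on the path")
    if not phase2_attempted(debug_text):
        findings.append("no Quick Mode state seen; Phase 2 was never negotiated")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_IPSEC_SA, SAMPLE_ISAKMP_DEBUG):
        print("-", finding)
```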

Yes, as I mentioned earlier, NAT causes the packet header to change; that is why the far end of the tunnel will drop packets, as it will see that the IPsec packets have been altered (the far end doesn't care if the trusted source is manipulating the packet header). Here's a good read on what's going on for you. Check for the NAT impact on IPsec.

http://www.cisco.com/web/about/ac123/ac147/ac174/ac182/about_cisco_ipj_archive_article09186a00800c83ec.html

There might be a way of doing this, but I am not aware of it. But I think it's easier for you to set up L2L on the ASA or get a public IP address subnet for connecting the ASA with the 1900 router so that you do not have to NAT the outside IP of the router.

Manish
