VPN between ASA and cisco router [phase2 issue]

imranbhatti151
Level 1

Hi all,

I have an issue with an IPsec VPN between an ASA and a Cisco router.

I think there is a problem in phase 2.

Can you please guide me on where the problem could be?
I suspect ACL issues on the router but I am unable to rectify them. The ACLs on the router are listed at the bottom.

Looking forward to your help.

Phase 1 looks like this:

Cisco_router#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
78.x.x.41   87.x.x.4   QM_IDLE           2006    0 ACTIVE

and on the ASA:

ASA# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 78.x.x.41
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


Phase 2 on the ASA:

ASA# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

      access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      current_peer: 78.x.x.41

     #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 87.x.x.4  , remote crypto endpt.: 78.x.x.41

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C96393AB

    inbound esp sas:
      spi: 0x3E9D820B (1050509835)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/3025)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC96393AB (3378746283)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274994/3023)
         IV size: 8 bytes
         replay detection support: Y


Phase 2 on the Cisco router:


protected vrf: (none)
local  ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
  PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

  local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
  path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
  current outbound spi: 0x0(0)

  inbound esp sas:

  inbound ah sas:

  inbound pcp sas:

  outbound esp sas:

  outbound ah sas:

  outbound pcp sas:

protected vrf: (none)
local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
  PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

  local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
  path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
  current outbound spi: 0x3E9D820B(1050509835)

  inbound esp sas:
   spi: 0xC96393AB(3378746283)
     transform: esp-3des esp-md5-hmac ,
     in use settings ={Tunnel, }
     conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
     sa timing: remaining key lifetime (k/sec): (4393981/1196)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE

  inbound ah sas:

  inbound pcp sas:

  outbound esp sas:
   spi: 0x3E9D820B(1050509835)
     transform: esp-3des esp-md5-hmac ,
     in use settings ={Tunnel, }
     conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
     sa timing: remaining key lifetime (k/sec): (4394007/1196)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE

  outbound ah sas:

  outbound pcp sas:

The VPN-related configuration on the Cisco router is below:

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

access-list 105 deny   ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny   ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny   ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny   ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny   ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 105 deny   ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

route-map nonat permit 10
match ip address 105

crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

crypto map mycryptomap 100 ipsec-isakmp
set peer 87.x.x.4
set transform-set mytransformset
match address 101

crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx2011 address 87.x.x.4

Jennifer Halim
Cisco Employee

Absolutely correct, the access-list on the router is one of the issues. It seems that the access-list has been configured bidirectionally, which is incorrect. And also the access-list needs to be a mirror image between the ASA end and the router end.

The crypto ACL on the router should say: permit from source: destination:

And the crypto ACL on the ASA should say: permit from source: destination:

Can you please advise which subnet behind the ASA that you would like to encrypt towards the router, and similarly which subnets behind the router that you would like to encrypt towards the ASA.

Similarly, the route-map that denies NAT should only deny from the router's local subnet towards the ASA's remote subnet.

Lastly, the issue seems to be that either the ASA LAN does not reply or the NAT exemption has been incorrectly configured on the ASA.

Please kindly share the full config from both ASA and router so we can further help.

Thank you very much for your support

Subnets behind the ASA are:

172.19.203.0/24

172.19.206.0/24

172.19.209.0/24

And the subnet behind the router is 172.19.194.0/24

Below are the related configurations on the ASA and the router.

Be informed that I made the configuration on the ASA using the site-to-site VPN wizard.

ASA Config

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer 78.x.x.41
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 78.x.x.41 type ipsec-l2l
tunnel-group 78.x.x.41 ipsec-attributes
pre-shared-key *

access-list Outside_cryptomap_20_1 line 1 extended permit ip 172.19.206.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
access-list Outside_cryptomap_20_1 line 2 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=5)
access-list Outside_cryptomap_20_1 line 3 extended permit ip 172.19.203.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)


access-list Inside_nat0_outbound_V1 extended permit ip 172.19.206.0 255.255.255.0 172.19.194.0 255.255.255.0
access-list Inside_nat0_outbound_V1 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
access-list Inside_nat0_outbound_V1 extended permit ip 172.19.203.0 255.255.255.0 172.19.194.0 255.255.255.0

nat (Inside) 0 access-list Inside_nat0_outbound_V1


Router config

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx_2011 address 87.x.x.34
!
crypto isakmp client configuration group xxx
key xxxnet
dns x.x.x.x x.x.x.x
include-local-lan
dhcp server 172.19.194.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group xxx
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 60
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map mycryptomap 100 ipsec-isakmp
set peer 87.x.x.34
set transform-set mytransformset
match address 101
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid xxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 78.x.x.65 255.255.255.252 secondary
ip address 172.19.194.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname 24231610@xxx.com
ppp chap password 7 01142D26555A343E244816
crypto map mycryptomap
!
interface BVI1
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 1 permit 172.19.194.0 0.0.0.255
access-list 23 permit x.x.x.0 0.0.0.255
access-list 23 permit x.x.x.0 0.0.0.255
access-list 23 permit x.x.x.0 0.0.0.255 log
access-list 23 permit x.x.x.0 0.0.0.255 log
access-list 23 permit x.x.x.0 0.0.0.255
access-list 23 permit 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny   ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny   ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny   ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
dialer-list 1 protocol ip permit
snmp-server community private RW
snmp-server community public RO
no cdp run
!
!
route-map nonat permit 10
match ip address 105

NOTE: the client VPN configuration on the router is present, but we are not using it.

OK, so the access-list on the router should say only the following lines:

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255

You will have to clear the tunnel on both sides after modifying the access-list:

clear cry ipsec sa

clear cry isa sa

Also, how are the following subnets connected on the ASA:

172.19.203.0/24

172.19.206.0/24

172.19.209.0/24

Just confirm that there are routes on the ASA for those 3 subnets, and also that those 3 subnets know how to route towards the 172.19.194.0/24 subnet, i.e. via the ASA inside interface.


Dear Jennifer,

Thanks for your reply.

I made the access-list as per your advice on the Cisco router and tried after clearing, but the result is the same.

We have a core switch in the LAN; the default gateway of the core switch is the ASA, and the ASA's default gateway is the internet. So the required subnets (172.19.203.0/24, 172.19.206.0/24, 172.19.209.0/24) are connected in the same way.

And also the ACL below on the ASA shows that packets are being matched from the LAN (172.19.209.0/24) subnet to the remote LAN:

access-list Outside_cryptomap_20_1 line 2 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=17)

and from the remote LAN we also found matches (router):

permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log (11379 matches)

Please advise.

Do I need to debug ACLs?

It is not the VPN configuration. VPN config is absolutely correct now.

Please share the output of "show cry ipsec sa". If it is still showing the same result as before, ie: no encrypt on the ASA, then you will need to check the path between the ASA, core switch and the end host, and make sure that nothing is blocked.

Can you please confirm that there is no route in the core switch that might cover 172.19.194.0/24 subnet that might be routed to a different gateway, ie: not the ASA?

Now, you will need to troubleshoot routing, etc, as it is not a VPN configuration issue.

Thanks Jennifer again.

Routing is quite clear; there is no specific route for 172.19.194.0/24 in the core switch.

The ASA shows that packets are being encrypted.

Still I am unable to ping the remote site.

Packets are encapsulated on the ASA and decapsulated on the router, but no result.

Looking for your support.

ASA sh crypto ipsec sa:

ASA# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

      access-list Outside_cryptomap_20_1 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      current_peer: 78.x.x.41

      #pkts encaps: 2178, #pkts encrypt: 2178, #pkts digest: 2178
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 2178, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 87.101.181.34, remote crypto endpt.: 78.x.x.41

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 53701EF3

    inbound esp sas:
      spi: 0xCBCB9B5A (3419118426)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/2356)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x53701EF3 (1399856883)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274986/2313)
         IV size: 8 bytes
         replay detection support: Y

Router sh crypto ipsec sa:

AamalNet#sh crypto ipsec sa

interface: Dialer0
    Crypto map tag: mycryptomap, local addr 78.x.x.41

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.203.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.206.0/255.255.255.0/0/0)
   current_peer 87.101.181.34 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.34
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13801, #pkts decrypt: 13801, #pkts verify: 13801
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.34
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0xCBCB9B5A(3419118426)

     inbound esp sas:
      spi: 0x53701EF3(1399856883)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 61, flow_id: Motorola SEC 1.0:61, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4391344/1604)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCBCB9B5A(3419118426)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 62, flow_id: Motorola SEC 1.0:62, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4391384/1604)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: mycryptomap, local addr 78.x.x.41

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.203.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.206.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.34
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13801, #pkts decrypt: 13801, #pkts verify: 13801
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0xCBCB9B5A(3419118426)

     inbound esp sas:
      spi: 0x53701EF3(1399856883)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 61, flow_id: Motorola SEC 1.0:61, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4391344/1604)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCBCB9B5A(3419118426)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 62, flow_id: Motorola SEC 1.0:62, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4391384/1604)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

sh ip route on the core switch:

Gateway of last resort is 172.19.203.1 to network 0.0.0.0

     172.19.0.0/16 is variably subnetted, 16 subnets, 2 masks
S       172.19.217.0/24 [1/0] via 172.19.203.6
C       172.19.215.0/24 is directly connected, Vlan215
C       172.19.214.0/24 is directly connected, Vlan214
C       172.19.213.0/24 is directly connected, Vlan213
C       172.19.211.0/24 is directly connected, Vlan211
C       172.19.210.0/24 is directly connected, Vlan210
C       172.19.209.0/24 is directly connected, Vlan209
C       172.19.208.0/24 is directly connected, Vlan208
C       172.19.207.0/24 is directly connected, Vlan207
C       172.19.206.0/24 is directly connected, Vlan206
C       172.19.203.0/24 is directly connected, Vlan203
S       172.19.193.0/24 [1/0] via 172.19.203.6
S       172.19.124.0/24 [1/0] via 172.19.203.4
S       172.19.110.21/32 [1/0] via 172.19.203.4
S       172.19.106.5/32 [1/0] via 172.19.203.4
S       172.19.110.51/32 [1/0] via 172.19.203.4
S*   0.0.0.0/0 [1/0] via 172.19.203.1
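The counters in the two outputs above already tell the story: the ASA shows thousands of encaps with zero decaps, while the router shows the matching decaps with zero encaps, so the router receives the traffic but its replies never enter the tunnel. The Python script below is an added example, not code from this thread or from Cisco. It parses `show crypto ipsec sa` from both peers, pairs each SA with its mirror on the other side, and names the side that is dropping the return path. The two show outputs embedded in it are constructed from the counters quoted in the thread (with the same redacted peer addresses) and trimmed to the lines the parser reads.

```python
"""Added example (not from the thread): read 'show crypto ipsec sa' from both
peers and name the side that loses the return traffic. The two outputs below are
constructed from the counters reported in this thread, trimmed to the lines used."""
import re
from dataclasses import dataclass

# 'local ident' / 'remote ident' and the '#pkts' counters print the same way on ASA and IOS
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


@dataclass
class Flow:
    local: str    # protected network on this peer, "net/mask"
    remote: str   # protected network on the other peer
    encaps: int   # packets this peer encrypted toward the remote
    decaps: int   # packets this peer decrypted from the remote


def parse_ipsec_sa(text: str) -> list[Flow]:
    """Split the output into one block per SA flow and read its identities and counters."""
    flows = []
    for block in re.split(r"(?=local\s+ident)", text):
        idents = {k: f"{a}/{m}" for k, a, m in IDENT_RE.findall(block)}
        if "local" not in idents or "remote" not in idents:
            continue  # header text before the first flow
        counters = {k: int(v) for k, v in COUNTER_RE.findall(block)}
        flows.append(Flow(idents["local"], idents["remote"],
                          counters.get("encaps", 0), counters.get("decaps", 0)))
    return flows


def classify(f: Flow) -> str:
    if f.encaps and f.decaps:
        return "bidirectional"
    if f.encaps:
        return "send-only"
    if f.decaps:
        return "receive-only"
    return "idle"


def diagnose(name_a: str, text_a: str, name_b: str, text_b: str) -> list[str]:
    """Pair each flow on peer A with its mirror on peer B and explain asymmetric counters."""
    mirror = {(f.remote, f.local): f for f in parse_ipsec_sa(text_b)}
    findings = []
    for fa in parse_ipsec_sa(text_a):
        label = f"{fa.local} <-> {fa.remote}"
        fb = mirror.get((fa.local, fa.remote))
        if fb is None:
            findings.append(f"{label}: no mirror SA on {name_b}; the crypto ACLs are not mirror images")
        elif fa.encaps and not fb.decaps:
            findings.append(f"{label}: {name_a} encrypts but {name_b} decrypts nothing; ESP is not arriving")
        elif fb.decaps and not fb.encaps:
            findings.append(f"{label}: {name_b} decrypts {fb.decaps} packets but encrypts none; "
                            f"replies on {name_b} bypass the crypto map (NAT, crypto ACL miss or routing)")
        elif classify(fa) == "bidirectional" and classify(fb) == "bidirectional":
            findings.append(f"{label}: healthy")
        else:
            findings.append(f"{label}: idle")
    return findings


# Constructed from the thread's ASA counters: encrypts toward 172.19.194.0/24, decrypts nothing.
ASA_OUTPUT = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      #pkts encaps: 2178, #pkts encrypt: 2178, #pkts digest: 2178
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed from the thread's router counters: decrypts those packets, encrypts no replies.
ROUTER_OUTPUT = """\
interface: Dialer0
    Crypto map tag: mycryptomap, local addr 78.x.x.41

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.206.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13801, #pkts decrypt: 13801, #pkts verify: 13801
"""

if __name__ == "__main__":
    for finding in diagnose("ASA", ASA_OUTPUT, "router", ROUTER_OUTPUT):
        print(finding)
```

Run against the outputs from this thread it reports one flow, 172.19.209.0/24 to 172.19.194.0/24, with the router decrypting 13801 packets and encrypting none, which is exactly the NAT-before-encryption problem the later replies track down. A "send-only" ASA with an "idle" router flow would instead point at ESP being lost between the peers.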

Just look at your router config again, and you have the following 2 lines:

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload

The first line with ACL 1 is incorrect. You will have to merge the NAT to the second line as follows:

access-list 105 permit ip 172.19.194.0 0.0.0.255 any

Then remove the first line:

no ip nat inside source list 1 interface Dialer0 overload

Then clear the translation:

clear ip nat trans *

VPN tunnel should work after the above changes.

Hope that helps.

Jennifer, thanks again.

I have made the changes as advised but it is the same issue.

We are getting matches on access-list 101 but not on access-list 105 for 172.19.194.x to 172.19.209.x.

Please advise.

sh crypto ipsec sa on the router is:

local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
  PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13968, #pkts decrypt: 13968, #pkts verify: 13968

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

The access-lists on the router are now:

Extended IP access list 101
    10 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log (4 matches)
    50 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log (13995 matches)
Extended IP access list 105
   5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

On ASA

ASA# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

      access-list Outside_cryptomap_20_1 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      current_peer: 78.x.x.41

     #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 139, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

Your permit statement in ACL 105 needs to be at the bottom so it is matched last, as it is the most general entry.

You currently have:

Extended IP access list 105
   5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

It should be:

Extended IP access list 105
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)

To remove it and add it to the bottom:

ip access-list extended 105
 no 5
 60 permit ip 172.19.194.0 0.0.0.255 any

Then "clear ip nat trans *"

and it should work now.
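Two points in this thread come down to the same rule, Cisco's first-match ACL evaluation: the mirror-image requirement for the crypto ACLs raised in the first reply, and the ordering fix for the NAT-exemption ACL 105 in the reply just above. The Python below is an added example, not code from this thread or from Cisco, that models that rule on the ACL entries posted above. It parses IOS wildcard-mask and ASA netmask entries into one representation, shows that `5 permit ip 172.19.194.0 0.0.0.255 any` shadows every deny below it so VPN-bound traffic is translated by the `nonat` route-map and never matches the crypto map, and checks that the router and ASA crypto ACLs are exact mirrors. The test addresses 172.19.194.10, 172.19.209.10 and 198.51.100.7 are made up.

```python
"""Added example (not from the thread): Cisco first-match ACL evaluation and
crypto-ACL mirroring, run over the ACL entries posted in this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    seq: int | None
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def _take_net(tok: list[str], i: int, asa: bool) -> tuple[Net, int]:
    """Consume one address spec ('any', 'host A' or 'A mask') starting at tok[i].
    IOS writes a wildcard mask and the ASA a netmask, so IOS masks are inverted."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(f"{tok[i + 1]}/32"), i + 2
    addr, mask = tok[i], tok[i + 1]
    if not asa:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Net(f"{addr}/{mask}", strict=False), i + 2


def parse_ace(line: str, asa: bool = False) -> Ace:
    """Accept running-config lines ('access-list 105 deny ip ...') as well as show
    output ('50 deny ip ...' on IOS, 'line 2 extended permit ip ...' on the ASA)."""
    tok = line.split()
    seq = None
    if tok[0] == "access-list":
        tok = tok[2:]
    if tok[0] == "line":
        seq, tok = int(tok[1]), tok[2:]
    if tok[0] == "extended":
        tok = tok[1:]
    if tok[0].isdigit():
        seq, tok = int(tok[0]), tok[1:]
    if tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _take_net(tok, 2, asa)
    dst, _ = _take_net(tok, i, asa)   # a trailing 'log' or hit count is ignored
    return Ace(seq, tok[0], src, dst)


def acl(text: str, asa: bool = False) -> list[Ace]:
    return [parse_ace(line, asa) for line in text.strip().splitlines()]


def first_match(entries: list[Ace], src: str, dst: str) -> Ace | None:
    """Cisco ACLs stop at the first matching entry; no match is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((a for a in entries if s in a.src and d in a.dst), None)


def will_be_natted(acl105: list[Ace], src: str, dst: str) -> bool:
    """With 'ip nat inside source route-map nonat ...' and 'match ip address 105',
    a packet is translated only when ACL 105 permits it."""
    m = first_match(acl105, src, dst)
    return m is not None and m.action == "permit"


def mirror_image(router_acl: list[Ace], asa_acl: list[Ace]) -> bool:
    """Crypto ACLs must be exact mirrors: every permitted (src, dst) on the router
    appears as (dst, src) on the ASA, with nothing extra on either side."""
    router = {(a.src, a.dst) for a in router_acl if a.action == "permit"}
    asa = {(a.dst, a.src) for a in asa_acl if a.action == "permit"}
    return router == asa


# ACL 105 as first posted: the permit at sequence 5 shadows every deny below it.
ACL105_BROKEN = acl("""
5 permit ip 172.19.194.0 0.0.0.255 any
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
""")
# ACL 105 after the fix: specific denies first, the general permit last.
ACL105_FIXED = acl("""
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
60 permit ip 172.19.194.0 0.0.0.255 any
""")
# The corrected router crypto ACL 101 and the ASA's Outside_cryptomap_20_1
ROUTER_101 = acl("""
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255
""")
ASA_CRYPTO = acl("""
access-list Outside_cryptomap_20_1 line 1 extended permit ip 172.19.206.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
access-list Outside_cryptomap_20_1 line 2 extended permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=5)
access-list Outside_cryptomap_20_1 line 3 extended permit ip 172.19.203.0 255.255.255.0 172.19.194.0 255.255.255.0 (hitcnt=0)
""", asa=True)
```

With the broken ACL 105, a reply from 172.19.194.10 to 172.19.209.10 hits sequence 5 and is translated to the Dialer0 address, so its new source no longer matches crypto ACL 101 and it leaves the router in the clear; with the fixed ordering the same packet hits the deny at sequence 50, stays untranslated, and matches the crypto map. The mirror check passes for the corrected ACL 101 against the ASA's crypto ACL and fails for the original bidirectional version, which carries reverse-direction proxy identities the ASA never proposes.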

Jennifer,

Thank you very much,

I understand; the problem has now been resolved.

Thank you very much for your support and cooperation.

Regards