We would like to build an IPSec tunnel to a customer of ours. We have several tunnels and they are working fine, but this one just won't come up.
This is the scenario: we can use 2 IP addresses to connect to the customer, and we use natting to translate some IP ranges from the inside to those 2 IP addresses. When I start a ping from the inside (192.168.40.30 to be exact) to the cust.ip.addres.17, nothing happens.
I've tried debug crypto ipsec/isakmp, but they don't show me any info on this tunnel. I don't see anything in the logs about this tunnel either. It seems that it doesn't use the tunnel to try to get to the customer IP.
What am I doing wrong?
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
access-list crypto_customer remark VPN Tunnel to customer
access-list crypto_customer extended permit ip our.ip.addr.104 255.255.255.254 cust.ip.addr.16 255.255.255.248
access-list nat_customer remark NAT for VPN tunnel to customer
access-list nat_customer extended permit ip 192.168.45.0 255.255.255.0 cust.ip.addr.16 255.255.255.248
access-list nat_customer extended permit ip host 192.168.40.30 cust.ip.addr.16 255.255.255.248
global (outside) 3 our.ip.addr.104
nat (inside) 3 access-list nat_customer
static (inside,outside) our.ip.addr.104 192.168.40.2 netmask 255.255.255.255 dns
static (inside,outside) our.ip.addr.105 192.168.40.67 netmask 255.255.255.255 dns
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 140 match address crypto_customer
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer PEERIP
crypto map outside_map 140 set transform-set ESP_AES_SHA
crypto map outside_map 140 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
tunnel-group PEERIP type ipsec-l2l
tunnel-group PEERIP ipsec-attributes