Dynamic IPsec between a statically assigned ASA and Dynamic IOS router

I have configured a 2811 router to bring up a IPsec VPN tunnel between it and my corporate ASA. I followed cisco document 81883, but it is not working. from the debugs on the ASA and router it doesn't even look like the router is trying to establish phase1. Am I missing something.....


Celebration2811(config)#do sh run
Building configuration...


Current configuration : 1860 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Celebration2811
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
no logging console
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.30.39.2 10.30.39.20
!
ip dhcp pool Celebration
   network 10.30.39.0 255.255.255.0
   dns-server 10.1.200.108 10.1.200.16 10.1.200.45
   netbios-name-server 10.1.200.17
   default-router 10.30.39.1
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.10.10.10
!
!
crypto ipsec transform-set asa-set esp-3des esp-md5-hmac
!
crypto map asa 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set asa-set
 match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
 description outside DSL service
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map asa
!
interface FastEthernet0/1
 description Internal Network
 ip address 10.30.39.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet0/0 overload
!
access-list 101 permit ip 10.30.39.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.30.39.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
 match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
dtadminAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dtadminAuthor Commented:
i modified ACL 110 as follows:

access-list 110 deny   ip 10.30.39.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.30.39.0 0.0.0.255 any
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.