Cisco ASA - L2L VPN setup - Dynamic IP - Static IP - Packet Tracer

I am trying to configure an L2L VPN between two 5505s running 8.2. I think I have all the settings correct but I am having trouble confirming. I am trying to confirm that this setup will work by using packet tracer. Here is the config of the Dynamic side with the packet tracer output after. I know having the other side's config listed is good too but I know that is correct. It isn't connecting and I've noticed that the packet tracer output drops the packet at encrypt, and the access-list for nonat isn't incrementing but the VPN "interesting traffic" access-list is.

Dynamic IP side:

access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.255.0

crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
crypto map VPNMAP 10 set transform-set VPNSET
crypto map VPNMAP interface outside

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto isakmp nat-traversal 10

tunnel-group IPofPEER type ipsec-l2l
tunnel-group IPofPEER ipsec-attributes
 pre-shared-key *****

Output of show access-list:

access-list nonat; 1 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x22d25f22
access-list VPN; 1 elements; name hash: 0x5ff33dc8
access-list VPN line 1 extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=62) 0xe7f8523d

Packet Tracer Output:
packet-tracer input inside icmp 10.10.0.10 8 0 10.1.1.7

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97611f0, priority=0, domain=inspect-ip-options, deny=true
        hits=78459, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9760e68, priority=66, domain=inspect-icmp-error, deny=false
        hits=2431, user_data=0xc9760d50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.10.0.0 255.255.255.0 outside 10.1.1.0 255.255.255.0
    NAT exempt
    translate_hits = 12, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc98fbc38, priority=6, domain=nat-exempt, deny=false
        hits=12, user_data=0xc98001d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (66.31.98.174 [Interface PAT])
    translate_hits = 76372, untranslate_hits = 4227
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97e1cf0, priority=1, domain=nat, deny=false
        hits=77803, user_data=0xc97e1c30, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.0.0 255.255.255.0
  match ip inside 10.10.0.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97648b0, priority=1, domain=host, deny=false
        hits=81173, user_data=0xc97bb128, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc97ba9c8, priority=0, domain=host-limit, deny=false
        hits=80447, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc97fdb30, priority=70, domain=encrypt, deny=false
        hits=32, user_data=0x0, cs_id=0xc6b80f50, reverse, flags=0x0, protocol=0
        src ip=10.10.0.0, mask=255.255.255.0, port=0
        dst ip=10.1.1.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Thoughts?
farroar asked:
anoopkmr commented:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_bypassing.html

Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.


I assume it's a type error; otherwise correct it:
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map VPNMAP 10 match address ASPEN_VPN


Also show the output of "show crypto ipsec sa peer IPofPEER" from the dynamic side.

It's better to show the static end config also.
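A consistency check for the two things raised in this thread (a crypto map whose match address points at an ACL that does not exist, and interesting traffic that the nat 0 exemption ACL does not also cover), as an added example that is not part of the original thread. It is a Python script over a constructed config in the shape of the dynamic side posted above; the function name and the exact ASA 8.2 line forms it parses are assumptions.

```python
import re

# Constructed sample in the shape of the dynamic side posted above: the crypto
# map references ASPEN_VPN, but only the ACLs VPN and nonat are defined.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN extended permit ip 10.10.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map VPNMAP 10 match address ASPEN_VPN
crypto map VPNMAP 10 set peer IPofPEER
tunnel-group IPofPEER type ipsec-l2l
"""

# Assumed line shapes (8.2-style syntax as shown in the thread).
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def check_l2l_config(config):
    """Return findings: dangling ACL/tunnel-group references in crypto maps,
    and crypto ACL entries (interesting traffic) that are not NAT-exempt."""
    acls, l2l_groups, nat0_acls, findings = {}, set(), [], []
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:                      # pass 1: collect definitions
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := TG_RE.match(line):
            l2l_groups.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m.group(1))
    exempt = set().union(*(acls.get(n, set()) for n in nat0_acls))
    for line in lines:                      # pass 2: validate references
        if m := MATCH_RE.match(line):
            cmap, seq, acl = m.groups()
            if acl not in acls:
                findings.append(f"crypto map {cmap} {seq}: match address ACL '{acl}' is not defined")
            else:
                for src, dst in sorted(acls[acl] - exempt):
                    findings.append(f"crypto map {cmap} {seq}: {src} -> {dst} is not NAT-exempt")
        elif (m := PEER_RE.match(line)) and m.group(3) not in l2l_groups:
            findings.append(f"crypto map {m.group(1)} {m.group(2)}: peer '{m.group(3)}' has no ipsec-l2l tunnel-group")
    return findings

if __name__ == "__main__":
    for finding in check_l2l_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports only the ASPEN_VPN reference; once that name is corrected to VPN it reports nothing, and if the nat 0 line is removed it flags the 10.10.0.0/24 to 10.1.1.0/24 entry as not NAT-exempt.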

farroar (author) commented:
Seems the type error comment pointed me in the right direction. I have it setup as a static currently but will be converting it to dynamic once the static side has some configuration changes made to it.

Thanks.