Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hello Azrim

First of all, where did you run the debug process? The encryption and decryption numbers you shared, are those on the same device? On the ASA 5505x? This will help us to further pinpoint the location of the problem.

I suggest you run the same debugs on both ends to see where you get encrypts and where you get decrypts. We will then be able to see if the pings reach the remote device or not.

In any case, it is a good assumption to suspect NAT, but you will have to do the debugs to verify that and see what needs to be changed.

Without knowing more about the diagnostics you have collected, I can give you some general guidelines that may help in performing your troubleshooting:

  • Check NAT Exemption: Make sure that you’ve set up NAT exemption correctly on both sides. The traffic that is going through the tunnel should be exempted from NAT.
  • Check Access Lists: Verify that the access lists used in the crypto map of both firewalls are mirror images of each other. They should permit the traffic from the local network to the remote network and vice versa.
  • Check Routing: Make sure that the routing is set up correctly. Both firewalls should know how to reach the subnets on the other side of the tunnel.
  • Check IPsec Parameters: Verify that the IPsec parameters (IKE version, encryption and hash algorithm, Diffie-Hellman group, and lifetime) match on both sides. It is likely that this is OK since your tunnel is up, however, it’s due diligence…
  • Check Tunnel Group: Check the tunnel group and group policy settings on the FPR 2110. Make sure that the correct settings are applied for the tunnel.
  • Debugging: Enable debugging on both devices to get more information about what’s happening. Use the ‘debug crypto ipsec’ and ‘debug crypto isakmp’ commands.

Let us know how you get along, and if you need further help.

I hope this has been helpful!

Laz
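As an added illustration of the "mirror image" check in the access-list item above (not part of Laz's reply or of the poster's configuration), this script parses the crypto-map ACL dump from each firewall and reports every source/destination pair that has no reversed counterpart on the other side. ACL names, subnets and the ASA-A/FPR-B labels are constructed sample values.

```python
"""Check that two Cisco ASA crypto-map access lists are mirror images.

Constructed example for the troubleshooting checklist; the ACL names,
subnets and ASA-A / FPR-B labels are assumed, not taken from a real config.
"""
import ipaddress
import re

# Matches the classic ASA extended ACE form used in crypto maps:
#   access-list <name> extended permit ip <src> <src-mask> <dst> <dst-mask>
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

def parse_crypto_acl(config: str) -> set[tuple[str, str]]:
    """Return the set of (src_network, dst_network) pairs found in an ACL dump."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.search(line.strip())
        if not m:
            continue  # skip remarks, object-group ACEs and non-ip entries
        # strict=False lets a host bit in the address pass; netmask form is accepted
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        pairs.add((str(src), str(dst)))
    return pairs

def mirror_mismatches(local_acl: str, remote_acl: str) -> dict[str, set]:
    """Pairs on one side whose reversed (dst -> src) pair is missing on the other.

    Both sets empty means the two crypto ACLs are exact mirror images.
    """
    local = parse_crypto_acl(local_acl)
    remote_reversed = {(d, s) for s, d in parse_crypto_acl(remote_acl)}
    return {
        "local_without_remote_mirror": local - remote_reversed,
        "remote_without_local_mirror": remote_reversed - local,
    }

# Constructed sample ACLs: ASA-A protects two local subnets, FPR-B lists only one,
# so traffic from 10.1.1.0/24 would be encrypted on one side and dropped on the other.
ASA_A_ACL = """
access-list VPN-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
"""
FPR_B_ACL = """
access-list VPN-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for side, missing in mirror_mismatches(ASA_A_ACL, FPR_B_ACL).items():
        print(side, sorted(missing))
```

Paste the output of `show running-config access-list` from each side into the two strings; any pair reported is a crypto ACL entry that will not be matched by the peer.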