Moving Site-Site vpn to DMZ

jcw009 (Level 1)

Hi,

I recently set up a site-site VPN between a PIX 515 running 6.3(5) and a Juniper NetScreen. The tunnel was configured to only allow communication between two hosts, one on each end of the tunnel. Then the client wanted to move the host behind the PIX to their DMZ. We made the appropriate changes to the nat 0 and match address list ACLs, but now it stopped working.

When I do a sh crypto ipsec sa, I get decaps and decrypt packets, but no encaps and encrypt packets. A sh isakmp sa shows an active tunnel between the two endpoints.

I'm not sure where to look from here. Haven't found anything on Google.

Here's the current output from sh crypto ipsec sa:

local ident (addr/mask/prot/port): (192.168.210.50/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.0.36/255.255.255.255/0/0)
current_peer: a.b.c.d:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 38, #pkts decrypt: 5741, #pkts verify 5741
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 5703
local crypto endpt.: z.y.x.w, remote crypto endpt.: a.b.c.d
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

Thanks!

-Jeff

4 Replies

acomiskey (Level 10)

You did nat exemption like this, right?

nat (dmz) 0 access-list ...

No, I did not. Right now the nat statements are:

SMIC-PIX# sh ru | g nat
nat (inside) 0 access-list NoNatToDmz
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 206.201.139.0 255.255.255.0 0 0
nat (smicdmz) 1 192.168.210.0 255.255.255.0 0 0
SMIC-PIX#

Can I have two nat 0 statements?

The traffic which is to be exempt from nat is coming from the dmz, right, not the inside?

So the nat (inside) 0 statement wouldn't do anything for your dmz vpn traffic. Yes you can have 2 nat 0 statements.

nat (smicdmz) 0 access-list dmz_to_vpn

Yup. That was it. Thanks for your help!
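The exemption discussed in this thread, laid out as one complete PIX 6.3 fragment so the pieces can be seen together; this is an added example, not configuration posted by either participant. The interface name smicdmz, the ACL name dmz_to_vpn, the existing nat statements and the two host addresses come from the thread; the crypto ACL name vpn_traffic and the crypto map name outside_map are assumed placeholders, and lines starting with ! are annotations rather than PIX commands.

```text
! Outbound order of operations on the PIX: NAT is applied before the
! crypto map is consulted. A DMZ source translated by "nat (smicdmz) 1"
! no longer matches the crypto ACL, so it leaves unencrypted; that is
! why decaps/decrypt counters climb while encaps/encrypt stay at 0.
! The exemption therefore has to sit on the interface the traffic
! enters (smicdmz). The nat (inside) 0 statement never sees it.

! Crypto ACL: the traffic the tunnel protects (assumed name vpn_traffic)
access-list vpn_traffic permit ip host 192.168.210.50 host 10.1.0.36

! NAT exemption ACL for the DMZ side, mirroring the crypto ACL exactly
access-list dmz_to_vpn permit ip host 192.168.210.50 host 10.1.0.36

! Translation rules. nat 0 access-list is evaluated before the numbered
! nat rules, so the exemption wins over the PAT rule for the same subnet.
nat (inside) 0 access-list NoNatToDmz
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 206.201.139.0 255.255.255.0 0 0
nat (smicdmz) 0 access-list dmz_to_vpn
nat (smicdmz) 1 192.168.210.0 255.255.255.0 0 0

! Crypto map entry selecting the same traffic (assumed map name;
! peer a.b.c.d as shown in the thread). Transform set and interface
! binding are unchanged by the move and are not repeated here.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer a.b.c.d
```

After the change, a sh crypto ipsec sa should show both encaps and decaps counters increasing and a non-zero current outbound spi; if encaps still stay at 0, the exemption ACL and the crypto ACL do not describe the same hosts.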
