How to send Internet traffic to VPN tunnel endpoint & not outside interface

murray-davis
Level 1

Two endpoints, a PIX 501 and a PIX 515, connected with an IPSEC tunnel. The PIX 501 uses DHCP to get its IP address and route info. Therefore, all internet traffic goes out the outside interface. I want to send internet traffic to the tunnel endpoint where the 505 is so that our application layer firewall can apply policies. How do I accomplish this?

9 Replies

acomiskey
Level 10

Specify your interesting traffic and NAT exemption ACLs as being to any in the 501, then all traffic will pass over the tunnel.

Also, you said 505, did you mean 515?

Please rate helpful posts.

Yes, I meant 515. Here is my acl:

access-list NONAT permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list NONAT permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list EDM permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list EDM permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0

So, if I understand you correctly, I need to add the following to my acls at the 501 end and do the same at the 515 end for the corresponding EDM acl for the tunnel:

access-list NONAT permit ip any any

access-list EDM permit ip any any

Is this correct?

Thank you for your response.

Not exactly. If you add those lines to the 515, then all traffic from the 515 will go over the tunnel as well, which you don't want, right?

I would make it like this...

501

access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
access-list EDM permit ip 192.168.7.0 255.255.255.0 any

515

access-list NONAT permit ip any 192.168.7.0 255.255.255.0
access-list EDM permit ip any 192.168.7.0 255.255.255.0

This way, all traffic from the 501 will cross the tunnel, but only traffic for 192.168.7.0/24 will cross the tunnel from the 515.

Did that help?
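The asymmetry described in this reply (the 501 encrypts everything it sends, the 515 only encrypts what is destined for 192.168.7.0/24) is easy to get backwards, so here is an added example, not from the thread or from Cisco, that simulates which flows each side's crypto-map ACL would select for the tunnel. It parses the PIX 6.x style "access-list NAME permit ip SRC MASK DST MASK" entries quoted above (subnet masks, not wildcard masks, with the "any" keyword), checks the local ACL for the flow and the peer's ACL for the mirror image of the flow, and compares the original EDM ACL, the proposed one-sided "any" ACL and the rejected "any any" variant. The host addresses are constructed for the demo (198.51.100.5 stands in for an arbitrary Internet host). It models only ACL selection, not whether the 515 can actually forward the traffic back out its outside interface.

```python
"""Simulate which flows a PIX crypto-map ACL sends into the IPsec tunnel.

Added illustration for the thread above; not vendor code. Entries are
parsed in PIX 6.x form: ordinary subnet masks and the 'any' keyword.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_ace(line):
    """Parse one 'access-list NAME permit ip SRC MASK DST MASK' entry.

    Returns (acl_name, src_network, dst_network).
    """
    tok = line.split()
    if tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {line}")
    rest = tok[4:]

    def take(parts):
        # 'any' has no mask; otherwise consume an address/mask pair.
        if parts[0] == "any":
            return ANY, parts[1:]
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        return net, parts[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return tok[1], src, dst


def parse_acl(config, name):
    """Collect the entries of the named ACL from a config fragment,
    ignoring unrelated lines such as 'nat (inside) 0 ...'."""
    acl = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if line.startswith("access-list"):
            acl_name, src, dst = parse_ace(line)
            if acl_name == name:
                acl.append((src, dst))
    return acl


def matches(acl, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


def path(local_acl, remote_acl, src_ip, dst_ip):
    """Where does a flow sent from the local PIX go?

    'outside'  - not interesting traffic; routed out the outside interface.
    'tunnel'   - matched locally and the peer's ACL matches the mirror
                 (dst -> src), so both sides agree on the proxy identities.
    'mismatch' - matched locally but the peer would not accept it.
    """
    if not matches(local_acl, src_ip, dst_ip):
        return "outside"
    if not matches(remote_acl, dst_ip, src_ip):
        return "mismatch"
    return "tunnel"


# Configs quoted in the thread (EDM on the 501, FTMAC on the 515).
ORIGINAL_501 = """
access-list EDM permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
PROPOSED_501 = "access-list EDM permit ip 192.168.7.0 255.255.255.0 any"
PROPOSED_515 = "access-list FTMAC permit ip any 192.168.7.0 255.255.255.0"
ANY_ANY_515 = "access-list FTMAC permit ip any any"  # the rejected variant

# Constructed demo hosts: one behind each PIX, one on the Internet.
HOST_501, HOST_515, INTERNET = "192.168.7.10", "10.1.2.3", "198.51.100.5"


def scenarios():
    """Return {label: path} for the cases the thread discusses."""
    orig_501 = parse_acl(ORIGINAL_501, "EDM")
    new_501 = parse_acl(PROPOSED_501, "EDM")
    new_515 = parse_acl(PROPOSED_515, "FTMAC")
    anyany_515 = parse_acl(ANY_ANY_515, "FTMAC")
    return {
        "original 501 -> Internet": path(orig_501, new_515, HOST_501, INTERNET),
        "proposed 501 -> Internet": path(new_501, new_515, HOST_501, INTERNET),
        "proposed 501 -> 515 LAN": path(new_501, new_515, HOST_501, HOST_515),
        "proposed 515 -> Internet": path(new_515, new_501, HOST_515, INTERNET),
        "any/any 515 -> Internet": path(anyany_515, new_501, HOST_515, INTERNET),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:28s} {result}")
```

The last two rows are the point of the reply: with the one-sided "any" the 515's own Internet traffic stays "outside", while an "any any" entry on the 515 would try to push that traffic into the tunnel (where the 501's ACL does not match it).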

Sorry for the delay, fires to put out... I hope to return to this issue later today. I will test and definitely let you know.

Regards,

Tried today. The tunnel came up, but Internet did not work. Here are the commands/changes that I made, with public IP info x/y'd out.

501 config

no access-list NONAT
access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
no crypto map newmap 10
no access-list EDM
access-list EDM permit ip 192.168.7.0 255.255.255.0 any
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address EDM
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set ESP-3DES-SHA
crypto map newmap interface outside

505 config

no crypto map outside_map 10
no access-list FTMAC
access-list FTMAC permit ip any 192.168.7.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address FTMAC
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA

The NAT info at the 505 end is set up for numerous sites, not just the FTMAC site. I did not change those rules.

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

Hello,

This is going to depend on whether the 515 is the firewall through which you route all your internet traffic.

It's not going to be possible with version 6 PIX software. Version 7 lets you re-route traffic back out the interface it came in on.

Unless you can force users to a proxy on an internal network on the 515, it's not going to work.

murray, sorry about that, I thought you had that part worked out. As the previous poster said, you will need your 515 to be on version 7 for this to work unless you have some proxy on the inside. Here is the document for public internet on a stick.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Thank you, Acomiskey, for the link. Yes, unfortunately we are at v6.3. We have delayed upgrading because we use PPTP VPN tunneling and are in the process of evaluating the ASA5500 series. Thanks for your help.
