ASA 5510 VPN Site To Site problems

djemba-djemba (Level 1)

Dear Experts,

I have set a site to site VPN in two ASA5510 Firewall.

The IKE and encryption settings are the same on both sides, but I don't know why actions such as ping and telnet result in a request timeout.

The attached document shows two logs from the ASA when I do the ping, although the ping does not work. But I can see that the VPN connection seems to be established.

Here is some information.

Site A: 202.120.70.70

LOCAL IP: 192.168.96.0

Site B: 217.17.146.46

LOCAL IP : 10.1.1.0

VPN settings on both sides:

IKE: 3DES, SHA, DH group 2

Encryption: 3DES, SHA, PFS: DH group 2

Protected networks:

Site   Local          Remote
A      192.168.96.0   10.1.1.0
B      10.1.1.0       192.168.96.0

Experts, any idea what the problem is, or any troubleshooting tips?


Marwan ALshawi (VIP Alumni)

Do you have NAT 0 configured correctly? I mean NAT exemption.

I used ASDM to set up the VPN; I think it processed that automatically and it should be the default setting.

Do you have an example of the format of the statement?

I mean something like:

Site A, interface outside, allow, Site A IP / Site B IP.

Thanks very much.

singhsaju (Level 4)

If you have properly applied NAT exemption for your protected networks' traffic,

can you remove PFS from both sides and then check?

HTH

Saju

Please rate helpful posts

One of my firewalls is a 5510 K9 with the security license; I cannot disable PFS on that firewall. I think it is set to DH group 2 by default.

But I have tested removing the NAT exemption on both sides, and still nothing changed.

Sorry, I am a beginner; thanks for your patience.

Thanks! Experts!

Can you run the following on the firewall:

show run

and put the config here?

I was going to post the running config here,

but today I found that, when I re-configured a VPN (one end using a Cisco 5510, the other end using a NetScreen firewall), I think the VPN was established, but it is very strange: I can ping some servers/PCs from the NetScreen's network to the Cisco's network, but some I cannot, and I can reach some web servers' pages in the Cisco's network, but some I cannot.

But the access rule I have already set permits all communication between the two sites' devices.

What do you think?

Sometimes, when I do the ping, the ping times out, but in the log of the 5510 I see the ICMP connection being built and then torn down.

But there are no reasons and no errors.

Do you think it is caused by the switch, not the firewall rules?

And sometimes, when I ping some of the servers in the 5510's network, it displays a message such as "no translation" from the source IP to the destination IP.

But both networks are supposed to be fully permitted.

Please help me.

Thanks!!!
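The two log symptoms described in the post above mean different things, and it is worth separating them mechanically. A "Built ... ICMP connection" followed by a "Teardown ICMP connection" with no error only proves that the ASA accepted the flow; an ICMP "connection" is torn down either when the reply arrives or when the short ICMP idle timeout (two seconds by default) expires, so a clean build/teardown pair does not show that a reply ever came back. A "No translation group found" message (ASA message ID 305005) is different: the packet reached NAT and no rule matched it, which is exactly what a NAT exemption that does not cover that source/destination pair looks like. The script below is an added example, not part of the original thread; the log lines are constructed approximations of ASA message formats 302020, 302021 and 305005, and the host addresses 192.168.96.10, 10.1.1.5 and 10.1.1.7 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread) approximating three ASA
# message formats: 302020 (ICMP connection built), 302021 (ICMP connection torn
# down) and 305005 (no translation group found). Hosts are assumptions:
# 192.168.96.10 on the inside, 10.1.1.5 and 10.1.1.7 at the remote site.
SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 10.1.1.5/0 gaddr 192.168.96.10/1 laddr 192.168.96.10/1
%ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.5/0 gaddr 192.168.96.10/1 laddr 192.168.96.10/1
%ASA-3-305005: No translation group found for icmp src inside:192.168.96.10 dst outside:10.1.1.7 (type 8, code 0)
%ASA-6-302020: Built outbound ICMP connection for faddr 10.1.1.5/0 gaddr 192.168.96.10/2 laddr 192.168.96.10/2
%ASA-6-302021: Teardown ICMP connection for faddr 10.1.1.5/0 gaddr 192.168.96.10/2 laddr 192.168.96.10/2
%ASA-3-305005: No translation group found for icmp src inside:192.168.96.10 dst outside:10.1.1.7 (type 8, code 0)
"""

BUILT = re.compile(
    r"%ASA-\d-302020: Built (?:inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/\d+")
TEARDOWN = re.compile(
    r"%ASA-\d-302021: Teardown ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/\d+")
NO_XLATE = re.compile(
    r"%ASA-\d-305005: No translation group found for \w+ "
    r"src \w+:(?P<src>[\d.]+)(?:/\d+)? dst \w+:(?P<dst>[\d.]+)(?:/\d+)?")


def summarize(log_text):
    """Count built / teardown / no-translation events per (local host, remote host)."""
    stats = defaultdict(lambda: {"built": 0, "teardown": 0, "no_xlate": 0})
    for line in log_text.splitlines():
        if (m := BUILT.search(line)):
            stats[(m["laddr"], m["faddr"])]["built"] += 1
        elif (m := TEARDOWN.search(line)):
            stats[(m["laddr"], m["faddr"])]["teardown"] += 1
        elif (m := NO_XLATE.search(line)):
            stats[(m["src"], m["dst"])]["no_xlate"] += 1
    return dict(stats)


def verdict(counters):
    """Map the counters for one host pair to what the ASA is telling us."""
    if counters["no_xlate"]:
        # NAT was consulted and nothing matched: the NAT exemption does not
        # cover this source/destination pair, so the packet never reached IPsec.
        return "nat-exemption-missing"
    if counters["built"]:
        # The ASA created the flow; build/teardown alone does not prove a reply
        # came back (the ICMP connection also times out on its own), so the
        # remaining suspects are the return path and the far end.
        return "asa-permitted"
    return "no-flow-seen"


def report(log_text):
    return {pair: verdict(c) for pair, c in summarize(log_text).items()}


if __name__ == "__main__":
    for (local, remote), v in sorted(report(SAMPLE_LOG).items()):
        print(f"{local} -> {remote}: {v}")
```

Run it against a `show logging` capture taken while the test pings are running; every pair that comes back `nat-exemption-missing` is a pair the NAT 0 / NAT exemption rule has to cover before anything else in the thread is worth checking.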

sarikareddy (Level 1)

Have you allowed ICMP on the outside interface, and telnet too?

Try:

icmp permit any outside

Remember, you can't access the device from the outside interface without IPsec enabled. What it means is, you need to make a secure tunnel first, then give telnet permissions. I would personally suggest you use SSH.

Type:

ssh 0.0.0.0 0.0.0.0 outside

Thanks,

I already set (src) Any (dst) Any IP on the outside interface.

It still does not seem to work.

Can you post the configs of both so we can see the whole configuration?

Finally, I ran the commands "show crypto ipsec sa" and "show crypto isakmp".

Attached are the mentioned config files of the two ASA 5510s.

Current status:

I think the VPN tunnel has already been set up. I have some web sites on the 217 network's subnet (10.1.1.0), and clients on the 202 network's subnet (192.168.96.0) are supposed to be able to browse them.

However, some of the web sites on 10.1.1.0 display but some do not.

In the firewall log I saw no error messages, but the sessions are automatically torn down.

I am now wondering whether the problems are caused by the security level of the interfaces.

Because I think the access lists do not have problems.

(PS: the security level of both the outside and inside interfaces is 100, on both firewalls; all servers are connected to a 2960 switch which is connected to the inside interface of the firewall.)

I also attached the "show running-config" of the 217 network's firewall. 217 contains some web servers on the "Inside" interface.

Please advise, thanks
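"The tunnel seems to be up" is the weakest statement in the post above; `show crypto ipsec sa` answers a stronger question, because its `#pkts encaps` and `#pkts decaps` counters show whether traffic is actually entering the tunnel in each direction, and the `local ident` / `remote ident` lines show which proxy identities the two ASAs negotiated. A tunnel with encaps climbing and decaps stuck at zero is the classic signature of the far side not returning traffic through IPsec (its NAT exemption or return route), and a proxy identity narrower than the intended /24 explains "some hosts work, some do not". The parser below is an added example, not part of the original thread or Cisco's own tooling; the output fragment is a constructed approximation of the ASA `show crypto ipsec sa` layout, and the crypto-map name, the /24 masks and the counter values are assumptions.

```python
import re
import ipaddress

# Constructed fragment (not from the thread) approximating the layout of
# "show crypto ipsec sa" on an ASA. Crypto-map name, /24 masks and counter
# values are assumptions; the peer addresses are the ones given in the thread.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 202.120.70.70

      access-list outside_1_cryptomap permit ip 192.168.96.0 255.255.255.0 10.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.96.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 217.17.146.46

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER = re.compile(r"current_peer: ([\d.]+)")
ENCAPS = re.compile(r"#pkts encaps: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote proxy identity (CIDR), peer, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            side, addr, mask = m.groups()
            # The ASA prints dotted masks; normalise to prefix notation for comparison.
            net = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            if side == "local":
                cur = {"local": net, "remote": None, "peer": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = net
            continue
        if cur is None:
            continue
        if (m := PEER.search(line)):
            cur["peer"] = m.group(1)
        elif (m := ENCAPS.search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS.search(line)):
            cur["decaps"] = int(m.group(1))
    return sas


def diagnose(sa, expected_local, expected_remote):
    """Classify one SA by its proxy identities and its encaps/decaps counters."""
    findings = []
    if (sa["local"], sa["remote"]) != (expected_local, expected_remote):
        # The crypto ACLs on the two ASAs are not mirror images of each other.
        findings.append("proxy-id-mismatch")
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        findings.append("no-traffic-in-tunnel")   # nothing ever matched the crypto map
    elif dec == 0:
        findings.append("outbound-only")          # we encrypt, nothing comes back: look at the peer
    elif enc == 0:
        findings.append("inbound-only")           # peer sends, our replies never enter the tunnel
    else:
        findings.append("bidirectional")          # tunnel is fine; the problem is host- or ACL-specific
    return findings


def run(text, expected_local, expected_remote):
    return [(sa["peer"], diagnose(sa, expected_local, expected_remote))
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for peer, findings in run(SAMPLE_SA, "192.168.96.0/24", "10.1.1.0/24"):
        print(f"peer {peer}: {', '.join(findings)}")
```

Run it on the capture from each ASA with that ASA's own local/remote networks; the two results should be mirror images (one side's encaps is the other side's decaps). Clearing the counters with `clear crypto ipsec sa counters` immediately before the test ping keeps the numbers attributable to that one test.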

Sorry, the previous post did not attach the "show" config file.

nameif WebServer), because it is not related to my current problems. Thanks

