Hi Patrick,

Below is my full config, I have no servers on this remote site so the only NAT is a PAT to a global addr.

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password MMMMMMMMMMMMMMMMMM encrypted

passwd NNNNNNNNNNNNNNNNN encrypted

hostname MMMMMMM

domain-name NNNNNNN.org

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_vpn permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list acl_inside permit tcp 192.168.2.0 255.255.255.0 any eq www

access-list acl_inside permit tcp 192.168.2.0 255.255.255.0 any eq lotusnotes

access-list acl_inside permit icmp 192.168.2.0 255.255.255.0 any

access-list acl_inside permit tcp host 192.168.2.35 any eq ssh

access-list acl_inside permit tcp 192.168.2.0 255.255.255.0 any eq domain

access-list acl_inside permit udp 192.168.2.0 255.255.255.0 any eq domain

access-list acl_inside permit tcp 192.168.2.0 255.255.255.0 any eq 1863

access-list acl_inside permit tcp 192.168.2.0 255.255.255.0 any eq https

access-list acl_outside permit icmp any any

access-list acl_outside permit tcp 192.168.2.0 255.255.255.0 any eq https

pager lines 24

logging on

logging trap debugging

logging host inside 192.168.2.35

mtu outside 1500

mtu inside 1500

ip address outside XXX.XXX.XXX.XXX 255.255.255.248

ip address inside 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no pdm history enable

arp timeout 14400

global (outside) 1 XXX.XXX.XXX.XXX

nat (inside) 0 access-list acl_vpn

nat (inside) 1 192.168.2.0 255.255.255.0 0 0

access-group acl_outside in interface outside

access-group acl_inside in interface inside

outbound 1 deny 192.168.2.0 255.255.255.0 80 ip

apply (inside) 1 outgoing_src

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto map mymap 1 ipsec-isakmp

crypto map mymap 1 match address acl_vpn

crypto map mymap 1 set peer 2xxx.xxx.xxx.xxx

crypto map mymap 1 set transform-set Lhoongset

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 3600

telnet 192.168.2.35 255.255.255.255 inside

telnet timeout 5

ssh xxx.xxx.xxx.xxx 255.255.255.255 outside

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.2.35 255.255.255.255 inside

ssh timeout 60

console timeout 0

dhcpd address 192.168.2.100-192.168.2.199 inside

dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

username pixXXX password yyyyyyyyy encrypted privilege 2

terminal width 80

Cryptochecksum:yyyyyyyyyyyyyyyyyyyy

: end

Please assist.

Cheers