EXISTING CONFIG

PIX Version 7.2(1)
!
hostname pixfirewall
domain-name default.domain.invalid
names
!
interface Ethernet0
 description to the outside
 nameif outside
 security-level 0
 ip address 2.100.211.40 255.255.255.0
 ospf cost 10
!
interface Ethernet1
 description internal office
 nameif internal_net
 security-level 100
 ip address 10.11.28.100 255.255.255.0
 ospf cost 10
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group network CoLo
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_nat0_outbound extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
access-list outside_access_in extended permit ip any 2.100.211.40 255.255.255.252 log
access-list outside_access_in extended permit icmp 10.0.10.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.30.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.40.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit icmp 10.0.50.0 255.255.255.0 10.11.28.0 255.255.255.0 echo-reply log
access-list outside_access_in extended permit tcp 10.0.20.0 255.255.255.0 10.11.28.0 255.255.255.0 eq smtp log
access-list outside_access_in extended permit tcp object-group CoLo 10.11.28.0 255.255.255.0 eq 1111 log
access-list internal_net_access_in extended permit ip 10.11.28.0 255.255.255.0 object-group CoLo
nat (outside) 0 access-list outside_nat0_outbound
access-group outside_access_in in interface outside
access-group internal_net_access_in in interface internal_net
route outside 0.0.0.0 0.0.0.0 2.100.211.1 1
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 6.45.82.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 6.45.82.108 type ipsec-l2l
tunnel-group 6.45.82.108 ipsec-attributes
 pre-shared-key *

DON'T KNOW WHAT THE BELOW LINES ARE FOR (doesn't seem to be applied anywhere)

class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

WHAT I ADDED THAT DID NOT WORK

Tested by ping to 209.131.36.158 (yahoo) and ssh and telnet to a couple of public addresses that work using another connection.

nat (inside) 1 0 0
global (outside) 1 2.100.211.40
access-list internal_net_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply log
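As an added example (not part of the original post), a small check that flags PIX commands referencing an interface name that no nameif declares; in the config above the inside interface is named internal_net, while the added nat statement references inside. SAMPLE_CONFIG is a constructed excerpt of the post's own lines, and the command patterns cover only the interface-bound commands that appear in it.

```python
import re

# Constructed excerpt of the post's config: the interface, NAT and
# interface-bound commands, plus the "nat (inside)" line the author added.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif internal_net
 security-level 100
nat (outside) 0 access-list outside_nat0_outbound
access-group outside_access_in in interface outside
access-group internal_net_access_in in interface internal_net
crypto map outside_map interface outside
crypto isakmp enable outside
nat (inside) 1 0 0
global (outside) 1 2.100.211.40
"""

# PIX commands that take an interface name; each group captures one name.
IFACE_REFS = [
    re.compile(r"^(?:nat|global|static) \(([\w-]+)(?:,([\w-]+))?\)"),
    re.compile(r"^access-group \S+ (?:in|out) interface ([\w-]+)$"),
    re.compile(r"^crypto map \S+ interface ([\w-]+)$"),
    re.compile(r"^crypto isakmp enable ([\w-]+)$"),
]


def defined_nameifs(config):
    """Names declared with 'nameif' inside the interface blocks."""
    return set(re.findall(r"^\s*nameif ([\w-]+)$", config, re.M))


def undefined_interface_refs(config):
    """(line, name) pairs whose interface name matches no declared nameif."""
    known = defined_nameifs(config)
    problems = []
    for line in config.splitlines():
        line = line.strip()
        for pat in IFACE_REFS:
            m = pat.match(line)
            if m:
                problems.extend((line, n) for n in m.groups() if n and n not in known)
    return problems


if __name__ == "__main__":
    for line, name in undefined_interface_refs(SAMPLE_CONFIG):
        print(f"'{name}' matches no nameif: {line}")
```

Run against the excerpt it reports only the nat line that names inside; rename that reference to internal_net and the check comes back empty.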