I have a central office PIX and remote sites that use DHCP from the ISP. Central has a static address. I am attempting to set up tunnels that allow access between sites. The tunnels appear to be set up; however, I am unable to connect to anything at the remote sites. I can use the remote client, but only to the central office. I'm missing something obvious, I'm sure. Thanks in advance. Here are the configs.
access-list 120 permit ip 192.168.100.0 255.255.x.x.168.88.0 255.255.255.0
access-list outside_access_in permit tcp any any eq www
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 25.x.x.25 255.x.255.255
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.1.215-192.168.1.225
BTW, do you use your remote PIX to connect your remote-access VPN client, and from there use the same PIX to connect to the central PIX? Or does the central PIX handle both the remote-access VPN client and the remote PIX?
Your phase 1 config looks OK (provided the pre-shared keys match) and it is OK for clients and L2L to use the same policy.
On phase 2 your ACLs should be mirrors of each other and are not: remote has two lines, central has one. Nevertheless, it should still work for the one line they have in common.
The crypto map looks OK.
I believe "isakmp key ******** address 0.0.0.0 netmask 0.0.0.0" would be used only by L2L (not by clients; they'd use "vpngroup cisco password ********"), and you may need to turn off mode config and uauth for L2L:
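As an added example (not part of the original post or the poster's configs), here are the two halves of a PIX 6.x L2L configuration arranged the way the reply above describes: mirrored crypto ACLs on both ends, the wildcard isakmp key restricted to L2L use with no-xauth and no-config-mode so it does not interfere with the VPN client group, and a dynamic crypto map on the central PIX because the remote sites get their outside addresses by DHCP. The ACL name nonat, the transform-set name strong, the map names outside_map and dynmap, the remote LAN 192.168.88.0/24 and the central outside address 25.x.x.25 (as redacted in the post) are assumptions; the pre-shared key is left masked.

```text
! ===== Central PIX (static outside address 25.x.x.25, assumed) =====
! Phase 2 interesting traffic: central LAN <-> remote LAN
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
! Exempt the same traffic from NAT so it enters the tunnel untranslated
! (ACL name "nonat" is an assumption)
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
! Remote peers have DHCP addresses, so they are matched by a dynamic map
! (names "dynmap" and "outside_map" are assumptions)
crypto dynamic-map dynmap 10 match address 120
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp enable outside
! Wildcard pre-shared key for L2L peers only: xauth and mode-config stay
! reserved for the VPN client group (vpngroup ... password ...)
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ===== Remote PIX (DHCP outside address) =====
! Mirror image of the central ACL: source and destination swapped
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
! Static map pointing at the central peer (address redacted as in the post)
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 120
crypto map outside_map 10 set peer 25.x.x.25
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 25.x.x.25 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two practical consequences of this layout: because the central PIX only has a dynamic map entry for the remote sites, it cannot initiate the tunnel, so traffic must first be sent from a remote LAN toward 192.168.100.0/24 to bring the SA up before central can reach the remote site; and the nat 0 exemption must exist on both ends, otherwise the packets are translated to the outside address before the crypto ACL is evaluated and never match it. After sending traffic from a remote site, check "show isakmp sa" for a phase 1 SA with the central peer and "show crypto ipsec sa" for matching local/remote identities and non-zero encaps/decaps counters on both boxes.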