Unable to access server behind PIX from internet

chuachenhui
Level 1

I have a PIX with 2 VPN connections plus 1 remote client connection.

Meanwhile, I would like to allow my vendor to access one of my file servers (internal IP 192.168.0.2). I tried to do a static bind with 202.174.143.45 and modified the access-list accordingly. But still my vendor can't access the file server, nor can the server go out to the internet. What could be wrong?

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password KX/2yDvEiODIteF/ encrypted

passwd ggXVcePzJwQfhvVL encrypted

hostname Mitsui

domain-name Mitsuisoko.com

clock timezone MYT 8

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

object-group service Internet_access tcp

port-object eq ftp

port-object eq pop3

port-object eq ftp-data

port-object eq https

port-object eq www

port-object eq smtp

port-object eq uucp

port-object eq pcanywhere-data

port-object range 1433 1433

port-object range 9000 9002

object-group network VPN_users

description This group included all the addresses of remote VPN site as well as VPN dial-up clients. 192.168.1.0 (Pasir Gudang), 192.168.2.0 (Melaka), 192.168.3.0 (Dial-up VPN clients)

network-object 192.168.1.0 255.255.255.0

network-object 192.168.2.0 255.255.255.0

network-object 192.168.3.0 255.255.255.0

object-group network Servers

network-object 192.168.0.1 255.255.255.255

network-object 192.168.0.100 255.255.255.255

network-object 192.168.0.33 255.255.255.255

access-list inside_access_in permit ip host 192.168.0.2 any

access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain

access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain

access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any object-group Internet_access

access-list inside_access_in permit icmp any any

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_access_in permit ip any host 202.174.143.45

access-list outside_access_in permit icmp any any

access-list split permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging monitor errors

logging trap debugging

logging host inside 192.168.0.2

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 202.174.143.42 255.255.255.248

ip address inside 192.168.0.25 255.255.255.0

ip verify reverse-path interface outside

ip audit name Custom_attack attack action alarm drop reset

ip audit name Custom_infor info action alarm

ip audit info action alarm

ip audit attack action alarm drop reset

ip local pool msoko_client 192.168.3.1-192.168.3.254

pdm location 192.168.0.2 255.255.255.255 inside

pdm location 202.187.49.106 255.255.255.255 outside

pdm location 192.168.0.100 255.255.255.255 inside

pdm location 192.168.0.249 255.255.255.255 inside

pdm location 192.168.0.248 255.255.255.248 outside

pdm location 192.168.2.0 255.255.255.0 outside

pdm location 192.168.1.0 255.255.255.0 outside

pdm location 192.168.0.1 255.255.255.255 inside

pdm location 202.9.101.56 255.255.255.255 outside

pdm location 192.168.0.33 255.255.255.255 inside

pdm location 219.93.68.178 255.255.255.255 outside

pdm location 219.93.68.130 255.255.255.255 outside

pdm location 192.168.3.1 255.255.255.255 outside

pdm location 192.168.3.1 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.248 inside

pdm location 202.174.143.44 255.255.255.255 outside

pdm location 202.174.143.45 255.255.255.255 outside

pdm group VPN_users outside

pdm group Servers inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 192.168.0.0 255.255.255.0 0 0

static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0

static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 202.174.143.41 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 202.187.49.106 255.255.255.255 outside

http 192.168.0.2 255.255.255.255 inside

http 192.168.0.100 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt noproxyarp outside

sysopt noproxyarp inside

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map dymanic 10 set transform-set ESP-DES-MD5

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer 219.93.68.178

crypto map outside_map 40 set transform-set ESP-DES-MD5

crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set peer 219.93.68.130

crypto map outside_map 60 set transform-set ESP-DES-MD5

crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map outside_map 80 ipsec-isakmp dynamic dymanic

crypto map outside_map client configuration address initiate

crypto map outside_map client configuration address respond

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 219.93.68.178 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 219.93.68.130 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local msoko_client outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 600

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 1

isakmp policy 30 lifetime 600

vpngroup msoko address-pool msoko_client

vpngroup msoko wins-server 192.168.1.1 192.168.1.2

vpngroup msoko default-domain mitsuisoko

vpngroup msoko idle-time 1800

vpngroup msoko password ********

telnet 192.168.0.2 255.255.255.255 inside

telnet 192.168.0.100 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

5 Replies

beth-martin
Level 5

I am not sure, but just check it out by increasing the telnet timeout from 5 seconds to 10 or 15.

wolfrikk
Level 3

You do not need to create a static mapping for both directions. I would remove the "static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0" line and keep the other static mapping. They are both doing the same thing and may be confusing things. The ACLs look okay.
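A small configuration linter, added here as an example and not code from anyone in this thread, that reads the NAT, ACL and sysopt statements from the posted configuration (trimmed to a constructed sample) and flags the bidirectional static wolfrikk points at. It also flags three other things worth checking on a PIX of this vintage: a host static whose mapped address sits inside the mapped interface's own subnet while "sysopt noproxyarp" is set for that interface (the PIX then no longer answers ARP for the mapped address, so the upstream router needs its own ARP or route entry for it), an inbound ACL that permits every IP protocol from any source to the mapped host instead of just the vendor's ports, and the default SNMP community. The issue codes, function names and the sample are this script's own.

```python
"""Lint a PIX 6.x configuration for a few NAT/ACL pitfalls.

Added example; not code from the thread. SAMPLE_CONFIG is constructed
from the lines the poster shared, trimmed to the statements the checks
need. Issue codes are this script's own naming.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
ip address outside 202.174.143.42 255.255.255.248
ip address inside 192.168.0.25 255.255.255.0
access-list outside_access_in permit ip any host 202.174.143.45
access-list outside_access_in permit icmp any any
static (outside,inside) 192.168.0.2 202.174.143.45 netmask 255.255.255.255 0 0
static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
sysopt noproxyarp outside
sysopt noproxyarp inside
snmp-server community public
"""

# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
IPADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
AGROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\w+)$")


def parse(config: str) -> dict:
    """Collect the statements the checks look at into a plain dict."""
    facts = {"statics": [], "ifaces": {}, "acls": defaultdict(list),
             "bound": {}, "noproxyarp": set(), "snmp_public": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            facts["statics"].append((real_if, mapped_if, mapped, real, mask))
        elif m := IPADDR_RE.match(line):
            name, addr, mask = m.groups()
            facts["ifaces"][name] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif m := ACL_RE.match(line):
            name, proto, rest = m.groups()
            facts["acls"][name].append((proto, rest))
        elif m := AGROUP_RE.match(line):
            acl, iface = m.groups()
            facts["bound"][iface] = acl  # ACL applied inbound on iface
        elif m := NOPROXY_RE.match(line):
            facts["noproxyarp"].add(m.group(1))
        elif line == "snmp-server community public":
            facts["snmp_public"] = True
    return facts


def find_issues(config: str) -> list[tuple[str, str]]:
    """Return (code, message) pairs for each pitfall found."""
    f = parse(config)
    issues = []

    # DUP-STATIC: the same address pair translated in both directions.
    by_pair = defaultdict(list)
    for real_if, mapped_if, mapped, real, _ in f["statics"]:
        by_pair[frozenset((mapped, real))].append(f"({real_if},{mapped_if})")
    for pair, dirs in by_pair.items():
        if len(dirs) > 1:
            issues.append(("DUP-STATIC",
                           f"{' <-> '.join(sorted(pair))} has statics {dirs}; keep one"))

    # NOPROXYARP: a host static whose mapped address lies in the mapped
    # interface's own subnet relies on the PIX answering ARP for it, and
    # 'sysopt noproxyarp <ifc>' turns that off on the interface.
    for real_if, mapped_if, mapped, real, mask in f["statics"]:
        iface = f["ifaces"].get(mapped_if)
        if mask != "255.255.255.255" or iface is None:
            continue
        in_subnet = ipaddress.ip_address(mapped) in iface.network
        if in_subnet and mapped_if in f["noproxyarp"]:
            issues.append(("NOPROXYARP",
                           f"{mapped} is in {iface.network} on {mapped_if} "
                           f"but proxy ARP is disabled there"))

    # WIDE-OPEN: an inbound ACL permits every IP protocol to a host.
    for iface, acl in f["bound"].items():
        for proto, rest in f["acls"][acl]:
            if proto == "ip" and rest.startswith("any host "):
                host = rest.split()[2]
                issues.append(("WIDE-OPEN",
                               f"{acl} on {iface} permits all IP from any source to "
                               f"{host}; restrict to the needed sources and ports"))

    # SNMP-PUBLIC: the default read community is still configured.
    if f["snmp_public"]:
        issues.append(("SNMP-PUBLIC", "snmp-server community is 'public'"))
    return issues


if __name__ == "__main__":
    for code, msg in find_issues(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run it as-is to see the five findings for the sample; paste a full "write terminal" into SAMPLE_CONFIG to lint a real box. The NOPROXYARP check fires for both statics in the sample because each mapped address (192.168.0.2 on inside, 202.174.143.45 on outside) is inside its interface's subnet and both interfaces have proxy ARP disabled; once the outside,inside static is dropped as wolfrikk suggests, only the outside-facing one remains to verify against the ISP router's ARP table.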

Thanks for your advice. Now things are getting more weird. Even with the following config I am still suffering the same issue. Wondering if there is anything to do after I establish the site-to-site VPN or VPN client. What do you think?

I did a show xlate and the static map is there. However, the server that holds the static map can't even surf the net! :P

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password KX/2yDvEiODIteF/ encrypted

passwd ggXVcePzJwQfhvVL encrypted

hostname Mitsui

domain-name Mitsuisoko.com

clock timezone MYT 8

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

object-group service Internet_access tcp

port-object eq ftp

port-object eq pop3

port-object eq ftp-data

port-object eq https

port-object eq www

port-object eq smtp

port-object eq uucp

port-object eq pcanywhere-data

port-object range 1433 1433

port-object range 9000 9002

object-group network VPN_users

description This group included all the addresses of remote VPN site as well as VPN dial-up clients. 192.168.1.0 (Pasir Gudang), 192.168.2.0 (Melaka), 192.168.3.0 (Dial-up VPN clients)

network-object 192.168.1.0 255.255.255.0

network-object 192.168.2.0 255.255.255.0

network-object 192.168.3.0 255.255.255.0

object-group network Servers

network-object 192.168.0.1 255.255.255.255

network-object 192.168.0.100 255.255.255.255

network-object 192.168.0.33 255.255.255.255

access-list inside_access_in permit ip host 192.168.0.2 any

access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain

access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain

access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any object-group Internet_access

access-list inside_access_in permit icmp any any

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_access_in permit ip any host 202.174.143.45

access-list outside_access_in permit icmp any any

access-list split permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging monitor errors

logging trap debugging

logging host inside 192.168.0.2

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 202.174.143.42 255.255.255.248

ip address inside 192.168.0.25 255.255.255.0

ip verify reverse-path interface outside

ip audit name Custom_attack attack action alarm drop reset

ip audit name Custom_infor info action alarm

ip audit info action alarm

ip audit attack action alarm drop reset

ip local pool msoko_client 192.168.3.1-192.168.3.254

pdm location 192.168.0.2 255.255.255.255 inside

pdm location 202.187.49.106 255.255.255.255 outside

pdm location 192.168.0.100 255.255.255.255 inside

pdm location 192.168.0.249 255.255.255.255 inside

pdm location 192.168.0.248 255.255.255.248 outside

pdm location 192.168.2.0 255.255.255.0 outside

pdm location 192.168.1.0 255.255.255.0 outside

pdm location 192.168.0.1 255.255.255.255 inside

pdm location 202.9.101.56 255.255.255.255 outside

pdm location 192.168.0.33 255.255.255.255 inside

pdm location 219.93.68.178 255.255.255.255 outside

pdm location 219.93.68.130 255.255.255.255 outside

pdm location 192.168.3.1 255.255.255.255 outside

pdm location 192.168.3.1 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.248 inside

pdm location 202.174.143.44 255.255.255.255 outside

pdm location 202.174.143.45 255.255.255.255 outside

pdm group VPN_users outside

pdm group Servers inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 192.168.0.0 255.255.255.0 0 0

static (inside,outside) 202.174.143.45 192.168.0.2 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 202.174.143.41 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 202.187.49.106 255.255.255.255 outside

http 192.168.0.2 255.255.255.255 inside

http 192.168.0.100 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt noproxyarp outside

sysopt noproxyarp inside

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map dymanic 10 set transform-set ESP-DES-MD5

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer 219.93.68.178

crypto map outside_map 40 set transform-set ESP-DES-MD5

crypto map outside_map 40 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set peer 219.93.68.130

crypto map outside_map 60 set transform-set ESP-DES-MD5

crypto map outside_map 60 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map outside_map 80 ipsec-isakmp dynamic dymanic

crypto map outside_map client configuration address initiate

crypto map outside_map client configuration address respond

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 219.93.68.178 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 219.93.68.130 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local msoko_client outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 600

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 1

isakmp policy 30 lifetime 600

vpngroup msoko address-pool msoko_client

vpngroup msoko wins-server 192.168.1.1 192.168.1.2

vpngroup msoko default-domain mitsuisoko

vpngroup msoko idle-time 1800

vpngroup msoko password ********

telnet 192.168.0.2 255.255.255.255 inside

telnet 192.168.0.100 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

I have run into this a few times with PIX static mappings. What I have ended up doing in the past is reboot the PIX and the ISP router at the same time. I think it has something to do with the MAC address mappings on the ISP router. Rebooting the PIX may not be necessary, but I figure it won't hurt while the ISP router is reloading. If you have a DMZ, you may just want to enter clear xlate as the ISP router reloads.

Wolfrikk,

I'll try that. Will let you know the result. Thanks.
