I recently setup a VPN IPsec tunnel between two PIX devices. I ran into a problem with the remote PIX device when trying to route anything for a 10.x.x.x across the VPN tunnel. Here is the sample config that I was using.

interface Ethernet0

speed 10

duplex full

nameif outside

security-level 0

ip address 213.x.x.1 255.255.255.224

no shut

!

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.43.1.1 255.255.255.0

no shut

!

access-list inside extended permit icmp any any

access-list inside extended permit ip 10.43.1.0 255.255.255.0 any

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

!

nat-control

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 10.43.1.0 255.255.255.0

access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 216.1.1.30 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map Outside_map 20 match address Outside_cryptomap_20

crypto map Outside_map 20 set peer A.B.C.D

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

!

management-access inside

dhcpd address 10.43.1.20-10.43.1.199 inside

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd option 3 ip 10.43.1.1

dhcpd enable inside

!

tunnel-group A.B.C.D type ipsec-l2l

tunnel-group A.B.C.D ipsec-attributes

pre-shared-key test

The only way I could get it to work was to replace the following commands

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0

with specific routes for 10.x.x.x

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.51.0.0 255.255.0.0

access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.53.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.51.0.0 255.255.0.0

access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.53.0.0 255.255.0.0

Can anyone explain why I couldn't use the permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0 route instead of putting specific routes for 10 dot?