Hello,

Thanks a lot for all the info, you guys are great!!!

Problem is solved by doing:

1. Use PIX internal ip address as match address
2. Create nonat for traffic to central router

I have 2 more questions (sorry, couldn't find answer)

1. How do I do redundancy between branch office (2 PIXs) and central office (2 7100s)? CCO only gives sample for routers, not PIX
2. At branch office (only 1 IP address), there is a web server behind PIX, how do I do traffic forwarding?

Thanks again.

Jim

> Jim Bond <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Let me re-describe the situation:
>
> Central office 7100 router, site office PIX (NAT overload 1 public ip address), IPSec tunnel is established, clients at site office can't logon NT domain but can do everything else.
>
> Today, I replaced the PIX with a 3620 router (same IPSec setup), everything works fine. Clients can logon NT domain.
>
> I think that proves 1) I don't have naming issue 2) PAT works with IPSec. I don't understand why PIX wouldn't work. Please see my PIX config.
>
> Thanks in advance.
>
> Jim
>
> PIX Version 5.2(3)
> access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
> ip address outside 24.176.210.204 255.255.255.0
> ip address inside 10.1.1.1 255.255.255.0
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 24.176.210.1 1
> sysopt connection permit-ipsec
> crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
> crypto map newmap 10 ipsec-isakmp
> crypto map newmap 10 match address 100
> crypto map newmap 10 set peer 169.193.13.2
> crypto map newmap 10 set transform-set IPSEC
> crypto map newmap interface outside
> isakmp enable outside
> isakmp key ******** address 169.193.13.2 netmask 255.255.255.255
> isakmp identity hostname
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 86400
> dhcpd address 10.1.1.101-10.1.1.110 inside
> dhcpd dns 24.1.64.33 24.1.64.34
> dhcpd wins 169.193.28.60 169.193.148.25
> dhcpd lease 3600
> dhcpd domain dhcp.lamrc.com
> dhcpd enable inside

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
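Added example, not part of the thread: a small Python audit that flags the two conditions the fix above addresses in the quoted config, a crypto ACL whose source is the PAT (outside) address and no NAT exemption for the inside network. The "after" config is an assumed reading of the fix (match on the inside subnet 10.1.1.0/24 plus `nat (inside) 0 access-list`); the function and finding names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the NAT and crypto lines of the PIX config quoted above.
BEFORE = """\
access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map newmap 10 match address 100
"""

# Assumed reading of the fix: match on the inside subnet and exempt it from NAT.
AFTER = BEFORE.replace("host 24.176.210.204", "10.1.1.0 255.255.255.0") \
    + "nat (inside) 0 access-list 100\n"


def acl_sources(config, acl):
    """Source networks of the ACL's 'permit ip' entries ('any' is not handled)."""
    pat = rf"^access-list {re.escape(acl)} permit ip (?:host ([\d.]+)|([\d.]+) ([\d.]+)) "
    return [ipaddress.ip_network(h or f"{n}/{m}")
            for h, n, m in re.findall(pat, config, re.M)]


def audit(config):
    """Flag a crypto ACL keyed on the PAT address and a missing NAT exemption."""
    ifaces = {name: ipaddress.ip_interface(f"{ip}/{mask}") for name, ip, mask in
              re.findall(r"^ip address (\S+) ([\d.]+) ([\d.]+)$", config, re.M)}
    outside, inside = ifaces["outside"], ifaces["inside"]
    findings = []
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M):
        # Source is exactly the outside interface address, i.e. post-PAT traffic.
        if any(s.prefixlen == 32 and s.network_address == outside.ip
               for s in acl_sources(config, acl)):
            findings.append("crypto-acl-matches-pat-address")
    # Networks covered by a "nat (inside) 0 access-list <name>" exemption.
    exempt = [s for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
              for s in acl_sources(config, acl)]
    if not any(s.overlaps(inside.network) for s in exempt):
        findings.append("no-nat-exemption-for-inside")
    return findings


if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```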

