Hi folks-

upgraded my 525 to OS 6.3 and PDM v3.

I've set up a site-to-site vpn with IKE, but my opposite side tells me that they can see my 'internal' address range. Slightly worrying- I can't see why. Shouldn't it be natting out everything on my external IP?

Here's my config:

_____________________________________________________

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

enable password

passwd

hostname

domain-name

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name def.def.2.0 encryptdomain

access-list inside_outbound_nat0_acl permit ip abc.1.100.0 255.255.255.0 encryptdomain 255.255.255.0

access-list outside_cryptomap_20 permit ip abc.1.100.0 255.255.255.0 encryptdomain 255.255.255.0

access-list inside_access_in remark outbound rule for vpn

access-list inside_access_in permit tcp any encryptdomain 255.255.255.0

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

ip address outside ghi.144.184.30 255.255.255.192

ip address inside abc.1.100.235 255.255.255.0

no ip address intf2

no ip address intf3

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

pdm location abc.1.100.240 255.255.255.255 inside

pdm location encryptdomain 255.255.255.0 outside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 10 ghi.144.184.131

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 ghi.144.184.11 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http abc.1.100.240 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer jkl.113.57.28

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address jkl.113.57.28 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

_____________________________________________________

"abc" denotes my internal lan

"def" denotes our partners internal lan

"ghi" is my pix outside interface

"jkl" is the external interface of their Checkpoint box- running 4.1, on Windows.

If anyone wants to take a wee look and make suggestions, fire away.

Thanks-

0r8it