Pix Site to Site with dynamic IP

gmcmanus93
Level 5

I have a central-office PIX and remote sites that use DHCP from the ISP. Central has a static address. I am attempting to set up tunnels that allow access between sites. The tunnels appear to be set up; however, I am unable to connect to anything at the remote sites. I can use the remote client, but only to the central office. I'm missing something obvious, I'm sure. Thanks in advance. Here are the configs.

central office:

access-list 120 permit ip 192.168.100.0 255.255.x.x.168.88.0 255.255.255.0
access-list outside_access_in permit tcp any any eq www
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 25.x.x.25 255.x.255.255
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.1.215-192.168.1.225
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.100.250 www netmask 255.x.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.x.x.25.25.24 1
floodguard enable
fragment chain 45 inside
fragment timeout 10 inside
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set tset
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10 5
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup FCIvpnclient idle-time 1800
vpngroup cisco address-pool fcivpnclient
vpngroup cisco dns-server 192.168.100.250
vpngroup cisco wins-server 192.168.100.250
vpngroup cisco default-domain domain.local
vpngroup cisco split-tunnel 120
vpngroup cisco idle-time 1800
vpngroup cisco password ********
vpngroup fcivpnclient idle-time 1800
management-access inside

remote site:

access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_in deny udp any any eq 1863
access-list acl_in deny tcp any any eq 1863
access-list acl_in permit ip any any
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.88.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto map ffmap 10 ipsec-isakmp
crypto map ffmap 10 match address 120
crypto map ffmap 10 set peer 25.25.25.25
crypto map ffmap 10 set transform-set tset
crypto map ffmap interface outside
isakmp enable outside
isakmp key ******** address 25.x.25.25 netmask 255.x.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group pppox request dialout pppoe
vpdn group pppox localname user@isp.net
vpdn group pppox ppp authentication pap
vpdn username user@isp.net password *********

4 Replies

a.kiprawih
Level 7

Try to create a separate policy for the site-to-site VPN. The existing policy (isakmp policy 10) in central is used by the VPN client.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Rgds,

AK

OK. How can I get the remote PIX to use one policy and the client to use another? The link provided is for version 7.x; these PIXes use 6.3. Thanks for the response.

BTW, do you use your remote PIX to connect your remote-access VPN client, and from there use the same PIX to connect to the central PIX? Or does the central PIX handle both the remote-access VPN client and the remote PIX?

Rgds,

AK

grant.maynard
Level 4

Your phase 1 config looks OK (provided the pre-shared keys match), and it is OK for clients and L2L to use the same policy.

On phase 2, your ACLs should be mirrors of each other and are not: remote has 2 lines, central has one. Nevertheless, it should still work for the one line in common.

Crypto map looks OK.

I believe "isakmp key ******** address 0.0.0.0 netmask 0.0.0.0" would be used only by L2L (not clients; they'd use "vpngroup cisco password ********"), and you may need to turn off mode-config and xauth for L2L:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Otherwise:

show cry isa sa
show cry map
show cry ips sa
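Added example, not part of this thread or of any Cisco tool: a small Python script that mechanises the two checks raised in the reply above, namely that the phase 2 ACLs of the two sides mirror each other, and that a wildcard pre-shared key on a PIX that also serves vpngroup clients carries no-xauth no-config-mode. The embedded configs are constructed, modelled on the posted ones with only the relevant lines kept; the central ACL line is written out with the masked octets assumed to be 255.255.255.0 192.168.88.0. Because the central side uses a dynamic crypto map with no match address, the script compares its nat 0 ACL instead, on the assumption that this is what it expects the remote to propose.

```python
"""Sanity checks for a PIX 6.3 LAN-to-LAN pair (added example, not from the thread).

1. Phase 2: the crypto ACL on each side must be the mirror image of the other's.
   The side with "crypto map ... match address NAME" names its ACL directly; a
   side with only a dynamic crypto map has no match address, so its
   "nat (inside) 0 access-list NAME" ACL is used instead (assumption).
2. Phase 1: a wildcard pre-shared key ("address 0.0.0.0 netmask 0.0.0.0") on a
   box that also has vpngroup clients should carry "no-xauth no-config-mode".
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]  # (source network, destination network) in CIDR form


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists use real subnet masks, not IOS wildcard masks
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_entries(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list NAME permit ip SRC DST' entries, keyed by ACL name."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append((str(src), str(dst)))
    return acls


def crypto_acl_name(config: str) -> Optional[str]:
    """ACL defining interesting traffic: 'match address' if present, else the nat 0 ACL."""
    m = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    if m is None:
        m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def compare_sites(local_cfg: str, remote_cfg: str) -> Dict[str, List[Entry]]:
    """Entries each side has that the other side does not mirror (src/dst swapped)."""
    local = set(parse_acl_entries(local_cfg).get(crypto_acl_name(local_cfg), []))
    remote = parse_acl_entries(remote_cfg).get(crypto_acl_name(remote_cfg), [])
    remote_mirrored = {(dst, src) for src, dst in remote}
    return {
        "missing_on_remote": sorted(local - remote_mirrored),
        "missing_on_local": sorted(remote_mirrored - local),
    }


def lint_isakmp_keys(config: str) -> List[str]:
    """Warn about wildcard pre-shared keys that will also be offered XAUTH/mode-config."""
    warnings: List[str] = []
    has_vpngroup = re.search(r"^vpngroup ", config, re.M) is not None
    key_re = r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0(.*)$"
    for m in re.finditer(key_re, config, re.M):
        flags = set(m.group(1).split())
        if has_vpngroup and not {"no-xauth", "no-config-mode"} <= flags:
            warnings.append("wildcard isakmp key lacks 'no-xauth no-config-mode' "
                            "while vpngroup clients are configured")
    return warnings


# Constructed sample modelled on the central PIX (masked octets assumed).
CENTRAL_CFG = """\
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
nat (inside) 0 access-list 120
crypto dynamic-map dynmap 1 set transform-set tset
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
vpngroup cisco split-tunnel 120
"""

# Constructed sample modelled on the remote PIX.
REMOTE_CFG = """\
access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 120
crypto map ffmap 10 match address 120
crypto map ffmap 10 set peer 25.25.25.25
isakmp key ******** address 25.25.25.25 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for side, entries in compare_sites(CENTRAL_CFG, REMOTE_CFG).items():
        for src, dst in entries:
            print(f"{side}: {src} -> {dst}")
    for w in lint_isakmp_keys(CENTRAL_CFG):
        print("central:", w)
```

Run against the constructed samples, the mirror check reports the remote's 192.168.18.0/24 to 192.168.1.0/24 entry as having no counterpart on central (the two-versus-one line mismatch noted in the reply), and the key lint flags the central wildcard key. Adding no-xauth no-config-mode to that key clears the second warning.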
