Need help, VPN between 1841 router & PIX 501

bsallison, Level 1

Trying to set up a VPN between an 1841 router at HQ with a static IP connecting to a remote office with a PIX 501 and a persistent IP (not static, but Mediacom has mapped the PIX MAC to this IP so I always get the same public IP even on an equipment reboot). I have configured both sides but the tunnel will not come up; I must be missing something.

See attached configs.

THANK YOU!

38 Replies

secondstory# sho crypt isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    12.206.137.5    216.203.117.82    QM_IDLE         0           2

I changed the DNS given out by the PIX, and that did not work; I still could not access by name or by internal IP number.

I need the output of "show crypto ipsec sa" please.

Sorry.

interface: outside
    Crypto map tag: IPSEC, local addr. 12.206.137.5

   local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   current_peer: 216.203.117.82:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
    #pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 124, #recv errors 0

     local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 793ff99e

     inbound esp sas:
      spi: 0xcbd5b096(3419779222)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: IPSEC
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x793ff99e(2034235806)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4607996/1929)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

   local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
   current_peer: 216.203.117.82:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
    #pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.206.137.5, remote crypto endpt.: 216.203.117.82
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: c6d3ea5c

     inbound esp sas:
      spi: 0x55d659c5(1440111045)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4607097/1917)
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xc6d3ea5c(3335776860)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4607743/1890)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

If you see encrypts and decrypts, these counters are incrementing, so I would assume traffic to 216.203.117.85 is going through.

   local ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
   current_peer: 216.203.117.82:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
    #pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
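The counter reading in the reply above (encaps and decaps both climbing means interesting traffic is taking the tunnel) is easy to automate when you have several crypto map entries to check. The script below is an added example, not code from this thread or from Cisco: it parses a constructed sample of the PIX "show crypto ipsec sa" output built from the counters pasted earlier, splits it into one record per local/remote ident pair, and flags entries whose counters look wrong (nothing matched, one-way traffic, or send errors). The field names it reads are the ones visible in the thread; the findings and the SaEntry/report names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed "show crypto ipsec sa" in the PIX 6.x
# layout from the thread, keeping only the lines this parser reads, with the
# counters of the two crypto map entries the original poster pasted.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: IPSEC, local addr. 12.206.137.5

   local  ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   current_peer: 216.203.117.82:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 659, #pkts encrypt: 659, #pkts digest 659
    #pkts decaps: 462, #pkts decrypt: 462, #pkts verify 462
    #send errors 124, #recv errors 0

   local  ident (addr/mask/prot/port): (10.5.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (216.203.117.85/255.255.255.255/0/0)
   current_peer: 216.203.117.82:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2691, #pkts encrypt: 2691, #pkts digest 2691
    #pkts decaps: 2601, #pkts decrypt: 2601, #pkts verify 2601
    #send errors 0, #recv errors 0
"""


@dataclass
class SaEntry:
    """Counters for one crypto map entry (one local/remote ident pair)."""
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
_PEER = re.compile(r"current_peer: (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Split the output into one SaEntry per 'local ident' block."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = _IDENT.search(line)
        if m and m.group(1) == "local":
            cur = SaEntry(local_ident=m.group(2))   # a new entry starts here
            entries.append(cur)
            continue
        if cur is None:
            continue                                # header lines before the first entry
        if m:
            cur.remote_ident = m.group(2)
        elif (m := _PEER.search(line)):
            cur.peer = m.group(1)
        elif (m := _ENCAPS.search(line)):
            cur.encaps = int(m.group(1))
        elif (m := _DECAPS.search(line)):
            cur.decaps = int(m.group(1))
        elif (m := _ERRORS.search(line)):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return entries


def assess(entry):
    """Human-readable findings for one entry; an empty list means it looks healthy."""
    findings = []
    if entry.encaps == 0 and entry.decaps == 0:
        findings.append("no packets have matched this SA (interesting traffic never sent?)")
    elif entry.encaps and not entry.decaps:
        findings.append("encrypting but never decrypting: traffic leaves, nothing comes back")
    elif entry.decaps and not entry.encaps:
        findings.append("decrypting but never encrypting: replies are not taking the tunnel")
    if entry.send_errors:
        findings.append(f"{entry.send_errors} send errors on this SA, worth correlating with the peer side")
    return findings


def report(text):
    """Parse and assess every entry; returns {remote_ident: findings}."""
    return {e.remote_ident: assess(e) for e in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{e.local_ident} -> {e.remote_ident} via {e.peer}: "
              f"encaps={e.encaps} decaps={e.decaps}")
        for f in assess(e):
            print("  !", f)
```

Paste real output into SAMPLE_OUTPUT (or feed a file to report()) and compare two snapshots a minute apart: an entry whose encaps climbs while decaps stays flat is the one-way case, and it points at the other end's crypto ACL or routing rather than at the local box.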

DNS traffic is not going through.

I can ping a device by name and it fails as an unresolved name. I can ping the same device by IP address and it works fine. Devices on the PIX side do not see 216.203.117.85 as the 10.2.1.6 they are requesting from.

SO close, but since 10.2.1.6 is such a key server in my environment I have to get this last piece working, please.

As far as DNS is concerned, we will have to enable DNS traffic for .85 in ACL 101 on the router:

access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85

To add this command, remove the complete access-list 101. First remove it from the interface:

interface FastEthernet0/1
 no ip access-group 101 in

no access-list 101

access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82
access-list 101 permit udp host 216.203.115.234 eq domain host 216.203.117.82
access-list 101 permit tcp any host 216.203.117.83 eq 1494
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 66.211.4.130 host 216.203.117.83 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.84 eq 1433
access-list 101 permit tcp host 147.202.24.152 host 216.203.117.83 eq 1433
access-list 101 permit tcp any host 216.203.117.83 eq ftp
access-list 101 permit tcp any host 216.203.117.83 eq 5360
access-list 101 permit tcp any host 216.203.117.83 eq 5366
access-list 101 permit tcp any host 216.203.117.83 eq 3389
access-list 101 permit tcp any host 216.203.117.83 eq 5365
access-list 101 permit tcp any host 216.203.117.83 eq 5364
access-list 101 permit tcp any host 216.203.117.83 eq 5361
access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85
access-list 101 permit tcp any host 216.203.117.85 eq smtp
access-list 101 permit tcp any host 216.203.117.85 eq 389
access-list 101 permit esp any host 216.203.117.82
access-list 101 permit udp any host 216.203.117.82 eq 500
access-list 101 permit tcp any host 216.203.117.85 eq www
access-list 101 permit tcp any host 216.203.117.85 eq 5362
access-list 101 permit tcp any host 216.203.117.85 eq 443
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny ip 10.2.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.203.117.82 echo-reply
access-list 101 permit icmp any host 216.203.117.82 time-exceeded
access-list 101 permit icmp any host 216.203.117.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any

interface FastEthernet0/1
 ip access-group 101 in
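To see why the one added permit line matters in a list this long, here is an added Python example (not from this thread and not Cisco code) that evaluates a flow against an ordered subset of ACL 101 the way IOS does: first matching line wins, and anything that matches no line hits the implicit deny at the end. The subset, the client address 10.5.5.10 and the sample flows are constructed; it shows that a DNS query from the 10.5.5.0/24 LAN to 216.203.117.85 falls through to the "deny ip 10.0.0.0 0.255.255.255 any" anti-spoofing line until the permit for .85 is inserted above it, while TCP 443 to .85 was already allowed by the "any" line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: an ordered subset of the router's ACL 101 as listed in the
# thread, without the line the responder says to add.
ACL_BEFORE = """\
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 permit udp host 216.203.122.200 eq domain host 216.203.117.82
access-list 101 permit tcp any host 216.203.117.85 eq smtp
access-list 101 permit esp any host 216.203.117.82
access-list 101 permit udp any host 216.203.117.82 eq 500
access-list 101 permit tcp any host 216.203.117.85 eq 443
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 deny ip 10.2.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.203.117.82 echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any
"""
# The same subset with the responder's line inserted where their listing puts it.
FIX = "access-list 101 permit ip 10.5.5.0 0.0.0.255 host 216.203.117.85\n"
SMTP_LINE = "access-list 101 permit tcp any host 216.203.117.85 eq smtp\n"
ACL_AFTER = ACL_BEFORE.replace(SMTP_LINE, FIX + SMTP_LINE)

PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "ftp": 21, "isakmp": 500}


@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1]
    # ipaddress reads a contiguous IOS wildcard as a hostmask, except for the
    # all-zero and all-one masks, which it treats as netmasks; handle those here.
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(tok + "/32"), i + 2
    if wildcard == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False), i + 2


def _port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse numbered extended ACL lines (only the syntax used in the thread)."""
    rules = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)          # 'eq domain' after the source, as in line 1
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        icmp_type = t[i] if t[3] == "icmp" and i < len(t) else None
        rules.append(Rule(raw.strip(), t[2], t[3], src, dst, sport, dport, icmp_type))
    return rules


def _matches(r, proto, src, dst, sport, dport, icmp_type):
    if r.proto != "ip" and r.proto != proto:
        return False
    if src not in r.src or dst not in r.dst:
        return False
    if r.sport is not None and r.sport != sport:
        return False
    if r.dport is not None and r.dport != dport:
        return False
    return r.icmp_type is None or r.icmp_type == icmp_type


def verdict(acl_text, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First matching line wins; returns (action, 1-based index of the matching
    non-remark line), or ('deny', None) for the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(parse_acl(acl_text), 1):
        if _matches(r, proto, src, dst, sport, dport, icmp_type):
            return r.action, n
    return "deny", None


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, "DNS  10.5.5.10 -> .85:53 ", verdict(acl, "udp", "10.5.5.10", "216.203.117.85", dport=53))
        print(label, "HTTPS 10.5.5.10 -> .85:443", verdict(acl, "tcp", "10.5.5.10", "216.203.117.85", dport=443))
```

The same evaluator run over the router's real ACL and over the crypto ACL on each side is a quick way to confirm the two crypto ACLs mirror each other and that the inbound interface ACL permits the decrypted traffic (the 10.5.5.0/24 to 10.2.1.0/24 line) as well as the ESP and UDP 500 that carry it.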

No difference; still cannot ping by name from a device on the remote PIX side.

Hey, can you create a new post with only this DNS problem?

Corrected! Try now:

access-list 111 permit ip host 216.203.117.85 10.5.5.0 0.0.0.255