site to site vpn error on uc

TY08
Level 1

Guys,

I am having a problem with the VPN setup. I am able to ping from A to B, but not the other way around. I have checked my access-list and VPN setup, and also rebooted the unit, and no luck. Any idea?

When I look at the access-list on site B, it shows that site A is hitting site B. But on site A there is totally nothing.

Thank you...

Site A:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address YYY no-xauth
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map site-to-site 1 ipsec-isakmp
description connection to queens office
set peer YYY
set transform-set vpnset
match address splittunnel
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address YYY 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map site-to-site

ip nat inside source list nat interface FastEthernet0/0 overload

ip access-list extended nat
deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 10.1.10.0 0.0.0.3 192.168.10.0 0.0.0.255
deny   ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.10.0 0.0.0.252 any
ip access-list extended splittunnel
permit ip 192.168.20.0 0.0.0.255 any
permit icmp any any

access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.20.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip 216.211.192.128 0.0.0.127 any
access-list 104 permit ip 72.248.147.168 0.0.0.7 any
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp host 63.203.35.55 eq domain any
access-list 104 permit udp host 208.67.222.222 eq domain any
access-list 104 permit udp host 4.2.2.2 eq domain any
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip any any
===================================================================================

Site B:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address YYY no-xauth
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map site-to-site 1 ipsec-isakmp
description connection to manhattan office
set peer YYY
set transform-set myset
match address splittunnel

interface FastEthernet0/0
description $FW_OUTSIDE$
ip address YYY
ip access-group aclin in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map site-to-site

ip nat inside source list nat interface FastEthernet0/0 overload

ip access-list extended aclin
deny   ip 10.1.10.0 0.0.0.3 any
deny   ip 10.1.1.0 0.0.0.255 any
deny   ip 192.168.10.0 0.0.0.255 any
permit ip 216.211.192.128 0.0.0.127 any
permit ip 72.248.202.112 0.0.0.15 any
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq non500-isakmp
permit udp host 63.203.35.55 eq domain any
permit udp host 208.67.222.222 eq domain any
permit udp host 4.2.2.2 eq domain any
permit icmp any any unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
deny   ip any any
ip access-list extended nat
deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny   ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
deny   ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
permit ip 10.1.10.0 0.0.0.3 any
ip access-list extended splittunnel
permit ip 192.168.10.0 0.0.0.255 any
permit icmp any any

1 Reply

finalconnect
Level 3

In your aclin access list there is a deny 192.168.0.0 0.0.0.255 command.

Are you seeing any counter increase in the ACL when the ICMP is denied?

Temporarily take out the inbound ACL from the outbound interfaces and see if the issue clears.

Another option is to leverage GRE tunnels across the IPsec. Gives a little more routing flexibility.
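To check the reply's point against the posted configs offline, here is an added example (not from the thread or either poster) that parses Cisco IOS extended ACL lines and evaluates a packet with IOS first-match, implicit-deny semantics: the peer's ESP against site B's aclin, the decrypted echo from site A's LAN against the same ACL, and the echo reply against site B's crypto ACL. The public peer addresses are placeholders because the post masks them as YYY; whether the 192.168.0.0 deny actually bites depends on whether the running IOS applies the interface ACL to decrypted packets, which is exactly what temporarily removing the ACL tests.

```python
import ipaddress

PORTS = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}  # port names that appear in the post
def _ip(tok): return int(ipaddress.IPv4Address(tok))
def _endpoint(toks, i):
    # 'any' | 'host A' | 'A WILDCARD', optionally followed by 'eq PORT'; returns (spec, port, next index)
    if toks[i] == "any":
        spec, i = (0, 0xFFFFFFFF), i + 1
    elif toks[i] == "host":
        spec, i = (_ip(toks[i + 1]), 0), i + 2
    else:
        spec, i = (_ip(toks[i]), _ip(toks[i + 1])), i + 2
    if i < len(toks) and toks[i] == "eq":
        return spec, PORTS.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return spec, None, i

def _hit(spec, ip):
    base, wild = spec  # wildcard bit 1 = "don't care"; also correct for non-contiguous masks like 0.0.0.252
    return ((_ip(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Named or numbered ('access-list 104 ...') extended ACL text; remark lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()[2:] if line.startswith("access-list") else line.split()
        if toks and toks[0] in ("permit", "deny"):
            src, sport, i = _endpoint(toks, 2)
            dst, dport, i = _endpoint(toks, i)
            icmp = toks[i] if i < len(toks) else None  # trailing ICMP type keyword such as 'unreachable'
            rules.append((toks[0], toks[1], src, sport, dst, dport, icmp, " ".join(toks)))
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """IOS semantics: the first matching entry wins; unmatched traffic hits the implicit deny."""
    for action, rproto, rsrc, rsport, rdst, rdport, ricmp, text in rules:
        if (rproto in ("ip", proto) and _hit(rsrc, src) and _hit(rdst, dst)
                and rsport in (None, sport) and rdport in (None, dport) and ricmp in (None, icmp_type)):
            return action, text
    return "deny", "implicit deny"
SITE_B_ACLIN = """permit udp any any eq isakmp
permit esp any any
permit icmp any any unreachable
deny   ip 192.168.0.0 0.0.255.255 any"""  # excerpt of site B's 'aclin' from the post: the entries this case reaches
SITE_B_SPLITTUNNEL = "permit ip 192.168.10.0 0.0.0.255 any\npermit icmp any any"  # site B's crypto ACL
def check_site_b(peer_a="203.0.113.10", outside_b="198.51.100.20"):  # placeholders for the masked YYY
    aclin, crypto = parse_acl(SITE_B_ACLIN), parse_acl(SITE_B_SPLITTUNNEL)
    return {"esp_from_peer": evaluate(aclin, "esp", peer_a, outside_b),
            "decrypted_echo": evaluate(aclin, "icmp", "192.168.20.5", "192.168.10.5", icmp_type="echo"),
            "reply_to_tunnel": evaluate(crypto, "icmp", "192.168.10.5", "192.168.20.5", icmp_type="echo-reply")}
```

The parser also accepts site A's numbered `access-list 104` form, so the same checks can be run against the other side's ACLs by pasting them in.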