I have a PIX 501 firewall that I need to set up a site-to-site IPsec tunnel with a remote peer. The inside subnet on my PIX is 192.168.100.0/24. For this discussion's purpose, let's say my PIX's outside IP is 10.10.10.10 and the remote peer IP is 11.11.11.11.
The tunnel needs are as follows: local IP 192.168.100.10 needs to communicate with remote IP 11.11.12.12.
I have to NAT my local IP of 192.168.100.10 to the IP address 10.10.10.11 before it traverses the tunnel to the remote end.
I have set up the following, but I don't see any indication of phase 2. I see phase 1 completing, but nothing for encaps/decaps when I do a "show cry ipsec sa".
Here is the related config, minus the encryption parameters. Please review and see if there are any issues with it; I'm particularly concerned about whether or not I'm NATing correctly.
access-list 101 remark ***Crypto ACL for traffic to remote peer***
access-list 101 permit ip host 10.10.10.11 host 11.11.12.12
access-list VPN_NAT remark ***Policy NAT for VPN traffic***
access-list VPN_NAT permit ip host 192.168.100.10 host 11.11.12.12
static (inside,outside) 10.10.10.11 access-list VPN_NAT 0 0
ip address outside 10.10.10.10 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 101
crypto map VPN 10 set peer 11.11.11.11
crypto map VPN 10 set transform-set VPN
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 11.11.11.11 netmask 255.255.255.255
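The point the poster is worried about is the coupling between the policy static and the crypto ACL: on a PIX the static translates 192.168.100.10 to 10.10.10.11 only for traffic to 11.11.12.12, and the crypto ACL must then match the post-NAT address (10.10.10.11), not the real inside address. The script below is an added example, not part of the post or of Cisco's tooling: it parses the config lines above (the sample is the poster's config with the key and transform set omitted) and reports when a crypto ACL entry refers to a pre-NAT address or has no policy NAT covering it. The regexes only understand the `permit ip host X host Y`, `static (in,out) G access-list NAME` and `crypto map ... match address` forms shown on the page; that restriction is an assumption of this example.

```python
import re

# Constructed sample: the poster's PIX config lines relevant to the NAT/crypto check.
PIX_CONFIG = """\
access-list 101 remark ***Crypto ACL for traffic to remote peer***
access-list 101 permit ip host 10.10.10.11 host 11.11.12.12
access-list VPN_NAT remark ***Policy NAT for VPN traffic***
access-list VPN_NAT permit ip host 192.168.100.10 host 11.11.12.12
static (inside,outside) 10.10.10.11 access-list VPN_NAT 0 0
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 101
crypto map VPN 10 set peer 11.11.11.11
"""

# Constructed variant of the same config where the crypto ACL mistakenly uses the
# real (pre-NAT) inside address instead of the translated one.
BROKEN_CONFIG = PIX_CONFIG.replace(
    "permit ip host 10.10.10.11 host 11.11.12.12",
    "permit ip host 192.168.100.10 host 11.11.12.12",
)

# Only the host-to-host ACE form, the policy static form and the crypto map
# "match address" form used in the post are recognised (assumption of this example).
ACE_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Collect ACL entries, policy statics and crypto-map ACL references."""
    acls = {}          # ACL name -> list of (src_host, dst_host)
    statics = []       # list of (global_ip, policy_acl_name)
    crypto_acls = []   # ACL names referenced by crypto map entries
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(3), m.group(4)))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acls.append(m.group(3))
    return acls, statics, crypto_acls


def check_policy_nat_vs_crypto(text):
    """Return a list of findings; an empty list means the crypto ACL and policy NAT agree."""
    acls, statics, crypto_acls = parse_config(text)
    findings = []

    # (real_src, dst) -> global address the policy static produces for that pair
    translated = {}
    for global_ip, acl_name in statics:
        for real_src, dst in acls.get(acl_name, []):
            translated[(real_src, dst)] = global_ip

    for crypto_acl in crypto_acls:
        for src, dst in acls.get(crypto_acl, []):
            # Correct case: the crypto ACL source is the post-NAT global address for this destination.
            post_nat_ok = any(d == dst and g == src for (r, d), g in translated.items())
            if post_nat_ok:
                continue
            # Common mistake: the crypto ACL still names the real inside address.
            pre_nat = [g for (r, d), g in translated.items() if d == dst and r == src]
            if pre_nat:
                findings.append(
                    f"crypto ACL {crypto_acl} uses real address {src} for {dst}; "
                    f"policy NAT translates it to {pre_nat[0]}, so use that address instead"
                )
            else:
                findings.append(
                    f"crypto ACL {crypto_acl} entry {src} -> {dst} has no policy NAT covering it"
                )
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted config", PIX_CONFIG), ("broken variant", BROKEN_CONFIG)):
        result = check_policy_nat_vs_crypto(cfg)
        print(f"{name}: {'consistent' if not result else result}")
```

For the posted config the check comes back clean, which means the NAT and crypto ACL definitions agree with each other; a missing phase 2 would then have to be explained by something else, such as no interesting traffic from 192.168.100.10 to 11.11.12.12 reaching the PIX, or the remote peer's crypto ACL not being the mirror image (11.11.12.12 to 10.10.10.11).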