Hi, I have been working with Cisco and the vendor for 2 weeks on this.II am hoping the issue we are seeing will ring a bell with someone.

Some background information:

I am working a vendor who requires a site to site tunnel.  My network currently has 1 site to site with the vendor using a Juniper SSG which works without incident.  I am transitioning to Cisco 2811 routers and am set up a new tunnel with the vendor for the 2800 using another public ip in my address range.  So my network has 2 tunnels with the vendor who is using a Cisco VPN concentrator.  The hosts behind the tunnel use Public IP addresses 20x.x.x.x.

My Cisco router will create a tunnel, but I cannot get to the hosts on the vendor's network through the Cisco 2811, but I can through the Juniper tunnel.  The Vendor sees my packets and the vendors' host replies to them and sends them to tunnel.  They never reach the outside interface on my Cisco router.

I am NATing out of the outside interface so that my endpoint and peer are the same IP.  (note, I tried doing a static NAT and having a the tunnel address and my host address different to the same result.  Cisco confirmed that I do not require 2 different addresses and this setup has been successful with creating other successful tunnels toa  different network.)

I had tested this setup on a staging network before moving the router to the production network and my Cisco 2811 was able to create the tunnel and ping the inside host.  Once we moved the Router to the colo, we can no longer ping the host behind the vendor's tunnel.   The vendor has assured me that the tunnel setup is exactly the same and that he sees his host sending traffic to the tunnel.  The vendor does seem well versed with the VPN concentrator and successfully manages connections for many clients.

The vendor has a second VPN concentrator on a separate network and I can connect to that VPN concentrator successfully from the Cisco 2811 that is having issues with the Concentrator that also has a tunnel with the Juniper.

Here is what we have done so far:

1) Confirm the 2811 config with Cisco support.  The tunnel is up.  sh cyrpto ipa sa shows the tunnel up.
2) Enable Nat-T on the VPN Contrator side of the tunnel
3) Confirm that the trafiic flows properly from  a tunnel on another network (which would indicate the Cisco config is ok)
4) Successfully tunnel and reach hosts on a different config
5) Confirm all tunnel settings with the vendor
6) The vendor confirmed that the host on his side has no routes and points to the default gateway
7) Rebuild the tunnel from scratch
8) Confirm with our ISP that no routes are diverting the traffic else where.  My lSP gateway sees my outside address as directly connected. 
9) Confirm that the ACL matches with the vendor
10) I can not pull down the Juniper as it is in production and in constant use

Is there any known issue with using a VPN concentrator to connect to 2 tunnels on the same /28 network range? 

Any ideas or options are welcome.  I have had countless webex sessions with Cisco, but do not have access to the Vendor's concentrator.  I can pass along any suggestions. 

Here is some code


crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2


crypto ipsec transform-set mytrans esp-aes esp-sha-hmac

crypto dynamic-map dynmap 30
set transform-set myset


crypto isakmp key <key here> address <vendor endpoint ip> no-xauth

interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address <my outside> 255.255.255.240
ip access-group 107 in
ip access-group 106 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap

logging Access-lists (applied to outside to get a sense of what is coming in.  No esp traffic comes in, there are never hits)

access-list 106 permit esp host <my public IP>  host <vendor VPN endpoint> log
access-list 106 permit ip any any
access-list 107 permit esp host <vendor VPN host (is public IP)> host <my public IP> log
access-list 107 permit ip host <my public IP> host <vendor VPN host (is public IP)> log


access-list 107 permit ip host <my public IP>  host <vendor VPN endpoint> log
access-list 107 permit ip any any


sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
<vendor endpoint ip>  <my public ip>      QM_IDLE           1010    0 ACTIVE


Crypto Map "mymap" 1 ipsec-isakmp
        Peer = <vendor endpoint IP>
        Extended IP access list 116
            access-list 116 permit ip host <my outside ip> host <vendor inside out IP> (which is a public IP))
        Current peer: <vendor endpoint IP>
        Security association lifetime: 4608000 kilobytes/2800 seconds
        PFS (Y/N): N
        Transform sets={
                mytrans,
        }