VPN Site to Site (PIX to Router) cannot ping ...

jorgvallejo
Level 1

I have a VPN Site to Site. It works fine.

But I cannot ping between subnets of the tunnel.

10.2.166.0/24--PIX--ROUTER--10.100.200.0/24

PIX CONFIGURATION

access-list NONAT permit ip any any
access-list 112 permit ip 10.0.0.0 255.0.0.0 10.100.200.0 255.255.255.0
access-list 112 permit icmp any any
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 default_gateway 1
route outside 10.0.0.0 255.255.255.0 default_gateway 1 # ANOTHER TUNNEL.
route inside 10.0.0.0 255.0.0.0 10.2.166.201 1 #INTERNAL ROUTER
route outside 10.100.200.0 255.255.255.0 default_gateway 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPNSITE 6 ipsec-isakmp
crypto map VPNSITE 6 match address 112
crypto map VPNSITE 6 set peer IP_REMOTE_ROUTER
crypto map VPNSITE 6 set transform-set ESPDESMD5
crypto map VPNSITE 10 ipsec-isakmp dynamic VPNDYN
crypto map VPNSITE interface outside
isakmp enable outside
isakmp key ***** address IP_REMOTE_ROUTER netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

ROUTER CONFIGURATION

crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ***** address IP_REMOTE_PIX
!
!
crypto ipsec transform-set DES esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer IP_REMOTE_PIX
 set transform-set DES
 match address 120
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
access-list 120 remark SDM_ACL Category=20
access-list 120 permit ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
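A tunnel that negotiates but passes no traffic is commonly traced to crypto ACLs that are not exact mirror images of each other, which is harder to eyeball here because the PIX writes subnet masks and the IOS router writes wildcard masks. The following Python check is an added example, not code from the original post: it normalises both notations and lists every ACE that has no src/dst-swapped twin on the other side, using the two crypto ACLs copied from the post as constructed input (the function names `parse_ace` and `mirror_gaps` are mine).

```python
import ipaddress

def _network(addr, mask, style):
    # PIX/ASA crypto ACLs use subnet masks; IOS ACLs use wildcard (inverse) masks.
    if style == "ios":
        wild = int(ipaddress.ip_address(mask))
        if (wild + 1) & wild:  # non-contiguous wildcard cannot be one CIDR block
            raise ValueError(f"non-contiguous wildcard {mask}")
        return ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}", strict=False)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _endpoint(tokens, i, style):
    # One address spec starting at tokens[i]: 'any', 'host A', or 'A MASK'.
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _network(tokens[i], tokens[i + 1], style), i + 2

def parse_ace(line, style):
    # 'access-list NAME permit|deny PROTO SRC DST' -> tuple; remark lines give None.
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, i = _endpoint(t, 4, style)
    dst, _ = _endpoint(t, i, style)
    return (t[2], t[3], src, dst)

def mirror_gaps(pix_lines, ios_lines):
    # ACEs on each side that have no src/dst-swapped twin on the other side.
    pix = [a for a in (parse_ace(l, "pix") for l in pix_lines) if a]
    ios = [a for a in (parse_ace(l, "ios") for l in ios_lines) if a]
    def mirrored(a): return (a[0], a[1], a[3], a[2])
    def fmt(a): return f"{a[0]} {a[1]} {a[2]} -> {a[3]}"
    return {"pix_only": [fmt(a) for a in pix if mirrored(a) not in ios],
            "ios_only": [fmt(a) for a in ios if mirrored(a) not in pix]}

# Constructed input: the two crypto ACLs copied from the post above.
PIX_ACL_112 = ["access-list 112 permit ip 10.0.0.0 255.0.0.0 10.100.200.0 255.255.255.0",
               "access-list 112 permit icmp any any"]
ROUTER_ACL_120 = ["access-list 120 remark SDM_ACL Category=20",
                  "access-list 120 permit ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255"]

if __name__ == "__main__":
    for side, entries in mirror_gaps(PIX_ACL_112, ROUTER_ACL_120).items():
        print(side, entries or "(all mirrored)")
```

On the post's ACLs the `ip` entries mirror each other cleanly, while the PIX-side `permit icmp any any` is reported as having no counterpart in router ACL 120.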

1 Reply

owillins
Level 6