Question : PIX: Packets are not encrypted

Hello,
I want to create a site-to-site VPN between a PIX 525 with PIX OS 7.2(2) and a SonicWall TZ170 with SonicOS Enhanced 3.2.3.0-6e.

Site A ----PIX-------Internet--------TZ170----Site B

Networks:
  Site A: 10.201.0.0 255.255.0.0
  Site B: 192.168.101.0 255.255.255.0

The IKE and IPsec setup seems to be OK, since the PIX and the TZ show valid SAs.
The problem is that I'm not able to reach the hosts on the other side.

I tried a packet-tracer on the PIX. The result shows a packet drop in the encryption phase. The output gives an ACL violation as the reason. To me, ACL 114 seems to be OK. If I ping from Site A to Site B, the hitcnt of ACL 114 is incremented. Below are the ACLs, crypto map and nat 0 from the config.

In the crypto map I use the following ACL to describe the IPsec traffic:
access-list 114 extended permit ip 10.201.0.0 255.255.0.0 192.168.101.0 255.255.255.0

The crypto-map for the outside interface:
crypto map outside_map 111 match address 111
crypto map outside_map 111 set peer *********
crypto map outside_map 111 set transform-set esp-3des-md5
crypto map outside_map 111 set security-association lifetime seconds 3600
crypto map outside_map 112 set peer ********
crypto map outside_map 112 set transform-set esp-3des-md5 esp-3des-sha
crypto map outside_map 112 set security-association lifetime seconds 3600
crypto map outside_map 113 ipsec-isakmp dynamic remote
crypto map outside_map 114 match address 114
crypto map outside_map 114 set peer ********
crypto map outside_map 114 set transform-set esp-3des-md5
crypto map outside_map 114 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside

The nat 0:
nat (inside) 0 access-list 110

access-list 110 extended permit ip 10.201.0.0 255.255.0.0 10.200.1.0 255.255.255.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 208.134.161.0 255.255.255.0
access-list 110 extended permit ip 10.201.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 69.184.0.0 255.255.254.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 205.183.246.0 255.255.255.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 199.105.176.0 255.255.248.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 199.105.184.0 255.255.254.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 192.168.19.0 255.255.255.0
access-list 110 extended permit ip host 172.16.2.3 194.99.50.0 255.255.255.0
access-list 110 extended permit ip host 192.168.19.201 194.99.50.0 255.255.255.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 192.168.101.0 255.255.255.0


Side question: I tried the command show crypto map to get some insight into the applied crypto map, but the PIX gives me an error, invalid input. Many sources refer to the command, but I can't find it in the PIX command reference or in the help function on the CLI. What's the point here?

I appreciate any ideas. Thanks in advance.
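As an added example (not from the post, and not PIX code): a small Python checker that parses extended ACL lines like the ones quoted above and evaluates a source/destination pair against both the crypto match ACL and the nat 0 ACL the way the PIX does (first match wins). A flow must get a permit from both before it can leave the box encrypted with its private source address intact. The ACL text is a constructed subset of the post's lines; the function names are my own.

```python
import ipaddress

# Constructed copies of ACL lines from the post: ACL 114 is the crypto-map
# "match address" ACL, ACL 110 is the nat 0 (NAT exemption) ACL.
CONFIG = """
access-list 114 extended permit ip 10.201.0.0 255.255.0.0 192.168.101.0 255.255.255.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 10.200.1.0 255.255.255.0
access-list 110 extended permit ip 10.201.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 extended permit ip host 172.16.2.3 194.99.50.0 255.255.255.0
access-list 110 extended permit ip 10.201.0.0 255.255.0.0 192.168.101.0 255.255.255.0
"""

def _parse_addr(tokens):
    """Consume one PIX address spec (host A | any | A MASK); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # PIX uses a real subnet mask here, not a wildcard mask; ipaddress accepts it.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {acl_id: [(action, proto, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, rest = _parse_addr(t[5:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(t[1], []).append((action, proto, src, dst))
    return acls

def match(acl, src_ip, dst_ip, proto="ip"):
    """First-match evaluation: return (index, action) of the matching ACE, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, sn, dn) in enumerate(acl):
        if p in ("ip", proto) and s in sn and d in dn:
            return i, action
    return None

def check_flow(acls, crypto_acl, nat0_acl, src_ip, dst_ip):
    """A flow needs a permit in the crypto ACL (encrypt) and in nat 0 (keep private source)."""
    crypto = match(acls[crypto_acl], src_ip, dst_ip)
    nat0 = match(acls[nat0_acl], src_ip, dst_ip)
    return {"encrypt": crypto is not None and crypto[1] == "permit",
            "nat_exempt": nat0 is not None and nat0[1] == "permit"}
```

Run check_flow(parse_acls(CONFIG), "114", "110", "10.201.5.7", "192.168.101.20") to confirm a Site A to Site B ping is covered by both ACLs; a pair that comes back with encrypt False never reaches the crypto map at all.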

Answer : PIX: Packets are not encrypted

Odd indeed, that the traffic will hit one ACL and not the other.
Try re-applying the nat 0 ACL:
 no nat (inside) 0 access-list 110
 clear xlate
 nat (inside) 0 access-list 110

What is the status of "sho cry is sa" now with Site B?
Still MM_ACTIVE or QM_IDLE?
