PIX NAT questions

Checked these two docs out already, but still no cigar.

Objective:

a) map inside 192.168.3.0/24 to 172.16.7.0/24 (net A)

b) build a tunnel for traffic from 172.16.7.0/24 to host 10.35.240.23 (net B)

Net A has a PIX running 6.3(5) and net B has a VPN concentrator.

******************************************* pix cfg

crypto map * 10 ipsec-isakmp
crypto map * 10 set peer *
crypto map * 10 set transform-set 3des
crypto map * 10 match address vpn

# Using an ACL that just tests the tunnel from a host on net A gets me past phase 1. Also, in this setup, I have a policy NAT ACL to map a single address on the 192.168.3 net to a single address on the 172.16.7 net, and I'm not clear on whether I should be using a nat statement to policy-map the VPN traffic or a static. I'm also not sure which, if any, of these blocks should be in the nat 0 statement.

# But if I use the ACL I believe I eventually need...

access-list vpn line 1 permit ip 172.16.7.0 255.255.255.0 host 10.35.240.23

# I get: IPSEC(sa_initiate): ACL = deny; no sa created

pix(config)# sh crypto map

Crypto Map: "*" interfaces: { outside }

Crypto Map "*" 10 ipsec-isakmp
        Peer = *
        access-list vpn; 1 elements
        access-list vpn line 1 permit ip 172.16.7.0 255.255.255.0 host 10.35.240.23
        Current peer: *
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ 3des, }
lfnetworking
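The usual cause of "ACL = deny; no sa created" in a setup like the one above is order of operations: on PIX 6.x the outbound packet goes through NAT (nat 0 exemption first, then static/policy static) before the crypto map ACL is evaluated, so the crypto ACL must match the translated 172.16.7.x source, and anything that prevents the translation (no policy static covering the VPN destination, or a nat 0 entry that also matches the traffic and therefore wins) leaves the source as 192.168.3.x and the crypto ACL never matches. The following is an added example, not the poster's configuration and not Cisco code: a small Python model of that pipeline, fed three constructed config fragments. The ACL names "policynat" and "nonat", the map name "mymap", and the exact 6.3 command forms (`static (inside,outside) MAPPED access-list NAME`, `nat (inside) 0 access-list NAME`) are assumptions from memory and should be checked against the 6.3 command reference before use.

```python
"""Model of the PIX 6.3 outbound order of operations that bites this setup:
NAT (nat 0 exemption, then policy static) is applied BEFORE the crypto-map
ACL is evaluated, so the crypto ACL must match the *translated* source.
Constructed example, not the poster's config; 'policynat', 'nonat' and
'mymap' are invented names, and the command forms are from memory of 6.3."""
import ipaddress
from collections import defaultdict

# Crypto ACL written for the mapped net, but nothing translates 192.168.3.0/24.
NO_POLICY_NAT = """
access-list vpn permit ip 172.16.7.0 255.255.255.0 host 10.35.240.23
crypto map mymap 10 match address vpn
"""

# Policy static present, but a nat 0 exemption also matches the VPN traffic.
# Exemption is evaluated first and wins, so the source never becomes 172.16.7.x.
NAT0_EXEMPT = """
access-list nonat permit ip 192.168.3.0 255.255.255.0 host 10.35.240.23
nat (inside) 0 access-list nonat
access-list policynat permit ip 192.168.3.0 255.255.255.0 host 10.35.240.23
static (inside,outside) 172.16.7.0 access-list policynat
access-list vpn permit ip 172.16.7.0 255.255.255.0 host 10.35.240.23
crypto map mymap 10 match address vpn
"""

# Policy static only: 192.168.3.x -> 172.16.7.x for traffic to the net-B host,
# and the crypto ACL is written for the translated net.
POLICY_STATIC = """
access-list policynat permit ip 192.168.3.0 255.255.255.0 host 10.35.240.23
static (inside,outside) 172.16.7.0 access-list policynat
access-list vpn permit ip 172.16.7.0 255.255.255.0 host 10.35.240.23
crypto map mymap 10 match address vpn
"""


def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A MASK' starting at toks[i]; return (net, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}"), i + 2


class PixNatCryptoModel:
    """Parses the handful of 6.3 lines the model cares about; ignores the rest."""

    def __init__(self, config):
        self.acls = defaultdict(list)   # name -> [(src_net, dst_net)]
        self.nat0_acl = None
        self.statics = []               # [(mapped network base, policy acl name)]
        self.crypto_acl = None
        for line in config.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list" and t[2] == "permit":
                src, i = _addr(t, 4)
                dst, _ = _addr(t, i)
                self.acls[t[1]].append((src, dst))
            elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
                self.nat0_acl = t[4]
            elif t[0] == "static" and t[3] == "access-list":
                self.statics.append((ipaddress.ip_address(t[2]), t[4]))
            elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
                self.crypto_acl = t[6]

    def _match(self, acl, src, dst):
        return any(src in s and dst in d for s, d in self.acls[acl])

    def outbound(self, src, dst):
        """Return (source as the crypto map sees it, sa_created, debug text)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Step 1: NAT exemption. A match keeps the real (inside) address.
        if self.nat0_acl and self._match(self.nat0_acl, src, dst):
            how = "nat 0 exempt, untranslated"
        else:
            how = "untranslated"
            # Step 2: policy static. Network bits replaced, host bits preserved.
            for mapped, acl in self.statics:
                hit = next((s for s, d in self.acls[acl] if src in s and dst in d), None)
                if hit is not None:
                    src = ipaddress.ip_address(int(mapped) + (int(src) - int(hit.network_address)))
                    how = f"static via {acl}"
                    break
        # Step 3: the crypto map ACL is evaluated against the post-NAT packet.
        if self.crypto_acl and self._match(self.crypto_acl, src, dst):
            return str(src), True, f"{how}; IPSEC(sa_initiate): ACL = permit"
        return str(src), False, f"{how}; IPSEC(sa_initiate): ACL = deny; no sa created"


def simulate(config, src, dst):
    return PixNatCryptoModel(config).outbound(src, dst)


if __name__ == "__main__":
    for name, cfg in [("no policy NAT", NO_POLICY_NAT), ("nat 0 exempt", NAT0_EXEMPT),
                      ("policy static", POLICY_STATIC)]:
        print(f"{name:14} -> {simulate(cfg, '192.168.3.10', '10.35.240.23')}")
```

Only the third fragment produces an SA: the packet reaches the crypto map with source 172.16.7.10 and matches the "vpn" ACL. The first two reproduce the deny from the post, which is why the VPN traffic must be covered by the policy static and must not appear in the nat 0 ACL when the whole point is to present the translated net to the peer.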
