Problem with IPSEC VPN

Hello

I have problem with site-to-site connection between two PIXes. Network diagram looking like this:

PIX501---------- Internet -------------------- PIX515E | | | | | |

192.168.4.1/24 192.168.0.1/24

The VPN connection is established, but:

1) If I pinging host 192.168.4.10 from network 192.168.0.10 - OK 2) If I pinging host 192.168.0.10 from network 192.168.4.10 - error

Jan 22 2006 14:13:17: %PIX-3-713042: IKE Initiator unable to find policy: Intf 1, Src: 192.168.0.10, Dst: 192.168.4.10 Jan 22 2006 14:13:18: %PIX-3-713042: IKE Initiator unable to find policy: Intf 1, Src: 192.168.0.10, Dst: 192.168.4.10

The communications from 192.168.4.10 to 192.168.0.10 only working when

192.168.0.10 starts send packets. Any ideas or recommendations ???

Below configurations of both PIXes:

PIX-515E running OS 7.0(4)

interface Ethernet0 nameif outside security-level 0 ip address 195.22.16.2 255.255.255.252 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! route outside 0.0.0.0 0.0.0.0 195.22.16.1 1 same-security-traffic permit intra-interface access-list VPN extended permit ip 192.168.0.0 255.255.255.0

192.168.4.0 255.255.255.0 access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 nat-control global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 crypto ipsec transform-set TransSet esp-3des esp-md5-hmac crypto map VPN 20 match address VPN crypto map VPN 20 set peer 195.22.17.2 crypto map VPN 20 set transform-set TransSet crypto map VPN 20 set nat-t-disable crypto map VPN interface outside isakmp identity address isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 isakmp policy 65535 authentication pre-share isakmp policy 65535 encryption 3des isakmp policy 65535 hash sha isakmp policy 65535 group 2 isakmp policy 65535 lifetime 86400 tunnel-group 195.22.17.2 type ipsec-l2l tunnel-group 195.22.17.2 ipsec-attributes pre-shared-key *

PIX-501 running OS 6.3(5)

interface ethernet0 10baset interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 ip address outside 195.22.17.2 255.255.255.252 ip address inside 192.168.4.1 255.255.255.0 route outside 0.0.0.0 0.0.0.0 195.22.17.1 1 access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0

255.255.0.0 access-list VPN permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.255.0 global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 0 0 sysopt connection permit-ipsec crypto ipsec transform-set TransSet esp-3des esp-md5-hmac crypto map VPN 20 ipsec-isakmp crypto map VPN 20 match address VPN crypto map VPN 20 set peer 195.22.16.2 crypto map VPN 20 set transform-set TransSet crypto map VPN interface outside isakmp enable outside isakmp key ******** address 195.22.16.2 netmask 255.255.255.255 isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400