PIX 501 to 1760 VPN allowing one way traffic only

Having a few issues connecting a PIX 501 to a Cisco 1760. The 1760 has
been configured as a VPN server and has for months been working fine
for remote users with the Cisco VPN Client software. I'm trying to get
a "site to site" VPN working and have run into a brick wall. I'll paste
the PIX and 1760 configs below. The network behind the 1760 is
10.10.10.x and the PIX dhcpd is giving out IPs in the 192.168.100.x
range.

The tunnel "seems" ok as I can ping between sites and can map drives on
machines behind the PIX from a host behind the 1760 - I can even VNC
into a host behind the PIX from one behind the 1760. I can't, however,
initiate anything from any host behind the PIX.

Does anyone have any ideas?

PIX config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname pixfirewall
domain-name xxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging timestamp
logging trap debugging
logging host inside 192.168.100.10
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.x (1760 public ip) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd option 150 ip 10.10.10.190
dhcpd enable inside
vpnclient server x.x.x.x (1760 public ip)
vpnclient mode network-extension-mode
vpnclient vpngroup xxxxx password xxxxx
vpnclient username xxxxx password xxxxx
vpnclient enable
terminal width 80


1760 Config:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxx
!
enable password xxxx
!
username xxxx password 0 xxxx

aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip domain name xxxx
!
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxx
key 0 xxxx
dns 10.10.10.173
wins 10.10.10.163
domain xxxx
pool xxxx
!
crypto isakmp client configuration group xxxx
key 0 xxxx
dns 10.10.10.173
wins 10.10.10.163
domain xxxx
pool xxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
ip address x.x.x.x (outside 1700 interface)
ip nat outside
speed auto
crypto map clientmap
!
interface FastEthernet0/1
no ip address
!
interface FastEthernet0/2
no ip address
shutdown
!
interface FastEthernet0/3
no ip address
shutdown
!
interface FastEthernet0/4
no ip address
shutdown
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip policy route-map nonat
!
ip local pool ippool 192.168.10.1 192.168.10.50
ip local pool IPPOOL1 192.168.20.0 192.168.20.50
ip default-gateway x.x.x.x
ip nat inside source list 120 interface FastEthernet0/0 overload

(snip a lot of static routes that aren't connected with this)

ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x (gateway)
no ip http server
no ip http secure-server
!
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended firewall
ip access-list extended idletime
ip access-list extended include-local-lan
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended save-password
ip access-list extended service
ip access-list extended timeout
ip access-list extended tunnel-password
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 11 permit 10.10.10.0 0.0.0.255
access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
snmp-server community public RO 10
snmp-server enable traps tty
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxx
transport input ssh
!
!
end

 

:Having a few issues connecting a PIX 501 to a Cisco 1760. The 1760 has
:been configured as a VPN server and has for months been working fine
:for remote users with the Cisco VPN Client software. I'm trying to get
:a "site to site" VPN working and have run into a brick wall.

Although you should in theory be able to get your approach to work,
I would suggest that you would be better off using the full
crypto map approach on the 501 instead of relying on vpnclient
with network-extension mode. If you use the full crypto map setup,

The problem you are having sounds similar to what would happen if
the [automatically generated] access lists were not symmetric.
Configuring a crypto map on the 501 would allow you to give the ACL
explicitly, and the crypto dynamic map on the 1760 should then
automatically "mirror" that. There's a bit more certainty in that
approach, rather than counting on the EzVPN software to be sure
to negotiate the right ACLs with the right netmasks.

In particular, you indicate that the 1760 is running with a 10.10.10.x
network, by which I take it you mean 10.10.10/24. For all PIX
before PIX 6.3(4), the exchanged ACLs may be "classful" -- i.e.,
that the PIX would assume that the 10.10.10.x IP it gets from the
other end should be a Class A address in the 10/8 network. That's going
to lead to ARPs to the wrong place and so on. 6.3(4) offers some
control over the netmask used; I notice you are running 6.3(1).


Speaking of 6.3(1), that version has some security holes in it,
and 6.3(2) had a nasty bug in it, and 6.3(3) had a security hole
as well, so you should upgrade to 6.3(4). The update from 6.3(1)
to 6.3(4) is free even if you do not have a support contract;
for more information, google cisco.com for "PIX Security Advisory"
and look through the first one or two of those for information on
how to qualify for the update.