Have got two working configs for a Pix that allow either a Pix-to-Pix VPN, or remote users to connect into a Pix using the Cisco client (created these using two excellent documents on Cisco.com - #6211 and #14091). Am trying to combine the two but am having a few problems. Ideally, would like to find equiv document from Cisco but have had no joy (is it just me or is Cisco web-site diabolical for searching?).

Current non-working config is as follows:

:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password utXGGJbasURbvYXQ encrypted
passwd utXGGJbasURbvYXQ encrypted
hostname hosthost
domain-name host.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x router
name y.y.y.y WAN
name 10.0.0.4 Boardroom
name 192.168.0.0 remoteoffice-nw
name z.z.z.z remoteoffice
access-list 102 permit tcp any host a.a.a.a eq smtp
access-list 102 permit tcp any host a.a.a.a eq www
access-list 102 permit tcp any host a.a.a.a eq 3389
access-list 102 permit tcp any host b.b.b.b eq pcanywhere-data
access-list 102 permit udp any host b.b.b.b eq pcanywhere-status
access-list 102 permit tcp any host c.c.c.c eq 3389
access-list 101 permit ip 10.0.0.0 255.255.255.0 remoteoffice-nw 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside WAN 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.1.1-10.0.1.254
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.a 10.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.b Boardroom netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.c 10.0.0.2 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 router 1
route outside router 255.255.255.255 router 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn 30 match address 101
crypto dynamic-map outside_dyn 30 set transform-set myset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer remoteoffice
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remoteoffice netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dialin address-pool ippool
vpngroup dialin dns-server 10.0.0.3 195.10.102.11
vpngroup dialin idle-time 1800
vpngroup dialin password ********
telnet timeout 5
ssh timeout 5
terminal width 80
: end
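
Added example, not part of the original post: a small Python check that resolves each crypto map entry in the posted config to the IPsec transforms it ends up using, following the dynamic-map reference, so an entry left on single DES stands out when two configs are merged. The function names are hypothetical, and the sample input is only the crypto lines of the config above, embedded as constructed input.

```python
# Constructed sample: only the crypto lines of the posted config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn 30 match address 101
crypto dynamic-map outside_dyn 30 set transform-set myset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer remoteoffice
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn
crypto map outside_map interface outside
"""

WEAK = {"esp-des"}  # single DES, 56-bit key


def resolve_entries(config):
    """Return {(map_name, seq): [transforms]} for every crypto map entry,
    following 'ipsec-isakmp dynamic <name>' references into dynamic maps."""
    tsets, dyn_sets, static_sets, dyn_refs = {}, {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = t[4:]
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["set", "transform-set"]:
            dyn_sets.setdefault(t[2], []).extend(t[6:])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            static_sets.setdefault((t[2], int(t[3])), []).extend(t[6:])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["ipsec-isakmp", "dynamic"]:
            dyn_refs[(t[2], int(t[3]))] = t[6]
    entries = dict(static_sets)
    for key, dyn_name in dyn_refs.items():
        entries[key] = dyn_sets.get(dyn_name, [])
    return {k: [x for s in v for x in tsets.get(s, [])] for k, v in entries.items()}


def weak_entries(config):
    """Sorted (map_name, seq, transform) findings for entries using a weak cipher."""
    return sorted((m, s, x) for (m, s), xs in resolve_entries(config).items()
                  for x in xs if x in WEAK)


if __name__ == "__main__":
    for (name, seq), xs in sorted(resolve_entries(SAMPLE_CONFIG).items()):
        print(name, seq, " ".join(xs))
    print("weak:", weak_entries(SAMPLE_CONFIG))
```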