Question : Problem: Cisco 2611 to Netscreen 5XP Vpn Problem

Hi,


I have set up a VPN between a Cisco 2611 and a Netscreen 5XP.  The VPN
shows as up but I cannot ping any hosts.  Here is the config from the
2611.  Any suggestions are greatly appreciated.  The internal network
on the Cisco side is 10.0.0.0 and the Netscreen side is 192.168.1.0.

                                             Thanks,


Building configuration...

Current configuration : 4399 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 88888
!
no logging console
enable secret 5 ********
!
ip subnet-zero
no ip source-route
!
!
ip domain-name **********************
ip name-server 168.215.x.x
ip name-server 216.136.x.x
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key **** address 66.25.x.x
!
!
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
!        
!        
!        
crypto map rtp 1 ipsec-isakmp  
 set peer 66.25.x.x
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 101
!        
call rsvp-sync
!        
!        
!        
!        
!        
!        
!        
!        
interface Ethernet0/0
 description Royal LAN connected to the 2900XL
 ip address 10.0.0.254 255.255.255.0 secondary
 ip address 66.192.x.x 255.255.255.240
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 half-duplex
!        
interface Serial0/0
 description Time Warner T1 at 1.544 Mbs
 ip address 66.162.x.x 255.255.255.252
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 crypto map rtp
!        
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!        
ip nat inside source list 10 interface Serial0/0 overload
ip classless
! Router at ISP
ip route 0.0.0.0 0.0.0.0 66.162.x.x
no ip http server
!        
access-list 10 permit 10.0.0.10
access-list 10 permit 10.0.0.11
access-list 10 permit 10.0.0.8
access-list 10 permit 10.0.0.9
access-list 10 permit 10.0.0.14
access-list 10 permit 10.0.0.15
access-list 10 permit 10.0.0.12
access-list 10 permit 10.0.0.13
access-list 10 permit 10.0.0.2
access-list 10 permit 10.0.0.3
access-list 10 permit 10.0.0.1
access-list 10 permit 10.0.0.6
access-list 10 permit 10.0.0.7
access-list 10 permit 10.0.0.4
access-list 10 permit 10.0.0.5
access-list 10 permit 10.0.0.26
access-list 10 permit 10.0.0.27
access-list 10 permit 10.0.0.24
access-list 10 permit 10.0.0.25
access-list 10 permit 10.0.0.30
access-list 10 permit 10.0.0.31
access-list 10 permit 10.0.0.28
access-list 10 permit 10.0.0.29
access-list 10 permit 10.0.0.18
access-list 10 permit 10.0.0.19
access-list 10 permit 10.0.0.16
access-list 10 permit 10.0.0.17
access-list 10 permit 10.0.0.22
access-list 10 permit 10.0.0.23
access-list 10 permit 10.0.0.20
access-list 10 permit 10.0.0.21
access-list 10 permit 10.0.0.40
access-list 10 permit 10.0.0.34
access-list 10 permit 10.0.0.35
access-list 10 permit 10.0.0.32
access-list 10 permit 10.0.0.33
access-list 10 permit 10.0.0.38
access-list 10 permit 10.0.0.39
access-list 10 permit 10.0.0.36
access-list 10 permit 10.0.0.37
access-list 10 permit 10.0.0.253


access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!        
!        
dial-peer cor custom
!        
!        
!        
!        
!        
line con 0
line aux 0
line vty 0 4
 password ********************************************
 login    
!        
end      

Answer : Problem: Cisco 2611 to Netscreen 5XP Vpn Problem

acl 111 can be this way:

access-list 111 deny ip host 10.0.0.1 any
access-list 111 deny ip host 10.0.0.2 any
access-list 111 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.0.0.255 any

And yes, keep acl 123 as is...
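
Added example (not part of the original question or answer): IOS applies inside-to-outside NAT before it checks the crypto map, so a host permitted by the NAT list is translated and no longer matches access-list 101. The sketch below evaluates the page's ACLs first-match to show this, assuming ACL 111 is meant to replace ACL 10 as the NAT list; the function names are illustrative.

```python
from ipaddress import ip_address

# Constructed from the page's ACL lines; ACL 111 is assumed to be the new NAT list.
SAMPLE = """\
access-list 10 permit 10.0.0.10
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip host 10.0.0.1 any
access-list 111 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.0.0.0 0.0.0.255 any
"""
ANY = (0, 0xFFFFFFFF)  # (base, wildcard) matching every address

def take_addr(tok):
    """Pop one address spec off tok; a bare address (standard ACL) is one host."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return int(ip_address(tok.pop(0))), 0
    wild = int(ip_address(tok.pop(0))) if tok and tok[0][0].isdigit() else 0
    return int(ip_address(t)), wild

def parse_acls(config):
    """Map ACL number -> ordered (action, src, dst); handles 'ip' entries only."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            num, action, extended = tok[1], tok[2], tok[3] == "ip"
            rest = tok[4:] if extended else tok[3:]
            src = take_addr(rest)
            dst = take_addr(rest) if extended else ANY
            acls.setdefault(num, []).append((action, src, dst))
    return acls

def hit(spec, ip):
    return (int(ip_address(ip)) | spec[1]) == (spec[0] | spec[1])

def permits(acl, src, dst):
    """First-match evaluation, ending in the implicit deny."""
    for action, s, d in acl:
        if hit(s, src) and hit(d, dst):
            return action == "permit"
    return False

def natted_before_tunnel(acls, nat_acl, crypto_acl, src, dst):
    """True if a flow the crypto ACL selects is translated first and misses it."""
    return permits(acls[crypto_acl], src, dst) and permits(acls[nat_acl], src, dst)

ACLS = parse_acls(SAMPLE)
```

With ACL 10 as the NAT list, `natted_before_tunnel(ACLS, "10", "101", "10.0.0.10", "192.168.1.5")` is true; with ACL 111 the same flow is exempt from NAT while traffic to other destinations is still translated.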