Question : Problem: Unable to get ISAKMP negotiation between PIX and Cisco 831 router
I've been trying to set up a VPN between an 831 router at a remote office and the PIX firewall at the corporate office. I've stared at these configs until I'm blue in the face and cannot find the problem. I think it might be in the access list, but I'm not sure what to do. I have run debug crypto isakmp on both sides and cannot get any output indicating there is communication between the two. I do have vpdn set up and working so I can work from both sides of the connection. I have tried pinging from boxes on the inside of each network, but neither device will bring up the tunnel or show any output through debug. Here are the configs:

-----------------------------------------------------------------------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password Ww0YZPh.iCQFGluP encrypted
passwd Ww0YZPh.iCQFGluP encrypted
hostname pix.133154-01
domain-name xxxxxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
names
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.4.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.6.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.7.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.8.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
pager lines 24
interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 69.11.xxx.xxx 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.200.100-192.168.200.119
pdm history enable
arp timeout 14400
global (outside) 1 69.11.xxx.xxx
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 69.11.xxx.xxx 1
route inside 10.138.88.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.100.0 255.255.255.0 192.168.1.2 1
route inside 192.168.101.0 255.255.255.0 192.168.1.2 1
route inside 192.168.102.0 255.255.255.0 192.168.1.2 1
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map emiller 21 ipsec-isakmp
crypto map emiller 21 match address emiller
crypto map emiller 21 set peer 24.94.xxx.x
crypto map emiller 21 set transform-set strong
crypto map emiller interface outside
isakmp enable outside
isakmp key ******** address 24.94.xxx.x netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 24.94.xxx.x 255.255.255.255 outside
ssh timeout 15
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local clients
vpdn group 1 client configuration dns 192.168.1.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxxxxx password *********
vpdn username xxxxxx password *********
vpdn enable outside
terminal width 80
Cryptochecksum:86eeb0849b6741ffb23f298d9f4b08d7
: end
-------------------------------------------------------------------------------------------------

!This is the running config of the router: 192.168.8.1
!----------------------------------------------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BrownDeer
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$VJ6t$PTMACj/MR9aRy0ntlZUhv0
!
username Eric privilege 15 password 7 141A010E1E127F78
clock timezone Chicago -6
clock summer-time Chicago date Apr 3 2004 2:00 Oct 31 2004 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain lookup source-interface Ethernet1
ip domain name xxxxxxx.com
ip dhcp excluded-address 192.168.8.1 192.168.8.100
ip dhcp excluded-address 192.168.8.200 192.168.8.254
!
ip dhcp pool CLIENT
   import all
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.1
   lease infinite
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 xxxxx address 69.11.xxx.xxx
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 69.11.xxx.xxx
 set peer 69.11.xxx.xxx
 set transform-set strong
 match address 103
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.8.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip classless
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 192.168.8.101
access-list 1 permit 192.168.8.101
access-list 1 remark SDM_ACL Category=17
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq telnet
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq 22
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq www
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq 443
access-list 100 permit tcp host 192.168.8.101 host 192.168.8.1 eq cmd
access-list 100 deny tcp any host 192.168.8.1 eq telnet
access-list 100 deny tcp any host 192.168.8.1 eq 22
access-list 100 deny tcp any host 192.168.8.1 eq www
access-list 100 deny tcp any host 192.168.8.1 eq 443
access-list 100 deny tcp any host 192.168.8.1 eq cmd
access-list 100 deny udp any host 192.168.8.1 eq snmp
access-list 100 deny ip 24.94.xxx.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit udp host 69.11.xxx.xxx any eq non500-isakmp
access-list 101 permit udp host 69.11.xxx.xxx any eq isakmp
access-list 101 permit esp host 69.11.xxx.xxx any
access-list 101 permit ahp host 69.11.xxx.xxx any
access-list 101 permit tcp host 69.11.xxx.xxx host 24.94.xxx.x eq 22
access-list 101 permit tcp host 69.11.xxx.xxx host 24.94.xxx.x eq 443
access-list 101 permit tcp host 69.11.xxx.xxx host 24.94.xxx.x eq cmd
access-list 101 permit gre host 69.11.xxx.xxx host 24.94.xxx.x
access-list 101 deny tcp any host 24.94.xxx.x eq telnet
access-list 101 deny tcp any host 24.94.xxx.x eq www
access-list 101 deny udp any host 24.94.xxx.x eq snmp
access-list 101 remark Auto generated by SDM for NTP (123) 132.163.4.101
access-list 101 permit udp host 132.163.4.101 eq ntp any eq ntp
access-list 101 deny ip 192.168.8.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=17
access-list 102 permit ip host 192.168.8.101 any
access-list 102 permit ip host 69.11.232.202 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
banner login ^C
Unauthorized access to this router is forbidden. If you violate this policy, you may be prosecuted to the full extent of the law.
^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 102 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 132.163.4.101
!
end
-----------------------------------------------------------------------
Any help you can give would be greatly appreciated.
Answer : Problem: Unable to get ISAKMP negotiation between PIX and Cisco 831 router
>access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
>crypto map emiller 21 match address emiller
>crypto map emiller 21 set peer 24.94.xxx.x
With those entries, can I assume that this is for the LAN-LAN tunnel to the router?
I would expect to also see an addition to the nat zero ACL that matches the "emiller" ACL:

access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
On the router side:
Given:
>interface Ethernet1
> description $FW_OUTSIDE$
> ip access-group 101 in

Your access-list is specifically permitting the network on the other side of the PIX (Good!):
>access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255

Your tunnel match ACL is the mirror of the PIX (Good!):
>access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
Route-map for NAT is OK on the router (Good!)
Everything else looks good. Two more things to check:
PC on 192.168.8.x side has default gateway pointing to 192.168.8.1 (router) - Check?
PC on 192.168.1.x side has default gateway pointing to 192.168.1.1 (PIX) - Check?
PC on 192.168.1.x side has default gateway pointing to 192.168.1.2 (router?) - Does this router have a route statement in it pointing to the PIX for the 192.168.8.x subnet?
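The two configuration checks the answer above makes by eye (the PIX crypto-map match ACL must be duplicated in the nat 0 ACL, and the router's crypto ACL must be the exact mirror of the PIX one) can be scripted. The following is an added example, not code from the original thread or from Cisco; it parses only the ACL, nat 0 and crypto map lines quoted in the question (embedded here as constructed sample configs), normalises PIX subnet masks and IOS wildcard masks to the same network notation, and reports which crypto ACL entries are missing from nat 0 and which entries are not mirrored between the two peers. The names FIX_LINE, missing_from_nat0 and not_mirrored are this example's own.

```python
"""Added example (not from the original post): checks two LAN-to-LAN tunnel
conditions between a PIX 6.x and an IOS router.

  1. Every network pair in the PIX crypto map's "match address" ACL also
     appears in the "nat (inside) 0 access-list" ACL, so the traffic is
     exempt from translation and can match the crypto ACL.
  2. The router's crypto "match address" ACL is the exact mirror of the
     PIX ACL (source and destination swapped).

PIX ACLs use dotted subnet masks, IOS ACLs use wildcard masks; both are
converted to ipaddress networks so they compare directly.
"""
import ipaddress
import re

# Constructed sample: the relevant lines from the PIX config in the question.
PIX_CONFIG = """\
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map emiller 21 match address emiller
"""

# Constructed sample: the relevant lines from the 831 config in the question.
IOS_CONFIG = """\
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 69.11.xxx.xxx
 match address 103
"""

# The nat 0 entry the answer says is missing on the PIX.
FIX_LINE = "access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0\n"


def _net_from_netmask(addr, netmask):
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _net_from_wildcard(addr, wildcard):
    """IOS wildcard (0.0.0.255) -> netmask (255.255.255.0). A non-contiguous
    wildcard is not a single network and raises ValueError."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def pix_acl(config, name):
    """Set of (src, dst) networks from 'access-list NAME permit ip A MASK B MASK'."""
    pat = re.compile(rf"^access-list {re.escape(name)} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(_net_from_netmask(s, sm), _net_from_netmask(d, dm))
            for s, sm, d, dm in pat.findall(config)}


def ios_acl(config, number):
    """Set of (src, dst) networks from 'access-list N permit ip A WILD B WILD'."""
    pat = re.compile(rf"^access-list {re.escape(number)} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(_net_from_wildcard(s, sw), _net_from_wildcard(d, dw))
            for s, sw, d, dw in pat.findall(config)}


def pix_crypto_acl_name(config):
    m = re.search(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    return m.group(1) if m else None


def pix_nat0_acl_name(config):
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None


def ios_crypto_acl_name(config):
    """ACL named by 'match address' inside the first ipsec-isakmp crypto map entry."""
    in_map = False
    for line in config.splitlines():
        if line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
            in_map = True
        elif in_map and line.strip().startswith("match address "):
            return line.split()[-1]
        elif in_map and not line.startswith(" "):
            in_map = False
    return None


def missing_from_nat0(pix_config):
    """Crypto ACL pairs with no identical nat 0 entry, as sorted ('src', 'dst') strings."""
    crypto = pix_acl(pix_config, pix_crypto_acl_name(pix_config))
    nat0 = pix_acl(pix_config, pix_nat0_acl_name(pix_config))
    return sorted((str(s), str(d)) for s, d in crypto - nat0)


def not_mirrored(pix_config, ios_config):
    """Pairs present on only one peer once the router's src/dst are swapped."""
    crypto = pix_acl(pix_config, pix_crypto_acl_name(pix_config))
    mirror = {(d, s) for s, d in ios_acl(ios_config, ios_crypto_acl_name(ios_config))}
    return sorted((str(s), str(d)) for s, d in crypto ^ mirror)


if __name__ == "__main__":
    print("crypto ACL entries missing from nat 0:", missing_from_nat0(PIX_CONFIG))
    print("after adding the suggested line:", missing_from_nat0(PIX_CONFIG + FIX_LINE))
    print("PIX/IOS crypto ACL mismatches:", not_mirrored(PIX_CONFIG, IOS_CONFIG))
```

Run against the lines from the question, the first check reports the 192.168.1.0/24 to 192.168.8.0/24 pair as absent from the VPN ACL, and the same run with FIX_LINE appended reports nothing; the mirror check comes back clean, which matches the answer's reading of ACL 103. The script only understands `permit ip A MASK B MASK` entries, so `host`/`any` forms would need to be added before using it on a larger config.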