maeb3 (Germany) asked:
Setup VPN (IPSec) with Cisco 836 and Cisco PIX 515E


I have to set up a new Cisco 836 router (IOS 12.3) in a remote office (172.20.1.0/24) to connect to a Cisco PIX 515E (v6.1) in our central office (10.72.0.0/16) via VPN. The Cisco 836 will connect to the internet via DSL (dynamic IP address), but for some tests before implementing I would like to use the ISDN interface.

There should be no "direct" internet access for the remote office workstations; they all should go via central office (VPN) when surfing the internet.

Can anyone see why the VPN fails in the router config below?
Connecting to the internet works fine, but ISAKMP seems to have some problems (see debug at bottom).
Do I need to configure NAT in the router, if all traffic should use the VPN tunnel without NAT?

Any comments are welcome.

maeb3

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TEST
!
enable secret 5 xxxxx
!
username xxxxx secret 5 xxxxx
no aaa new-model
no ip subnet-zero
no ip source-route
no ip domain lookup
ip name-server 145.253.2.11
ip name-server 10.72.2.1
ip name-server 194.25.0.68
ip dhcp excluded-address 172.20.1.1
!
ip dhcp pool DHCP_POOL_TEST
   network 172.20.1.0 255.255.255.0
   default-router 172.20.1.1
   dns-server 10.72.2.1 10.72.2.6
   lease 3
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
isdn switch-type basic-net3
!
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key 0 xxxxxxxxxx address 217.x.x.x
!
!
crypto ipsec transform-set VPNsettings esp-des esp-sha-hmac
!
crypto map VPN_Tunnel 10 ipsec-isakmp
 description VPN Tunnel
 set peer 217.x.x.x
 set transform-set VPNsettings
 match address 110
!
interface Ethernet0
 description LAN Interface
 ip address 172.20.1.1 255.255.255.0
! ip nat inside ???
 no ip proxy-arp
 no cdp enable
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 no cdp enable
 ppp authentication chap callin
!
interface ATM0
 description DSL NOT USED DURING TESTING
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 load-interval 30
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description ISDN-DialIn
 ip address negotiated
 no ip proxy-arp
! ip nat outside ???
 encapsulation ppp
 dialer pool 1
 dialer wait-for-carrier-time 10
 dialer string 06102xxxxxx
 dialer hold-queue 10
 dialer redial interval 5 attempts 5
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxx
 ppp chap password 7 xxxxxxx
 crypto map VPN_Tunnel
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 110 permit ip 172.20.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 exec-timeout 15 0
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 password 7 xxxx
 login local
 length 0
!
scheduler max-task-time 5000
no rcapi server
!
end

Debugging shows something like:
...
00:06:135310971284: IPSEC(sa_find_addr): null IP address specified on SADB lookup
00:06:133189296253: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
00:06:31: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xE6867E18(3867573784), conn_id= 0, keysize= 0, flags= 0x400A
00:06:31: ISAKMP: received ke message (1/1)
00:06:31: ISAKMP (0:0): SA request profile is (NULL)
00:06:31: ISAKMP: local port 500, remote port 500
00:06:31: ISAKMP: set new node 0 to QM_IDLE      
00:06:31: ISAKMP: insert sa successfully sa = 8171F908
00:06:31: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
00:06:31: ISAKMP: Looking for a matching key for 217.x.x.x in default : success
00:06:31: ISAKMP (0:1): found peer pre-shared key matching 217.x.x.x
00:06:31: ISAKMP (0:1): constructed NAT-T vendor-03 ID
00:06:31: ISAKMP (0:1): constructed NAT-T vendor-02 ID
00:06:31: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:06:31: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
00:06:31: ISAKMP (0:1): beginning Main Mode exchange
00:06:31: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:06:41: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:06:41: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:06:41: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:06:41: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:06:51: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:06:51: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:06:51: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:06:51: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:07:01: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
00:07:01: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x2407EF74(604499828), conn_id= 0, keysize= 0, flags= 0x400A
00:07:01: ISAKMP: received ke message (1/1)
00:07:01: ISAKMP: set new node 0 to QM_IDLE      
00:07:01: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 212.144.60.209, remote 217.x.x.x)
00:07:01: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:07:01: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:07:01: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:07:01: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:07:04: IPSEC(crypto_ipsec_isakmp_sa_initiate): Sending bogus packet to dialer for classification
00:07:04: IPSEC(crypto_ipsec_isakmp_sa_initiate): Sending bogus packet to dialer for classification
00:07:04: IPSEC(crypto_ipsec_isakmp_sa_initiate): Sending bogus packet to dialer for classification
00:07:11: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:07:11: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:07:11: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
.....


The central office (Cisco PIX, 217.x.x.x) doesn't receive any requests on port 500.
Les Moore (United States):

>access-list 110 permit ip 172.20.1.0 0.0.0.255 any
Are you sure you want ALL traffic going through the VPN tunnel?
No Internet access for this office?

Have you verified the crypto key at both ends to match?
If you remove the crypto map from the dialer interface, and add the "ip nat outside" command, will you get Internet access? Can you then ping the remote 217.x.x.x PIX IP address?
You need to establish that you can directly communicate public IP to public IP before you apply the crypto map.
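
The debug the asker posted can be triaged mechanically before anyone touches the crypto configuration. The script below is an added example, not code from the original thread and not a Cisco tool: it reads `debug crypto isakmp` / `debug crypto ipsec` output, counts Main Mode retransmits against packets received per ISAKMP SA, and extracts the proxy identities the router proposes. On the posted capture it returns NO_REPLY for SA 0:1, the same conclusion as the advice above: Main Mode message 1 leaves the router and nothing ever comes back, so public-to-public reachability has to be proven first. The sample text is a condensed copy of the posted debug with the asker's masked peer address kept as it appears; the verdict names and the ADVICE table are my own.

```python
"""Triage a Cisco IOS `debug crypto isakmp` / `debug crypto ipsec` capture.
Added example for this thread (not the asker's code, not a Cisco tool). It
answers the first question about the debug above: did the peer ever answer
on UDP/500, or is the router only retransmitting Main Mode message 1?"""
import re
from dataclasses import dataclass, field

# Constructed sample: a condensed copy of the debug posted above, with the
# asker's masked peer address kept as it appears there.
SAMPLE_DEBUG = """\
00:06:31: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.144.60.209, remote= 217.x.x.x,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
00:06:31: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
00:06:31: ISAKMP (0:1): found peer pre-shared key matching 217.x.x.x
00:06:31: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
00:06:31: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:06:41: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:06:41: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:06:41: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:06:41: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
00:06:51: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
00:06:51: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:06:51: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
00:06:51: ISAKMP (0:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SA_RE = re.compile(r"ISAKMP \((\d+:\d+)\): (.*)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/")

# Verdict names are my own; the advice follows the order this thread took.
ADVICE = {
    "NO_REPLY": "Main Mode message 1 is retransmitted and nothing comes back: prove "
                "public-to-public reachability with the crypto map removed, then check "
                "the path and the peer's inbound ACL hit counts for UDP/500.",
    "REPLIED_BUT_FAILED": "The peer answers, so the path is fine: compare ISAKMP "
                          "policies and pre-shared keys on both ends.",
    "PHASE1_COMPLETE": "Phase 1 is up; look at Phase 2 (transform set, proxy IDs, PFS).",
    "INCONCLUSIVE": "Too little of the exchange was captured to decide.",
}


@dataclass
class SaTrace:
    peer: str = ""
    states: list = field(default_factory=list)
    sent: int = 0
    received: int = 0
    retransmits: int = 0
    last_sent_state: str = ""


def parse(debug_text):
    """Return ({sa_id: SaTrace}, {"local"/"remote": "net/mask"} proxy identities)."""
    sas, proxies = {}, {}
    for line in debug_text.splitlines():
        if (m := PROXY_RE.search(line)):
            proxies[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif (m := SA_RE.search(line)):
            sa, msg = sas.setdefault(m.group(1), SaTrace()), m.group(2)
            if (s := STATE_RE.search(msg)):
                sa.states.append(s.group(2))
            elif (s := SEND_RE.search(msg)):
                sa.peer, sa.last_sent_state = s.group(1), s.group(3)
                sa.sent += 1
            elif RECV_RE.search(msg):
                sa.received += 1
            elif msg.startswith("retransmitting phase 1") and msg.endswith("..."):
                sa.retransmits += 1  # IOS logs each retransmit twice; count the "..." line
    return sas, proxies


def diagnose(sa):
    if "IKE_P1_COMPLETE" in sa.states:
        return "PHASE1_COMPLETE"
    if sa.received == 0 and sa.last_sent_state == "MM_NO_STATE" and sa.retransmits >= 2:
        return "NO_REPLY"
    if sa.received > 0:
        return "REPLIED_BUT_FAILED"
    return "INCONCLUSIVE"


def report(debug_text):
    """Verdict per ISAKMP SA that actually exchanged packets, plus the proxy IDs."""
    sas, proxies = parse(debug_text)
    return {sid: diagnose(sa) for sid, sa in sas.items() if sa.sent or sa.received}, proxies


if __name__ == "__main__":
    verdicts, proxies = report(SAMPLE_DEBUG)
    for sid, v in verdicts.items():
        print(f"ISAKMP SA {sid}: {v} - {ADVICE[v]}")
    # remote_proxy 0.0.0.0/0.0.0.0 is what `permit ip 172.20.1.0 0.0.0.255 any`
    # becomes on the wire; the peer's crypto ACL has to be its mirror image.
    print("proxy IDs:", proxies.get("local"), "->", proxies.get("remote"))
```

Paste a real capture into `report()` in place of the sample. The proxy identity line is worth reading even when the verdict is NO_REPLY: the `any` in access-list 110 shows up as `remote_proxy= 0.0.0.0/0.0.0.0`, which the PIX side only accepts if its crypto ACL is the mirror image (`any` to 172.20.1.0/24, as VPN_1 is further down the thread).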

jamespickering:

Can you try the configuration:
crypto ipsec nat-transparency udp-encapsulation
maeb3 (asker):

@lrmoore

Yes, all traffic should use the VPN tunnel, since internet access is done via a proxy server in the central office.

The crypto key is the same at both ends, but I think it doesn't even come to the point where the keys are exchanged, since the hit count on the Cisco PIX (217.x.x.x) shows "0" for port 500.

When deleting the crypto statement and adding the "ip nat inside", "ip nat outside", "ip nat inside source ... overload" statements, I have direct internet access via ISDN. (I can't ping the PIX since ICMP is blocked before).

@jamespickering
I will try that tonight.

maeb3

>since the hit count on the Cisco PIX (217.x.x.x) shows "0" for port 500.
Don't you have "sysopt connection permit-ipsec"

>I can't ping the PIX since ICMP is blocked before
Where is icmp blocked? Is UDP 500 also blocked, perchance?

Can you post your pix config?
maeb3 (asker):

The "sysopt connection permit-ipsec" statement exists.

The ping is blocked in the internet facing router. I don't think UDP 500 is blocked in there, but I will check that.

The PIX config looks like

PIX Version 6.1(4)
....
names
name 217.x.x.100  Outside_IP
name 217.x.x.101  Outside_DSL
! 217.x.x.101 is the internet facing DSL router
name 217.x.x.102  Outside_Mail
name 217.x.x.106  Outside_Internet
access-list Internet permit icmp any any
access-list Internet permit tcp any host Outside_Mail eq smtp
access-list Internet permit udp any host Outside_IP eq isakmp
access-list Internet permit udp any host Outside_Internet eq isakmp
access-list VPN_1 permit ip any 172.20.1.0 255.255.255.0
access-list NoNAT permit ip 10.0.0.0  255.0.0.0  172.20.0.0  255.255.0.0
...
ip address outside Outside_IP 255.255.255.0      
ip address inside 192.168.1.2 255.255.255.0
ip address inside2 10.72.2.50  255.255.0.0
ip audit info action alarm
ip audit attack action alarm      
pdm history enable
arp timeout 14400      
global (outside) 1 Outside_Internet netmask 255.255.255.0
global (outside) 2 Outside_Mail netmask 255.255.255.0
nat (inside) 0 access-list NoNAT
nat (inside)  1  0.0.0.0  0.0.0.0  0  0      
nat (inside2)  2  0.0.0.0  0.0.0.0  0  0
static (inside2,outside) tcp Outside_Mail smtp 10.72.2.3 smtp netmask 255.255.255.255 0 0
! assign access lists
access-group Internet in interface outside
access-group Mailbypass in interface inside2
route outside 0.0.0.0 0.0.0.0 Outside_DSL 1
route inside2 10.0.0.0 255.0.0.0 10.72.1.1 1
...
floodguard enable
sysopt connection permit-ipsec       
no sysopt route dnat
crypto ipsec transform-set VPNsettings2 esp-des esp-sha-hmac            
crypto dynamic-map dynMap1 10 match address VPN_1
crypto dynamic-map dynMap1 10 set transform-set VPNsettings2
crypto dynamic-map dynMap1 10 set pfs group2
crypto map NWT 100 ipsec-isakmp dynamic dynMap1
crypto map NWT interface outside
isakmp enable outside
isakmp key  **************  address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 5000
...


I know I probably have some routing issues to solve within the local network, before everything works fine, but the first thing is to get the VPN connection working.

maeb3

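
With both configs now on the page, the two ends can be checked against each other mechanically. The script below is an added example, not the asker's code and not Cisco tooling; it parses only the kinds of crypto lines quoted above (IOS wildcard ACLs and PIX netmask ACLs, ISAKMP policies with Cisco's defaults filled in for attributes the running config hides, transform sets, and the static and dynamic crypto maps) and reports whether a Phase 1 policy matches on both sides, whether a transform set is shared, whether the crypto ACLs are mirror images, and whether PFS is configured on one side only. On the posted excerpts the first three checks pass and only the PFS check flags, because `set pfs group2` is on the PIX dynamic map and there is no `set pfs` in the router's crypto map; that would only matter once Phase 1 completes, which the debug shows never happens here. The P1_DEFAULTS values are the Cisco defaults as I know them for IOS 12.3 and PIX 6.x and should be confirmed with `show crypto isakmp policy`.

```python
"""Cross-check the IPsec parts of an IOS config against a PIX 6.x config.
Added example for this thread (not the asker's code, not a Cisco tool); it
understands only the kinds of crypto lines quoted in the thread."""
import ipaddress

# Cisco defaults for the ISAKMP attributes the running config hides (assumed from
# IOS 12.3 / PIX 6.x; confirm with `show crypto isakmp policy`). The lifetime is
# negotiated down to the shorter value, so it is not compared here.
P1_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
SUBKEYS = {"set transform-set": "ts", "set pfs": "pfs", "match address": "acl"}

# Constructed excerpts: the crypto lines from the two configs posted above.
IOS_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 5000
crypto ipsec transform-set VPNsettings esp-des esp-sha-hmac
crypto map VPN_Tunnel 10 ipsec-isakmp
 set transform-set VPNsettings
 match address 110
access-list 110 permit ip 172.20.1.0 0.0.0.255 any
"""
PIX_CFG = """\
access-list VPN_1 permit ip any 172.20.1.0 255.255.255.0
crypto ipsec transform-set VPNsettings2 esp-des esp-sha-hmac
crypto dynamic-map dynMap1 10 match address VPN_1
crypto dynamic-map dynMap1 10 set transform-set VPNsettings2
crypto dynamic-map dynMap1 10 set pfs group2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 5000
"""

def _net(tokens, wildcard):
    """Consume one ACL address spec ('any' or 'addr mask'); return (network, used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    mask = tokens[1]
    if wildcard:  # IOS ACLs carry inverse masks, PIX ACLs carry real netmasks
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], mask), strict=False), 2

def _acl_entry(tokens, wildcard):
    src, used = _net(tokens, wildcard)
    return src, _net(tokens[used:], wildcard)[0]

def parse_ios(text):
    cfg, cur = {"policies": {}, "transforms": {}, "maps": {}, "acls": {}}, None
    for line in text.splitlines():
        t = line.split()
        if not t or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy"):
            cur = cfg["policies"].setdefault(t[3], dict(P1_DEFAULTS))
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transforms"][t[3]] = frozenset(t[4:])
        elif line.startswith("crypto map") and "ipsec-isakmp" in t:
            cur = cfg["maps"].setdefault((t[2], t[3]), {"pfs": None, "ts": None, "acl": None})
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(_acl_entry(t[4:], True))
        elif line.startswith(" ") and cur is not None:  # policy or map sub-mode line
            key = SUBKEYS.get(" ".join(t[:2]))
            if key:
                cur[key] = t[2]
            elif t[0] in P1_DEFAULTS:
                cur[t[0]] = t[1]
    return cfg

def parse_pix(text):
    cfg = {"policies": {}, "transforms": {}, "maps": {}, "acls": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "policy"]:
            cfg["policies"].setdefault(t[2], dict(P1_DEFAULTS))[t[3]] = t[4]
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transforms"][t[3]] = frozenset(t[4:])
        elif line.startswith("crypto dynamic-map"):  # PIX repeats the map name per attribute
            key = SUBKEYS.get(" ".join(t[4:6]))
            if key:
                cfg["maps"].setdefault((t[2], t[3]), {"pfs": None, "ts": None, "acl": None})[key] = t[6]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append(_acl_entry(t[4:], False))
    return cfg

def compare(ios, pix):
    """Four verdicts; a False, or a True pfs_mismatch, is a reason the tunnel fails."""
    phase1 = any(all(a[k] == b[k] for k in P1_DEFAULTS)
                 for a in ios["policies"].values() for b in pix["policies"].values())
    ios_ts = {ios["transforms"].get(m["ts"]) for m in ios["maps"].values()} - {None}
    pix_ts = {pix["transforms"].get(m["ts"]) for m in pix["maps"].values()} - {None}
    ios_pairs = {p for m in ios["maps"].values() for p in ios["acls"].get(m["acl"], [])}
    pix_pairs = {p for m in pix["maps"].values() for p in pix["acls"].get(m["acl"], [])}
    # Proxy IDs must be mirror images: the router's (src, dst) is the PIX's (dst, src).
    mirrored = bool(ios_pairs) and all((d, s) in pix_pairs for s, d in ios_pairs)
    pfs_ios = any(m["pfs"] for m in ios["maps"].values())
    pfs_pix = any(m["pfs"] for m in pix["maps"].values())
    return {"phase1_match": phase1, "phase2_transform_match": bool(ios_ts & pix_ts),
            "acl_mirrored": mirrored, "pfs_mismatch": pfs_ios != pfs_pix}
```

Run `compare(parse_ios(IOS_CFG), parse_pix(PIX_CFG))` on the excerpts; replace the two strings with `show running-config` output from each box to use it for real. The mirror-image check is the one that catches most dynamic-map setups: the responder's `match address` ACL has to list the remote network as destination and the local side as source, exactly the inverse of the initiator's crypto ACL.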
> but the first thing is to get the VPN connection working.
It may not work that way. Since the VPN tunnel is dynamic, it will not complete the connection unless and until there is 2-way communication on that link.

>route inside2 10.0.0.0 255.0.0.0 10.72.1.1 1
Does the router 10.72.1.1 have a route statement for the 172.20.1.0 subnet pointing to the PIX?

On your router, you may need to include the encryption statement

>crypto isakmp policy 10
 authentication pre-share
 encryption des  <== add this statement
 group 2
 lifetime 5000
maeb3 (asker):

@jamespickering
the "crypto ipsec nat-transparency udp-encapsulation" statement is the default for my router, so this statement is already there.

@lrmoore
same  for the "encryption des". It's the default and therefore not displayed in the config.

I already asked for the static route entry in the 10.72.1.1 (this router is managed by an external service provider). It should be done during the next days. But I think at least the ISAKMP key exchange should work between the dynamic IP of the router and the static IP of the PIX.

My new "prime suspect" is the isdn internet provider not allowing VPNs, since this is just a small "internet by call" provider. I will check that this weekend and maybe try another ISP where I definitely know that VPNs are allowed.

Question: do I have to use the static IP address of the PIX outside interface (217.x.x.100) or may I use a separate (global) IP address for VPN connections like 217.x.x.103? (> name 217.x.x.103 Outside_VPN).

maeb3

ASKER CERTIFIED SOLUTION by Les Moore (United States) (answer text not available on this page)
maeb3 (asker):

Still no success.
I'm quite sure now that the PIX is the problem.

When using my router config without the crypto statement on the dialer interface, I can access the internet and also ping the PIX in the central office (I permitted ICMP on the PIX outside interface). When adding the crypto statement, I can ping the PIX outside interface from the router itself (CLI), but not from the remote clients. So the router tries to route the client traffic into the (non-existing) VPN tunnel, which would be fine if the VPN tunnel existed ;-)

From the debug information I can see that the router tries to start an isakmp connection to the PIX:
...
00:34:54: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
00:34:54: ISAKMP: Looking for a matching key for 217.x.x.100 in default : success
00:34:54: ISAKMP (0:2): found peer pre-shared key matching 217.x.x.100
00:34:54: ISAKMP (0:2): constructed NAT-T vendor-03 ID
00:34:54: ISAKMP (0:2): constructed NAT-T vendor-02 ID
00:34:54: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:34:54: ISAKMP (0:2): Old State = IKE_READY  New State = IKE_I_MM1
00:34:54: ISAKMP (0:2): beginning Main Mode exchange
00:34:54: ISAKMP: Main Mode packet contents (flags 0, len 120):
00:34:54:           SA payload
00:34:54:             PROPOSAL
00:34:54:               TRANSFORM
00:34:54:           VENDOR payload
00:34:54:           VENDOR payload
00:34:54: ISAKMP (0:2): sending packet to 217.x.x.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:35:04: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...
00:35:04: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:35:04: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE
00:35:04: ISAKMP (0:2): sending packet to 217.x.x.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:35:14: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...
00:35:14: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:35:14: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE
00:35:14: ISAKMP (0:2): sending packet to 217.x.x.100 my_port 500 peer_port 500 (I) MM_NO_STATE
00:35:24: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 217.246.181.154, remote= 217.x.x.100,
    local_proxy= 172.20.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
...

But on the PIX I can see a hitcount of 0 on the outside interface for udp port 500 (access-list Internet permit udp any host Outside_IP eq isakmp).

Why can I ping the interface, but the ISAKMP doesn't seem to find it?
Any ideas?

The complete setup looks like:

172.20.1.x              172.20.1.1 / dynIP                           217.x.x.101           217.x.x.100 (+102/106)
    |                     |                                              |                      |
RemoteClient ---------- Router ---------- I N T E R N E T ---------- DSL-Router ---------- PIX-Firewall ---------- Corp-network (10.x.x.x)
                                                                                                |
                                                                                           192.168.x.x
maeb3

maeb3 (asker):

As in most cases where the problem seems unsolvable, it was a combination of several errors here.

I changed the outside interface address of the pix, I upgraded to version 6.3, we did some changes on the internet access router managed by the ISP, ... and some more things.

Thank you,
maeb3