OK, so here it is.
I have a site-to-site solution I am trying to figure out.
I wanted to get the most thorough answer so I am using a fictitious public range below for accuracy.
Verizon DSL => ISP Modem => 1721 Router Eth0 w/Public IP Subnet (188.8.131.52-118/255.255 109.92.1 Gateway) => 1721 Router FA0 w/Private 172.16.100.1 Address => Pix 506E Outside 172.16.100.2 Address => Pix 506E Inside 192.168.100.1 Address => 2950 Internal LAN
Verizon DSL => ISP Modem => 1721 Router Eth0 w/Public IP Subnet (184.108.40.206-30/255.255 Gateway) => 1721 Router FA0 w/Private 172.16.101.1 Address => Pix 506E Outside 172.16.100.2 Address => Pix 506E Inside 192.168.101.1 Address => 2950 Internal LAN
I've created a NAT rule on both 1721s to point a public 220.127.116.11 and 18.104.22.168 respectively. These are static and point to the Pix outside IPs 172.16.100.2 and 172.16.101.2.
Now I create a VPN tunnel following Cisco's docs:
Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec
The tunnels never terminate. There are no errors, nothing.
Now this is currently in a lab with a cross-over between the 1721s, and I've got an 'ip route 0.0.0.0 0.0.0.0 Ethernet 0' rule. This allows me to bypass the production non-existent gateway addresses above, and makes the entire infrastructure able to communicate.
Is there something I am missing as far as NAT is concerned? Can I not establish a tunnel between two PIXes that aren't on the border? Shouldn't I be able to create a persistent site-to-site tunnel that allows devices with the following IPs, 192.168.100.0 255.255.255.0 and 192.168.101.0 255.255.255.0, to communicate seamlessly in this manner?
Given the above infrastructure, how would you config it?
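Below is an added example configuration for site A only (it is not from the original post or from the Cisco document the poster followed), showing how the 1721 static NAT and the PIX IPsec pieces fit together when the PIX outside interface sits behind NAT. It assumes PIX OS 6.3 or later (needed for the nat-traversal command), that the two /24 LANs are the only traffic to protect, and uses a placeholder pre-shared key; the site B PIX outside address is taken as 172.16.101.2 as stated in the NAT description.

```cisco
! ---- Site A 1721 (IOS): static 1:1 NAT for the PIX outside address ----
! Eth0 carries the public subnet, FA0 the private 172.16.100.0/24 link to the PIX.
interface Ethernet0
 ip nat outside
interface FastEthernet0
 ip nat inside
! Public 220.127.116.11 maps to the PIX outside interface 172.16.100.2.
ip nat inside source static 172.16.100.2 220.127.116.11

! ---- Site A PIX 506E (PIX OS 6.3 assumed) ----
! One ACL does double duty: it exempts LAN-to-LAN traffic from NAT (nat 0)
! and selects the same traffic for encryption in the crypto map.
! The site B PIX needs the mirror image (192.168.101.0 -> 192.168.100.0).
access-list VPN_A_TO_B permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list VPN_A_TO_B
! Decrypted IPsec traffic bypasses the outside interface ACL; if you want the
! outside ACL to filter tunnel traffic too, omit this and permit it explicitly.
sysopt connection permit-ipsec

! Phase 2 (IPsec) parameters.
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map SITE_VPN 10 ipsec-isakmp
crypto map SITE_VPN 10 match address VPN_A_TO_B
! The peer is site B's PUBLIC address (its 1721 static NAT), not the PIX's
! private 172.16.101.2, because that is the source address site A will see.
crypto map SITE_VPN 10 set peer 18.104.22.168
crypto map SITE_VPN 10 set transform-set ESP_3DES_SHA
crypto map SITE_VPN interface outside

! Phase 1 (IKE) parameters.
isakmp enable outside
! PLACEHOLDER_PSK is a placeholder; use a long random key, identical on both PIXes.
isakmp key PLACEHOLDER_PSK address 18.104.22.168 netmask 255.255.255.255
! Both PIX outside interfaces are behind NAT, so negotiate NAT-T (UDP/4500)
! rather than relying on raw ESP (IP protocol 50) surviving the 1721 translation.
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Site B is the same with the addresses swapped (peer and key address 220.127.116.11, static NAT 172.16.101.2 to 18.104.22.168). After bringing up traffic between the LANs, `show crypto isakmp sa` and `show crypto ipsec sa` on each PIX show whether phase 1 and phase 2 completed and whether NAT-T was detected.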