How do I solve for a vendor/customer that insists I include the IPsec peer IP within the crypto ACL?
A NetScreen user has asked me to build a crypto ACL that includes the peer IP address. If I use a mask structure in the ACL to exclude the peer from the crypto domain, it works and I get good SAs. If the tunnel is initiated from the NetScreen, and my PIX 7 is the responder, then the SA range includes the peer IP address and returning traffic fails.
Any suggestions? Thanks in advance.
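For reference, here is what the "mask structure" carve-out described in the question looks like on a PIX 7 / ASA-style access list. This is an added example, not configuration from the original poster or from Cisco documentation; the addresses (local LAN 192.168.10.0/24, remote LAN 203.0.113.0/24, remote peer 203.0.113.1) and the ACL and crypto-map names are assumed for illustration. The single /24 proxy ID is replaced by the set of subnets that together cover every address in 203.0.113.0/24 except the peer host, so the encryption domain never contains the peer itself.

```cisco
! Constructed example: remote encryption domain 203.0.113.0/24 minus the peer 203.0.113.1
! Each line is the largest aligned block that does not contain .1; together they cover .0 and .2-.255
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.0 255.255.255.255
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.2 255.255.255.254
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.4 255.255.255.252
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.8 255.255.255.248
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.16 255.255.255.240
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.32 255.255.255.224
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.64 255.255.255.192
access-list VPN-TO-NETSCREEN extended permit ip 192.168.10.0 255.255.255.0 203.0.113.128 255.255.255.128
!
! Assumed crypto map binding (names and peer are placeholders)
crypto map OUTSIDE_MAP 10 match address VPN-TO-NETSCREEN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
```

Each ACE becomes its own proxy-ID pair, so this produces eight SA pairs instead of one; the check after bringing the tunnel up is that `show crypto ipsec sa` lists only these narrower selectors and none whose remote range includes 203.0.113.1. The carve-out only takes effect when the PIX proposes the selectors; when the remote side initiates with the full /24, the responder still has to decide whether to accept that wider proposal, which is the situation the question describes.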