I am facing quite an interesting problem between a PIX 515 and an ASA 5510.
The PIX is in the HQ and has multiple dynamic VPN connections (around 130) and IPsec remote-access VPN working just fine. I needed to add one static PIX-to-ASA L2L VPN and it is not working as it should. The ASA 5510, at the remote end, connects and stays up for a short time; however, all other VPN connections stop working.
The most interesting thing is that the ASA is associated with the dynamic map and not the static map which I created (checked with sh crypto ipsec sa peer x.x.x.x). However, if I make any change to the ACL "ACL-Remote", it affects the tunnel between the PIX and the ASA.
Has anyone seen anything like this?
Here is more detailed info:
PIX 515 - IOS 8.0(3) - HQ
ASA 5510 - IOS 7.2(3) - Remote Supplier
Several Huawei and Cisco routers dynamically connected through ADSL
Several IPsec remote access users
One static site-to-site VPN between PIX and ASA - not working.
Here is the config at the PIX:
crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
!
! dynamic map: no match address, accepts any peer (ADSL routers, remote-access users)
crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto dynamic-map Dyn-VPN 100 set reverse-route
!
! static L2L entry for the ASA, seq 30, proxy identities taken from ACL-Remote
crypto map VPN-Map 30 match address ACL-Remote
crypto map VPN-Map 30 set peer 20X.XX.XX.XX
crypto map VPN-Map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
!
! dynamic entry carries the highest sequence number so the static entry is tried first
crypto map VPN-Map 100 ipsec-isakmp dynamic Dyn-VPN
crypto map VPN-Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
crypto isakmp policy 65535
!
! crypto ACL for the static entry: HQ 10.0.0.0/24 to supplier 192.168.1.0/24
access-list ACL-Remote ext permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
The problem is that the ASA has a crypto ACL defined from host to network, whereas the remote end has network to network.
Make sure the ACLs are mirrored.
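The following is an added illustration of the answer, not code or output from the thread. It models how the PIX picks a crypto map entry for the identities the ASA proposes in IKE quick mode: static entries are tried in sequence order and the dynamic entry last. Two things are assumptions made for the example: the matching rule (a static entry requires one ACE to match the proposed local/remote identities exactly, which is what "mirrored" guarantees, while a dynamic entry with no match address accepts any identities), and the constructed ASA-side host address 192.168.1.10 and ACL name ACL-HQ. With the host-to-network ACL the proposal misses static entry 30 and lands on dynamic entry 100, which is the symptom reported in the question; with the mirrored ACL it matches entry 30.

```python
"""Model of PIX/ASA crypto map selection for an IKEv1 quick-mode proposal.
Added example, not from the thread; the exact-match rule and the ASA host
address 192.168.1.10 are assumptions used for illustration."""
from dataclasses import dataclass, field
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    # crypto ACL as (local, remote) permit entries in CIDR form
    acl: list = field(default_factory=list)
    dynamic: bool = False

    def accepts(self, local_proxy, remote_proxy):
        """Assumed rule: a dynamic entry without 'match address' accepts any
        identities; otherwise one ACE must match the proposal exactly."""
        if self.dynamic and not self.acl:
            return True
        return any(net(l) == local_proxy and net(r) == remote_proxy
                   for l, r in self.acl)


def select_crypto_map_entry(crypto_map, local_proxy, remote_proxy):
    """First entry (lowest seq) whose ACL matches.  Cisco requires the dynamic
    entry to carry the highest seq so static entries are evaluated first."""
    local_proxy, remote_proxy = net(local_proxy), net(remote_proxy)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.accepts(local_proxy, remote_proxy):
            return entry
    return None


def mirror(acl):
    """The crypto ACL the far end must carry: every ACE with src/dst swapped."""
    return [(r, l) for l, r in acl]


def is_mirrored(acl_a, acl_b):
    """True when the two crypto ACLs are exact mirror images of each other."""
    return ({(net(l), net(r)) for l, r in acl_a}
            == {(net(r), net(l)) for l, r in acl_b})


def ace(acl_name, local, remote):
    """Render one ACE in ASA 'access-list ... extended permit ip' syntax."""
    def part(n):
        n = net(n)
        if n.prefixlen == n.max_prefixlen:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.netmask}"
    return f"access-list {acl_name} extended permit ip {part(local)} {part(remote)}"


# PIX side as posted: static entry 30 using ACL-Remote, dynamic entry 100 (Dyn-VPN)
PIX_ACL_REMOTE = [("10.0.0.0/24", "192.168.1.0/24")]
PIX_CRYPTO_MAP = [
    CryptoMapEntry("VPN-Map", 30, acl=PIX_ACL_REMOTE),
    CryptoMapEntry("VPN-Map", 100, dynamic=True),
]


def pix_view(asa_acl_entry):
    """Identities as the PIX responder sees them: its local is the ASA's remote."""
    asa_local, asa_remote = asa_acl_entry
    return asa_remote, asa_local


# constructed: ASA crypto ACL written host-to-network, as described in the answer
ASA_ACL_BROKEN = [("192.168.1.10/32", "10.0.0.0/24")]
# corrected: the mirror image of the PIX ACL, network-to-network
ASA_ACL_FIXED = mirror(PIX_ACL_REMOTE)


def which_entry(asa_acl):
    """Crypto map entry the PIX selects for the ASA's first ACE."""
    return select_crypto_map_entry(PIX_CRYPTO_MAP, *pix_view(asa_acl[0]))


if __name__ == "__main__":
    for label, acl in (("host-to-network", ASA_ACL_BROKEN), ("mirrored", ASA_ACL_FIXED)):
        e = which_entry(acl)
        kind = "dynamic" if e.dynamic else "static"
        print(f"{label}: PIX matches {e.name} seq {e.seq} ({kind}), "
              f"mirrored={is_mirrored(PIX_ACL_REMOTE, acl)}")
        print("  ASA ACE:", ace("ACL-HQ", *acl[0]))
```

Running it prints the entry each ASA ACL lands on and the ASA-side ACE that would mirror ACL-Remote; `is_mirrored` is the check to run before bringing up a new L2L entry alongside a dynamic map, because anything that misses the static ACL silently falls through to the dynamic entry instead of failing.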