From memory, at least on PIX v6.x code, it can make a difference. The issue is if your crypto access-list subnets overlap. So:
access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn1 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn2 permit ip 172.16.0.0 255.255.255.0 192.168.5.0 255.255.255.0
I have seen this configuration not work correctly because 172.16.5.0 falls under 172.16.0.0, so on Site A the first line is matched, but the 2 peers are different, so the remote and local subnets do not match.
Like I say, I have never tested this on v7.x code, but if you suspect this may be causing a problem, always put the more specific subnets before less specific subnets.
Edit - apologies, but it has been a while since I saw this behaviour. It produces a specific error message, but due to time and old age :-) I can't remember the actual message. If you are having problems, please post the error message.
I asked you guys about this because I recently encountered a problem with Cat6500 SPA-IPSec service modules and we are now paying special attention to ACLs among other things. In this case I meant Cisco IOS, but as a general rule it is safer to keep more specific entries first.
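An added example, not part of the original posts: a small Python check that flags the ordering described above, where an earlier crypto ACL entry has a local subnet containing the more specific local subnet of a later entry in a different ACL. It assumes PIX-style `access-list <name> permit ip <src> <mask> <dst> <mask>` lines evaluated in the order listed; `find_shadowing` and the third sample line are constructed for illustration.

```python
import ipaddress
import re

# First two lines are taken from the post above; the third is constructed.
SAMPLE = """\
access-list vpn1 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list vpn2 permit ip 172.16.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn3 permit ip 172.16.9.0 255.255.255.0 192.168.5.128 255.255.255.128
"""

LINE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(config):
    """Return [(acl_name, src_net, dst_net)] in configuration order."""
    entries = []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other forms (host/any, remarks) are out of scope here
        name, src, smask, dst, dmask = m.groups()
        entries.append((
            name,
            ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
        ))
    return entries

def find_shadowing(config):
    """Flag a later, more specific local subnet covered by an earlier entry
    that belongs to a different ACL (assumed: a different peer)."""
    entries = parse(config)
    findings = []
    for i, (n1, s1, d1) in enumerate(entries):
        for n2, s2, d2 in entries[i + 1:]:
            if n1 != n2 and s2 != s1 and s2.subnet_of(s1):
                findings.append({
                    "earlier": n1, "later": n2,
                    "covering": str(s1), "specific": str(s2),
                    # True when the remote subnets overlap too, so the same
                    # flow is selected by both entries.
                    "dst_overlap": d1.overlaps(d2),
                })
    return findings

if __name__ == "__main__":
    for f in find_shadowing(SAMPLE):
        print(f)
```

Listing the more specific entries first, as both posts recommend, makes the check return no findings for the same three lines.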