If you don't need to contact each of the machines behind each 501 from the central site, then just use EzVPN in client mode, it simplifies the configuration on both devices (especially the head end) significantly.
If you do need to contact each individual machine behind the 501's, you can use either a L2L or EzVPN in Network-Extension mode. Functionally there's really not much difference, but again the config on the head is significantly easier with EzVPN rather than a L2L tunnel
Each remote site is using a Cable Modem supplied by the ISP so the PIX is using DHCP to get it's outside IP address, in the docs it does say not to use Network-Extension mode if the IP is dynaimcally assigned, wlthough I can't see why.
I want to use some form of xauth for the remote 501's even if it's just a username entry on the head end. As I see it if a 501 is stolen from a remote site then connected elsewhere a VPN connectino will be established to our internal network without the need to supply a username and password. At least using a username entry on the head PIX I could just delete the specific entry for that remote site then the tunnel wouln't comeup.
If you're concerned about the fact that a remote site might succomb to light fingers, if you configure the central pix for ISKMP keys to authenticate the remotes, this might be a workaround for you because when you're told a pix has gone awol, you remove the relevant key.
I appreciate that the IP are dynamic at the remote, but they rarely change and if they do, you could quickly reconfigure the main pix to sort it out, probably after getting a call from a remote saying they can't log into the network.
apologies if I'm leading you up a blind alley here
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...