Could you please create a separate match address ACL on the ASA and PIX to apply to the crypto map (without the unnecessary addresses and permit esp any any) and let me know how it goes? And also Could you please remove the crypto maps and isakmps from the outside interfaces, remove the "permit esp any any" lines from the match address ACLs, and reapply the crypto maps and isakmps.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...