Relevant portion of the Pix 515e 6.3 VPN Config
...
static (inside,outside) 172.25.0.1 10.0.0.1 netmask 255.255.255.255
static (inside,outside) 172.25.0.2 10.0.0.2 netmask 255.255.255.255
crypto map MyMap 8 match address MyVPN-protect
crypto map MyMap 8 set peer 172.30.0.50
...
access-list MyVPN-protect permit ip host 172.25.0.1 172.30.0.0 255.255.255.0
access-list MyVPN-protect permit ip host 172.25.0.2 172.30.0.0 255.255.255.0
My question is whether or not it is necessary to add a line to the crypto acl:
access-list MyVPN-protect deny ip any host 172.30.0.50
since the crypto acl contains the remote gateway's IP. My initial assumption is that it would not be necessary, as the crypto acl specifies only two hosts as the src, but adding a deny seems to have cleared up a similar issue I have been having.
The above config (not including the deny) was not showing any packets between the gateway peers (debug packet ...) until I added the deny, and it then immediately started working.
In short, if anyone could confirm the behavior of the Pix when the remote gateway IP is included in the crypto acl, I would appreciate it.
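The question above turns on a fact that is easy to miss when reading a config by eye: whether the destination range in the crypto ACL happens to contain the peer's own address, and, if a deny for the peer has been added, whether it sits early enough in the ACL to take effect under first-match evaluation. The following script is an added example, not part of the original post and not Cisco code; it parses the PIX 6.3 style lines shown (static, crypto map, access-list with `host`, `any`, or network plus a real netmask) and reports, per crypto map entry, which permit ACEs cover the peer and whether an earlier deny already excludes it. The sample config is constructed from the post's fragment; the second sample with the deny line inserted is an assumption about where one would place it. The script does not decide whether the PIX needs the deny; it only makes the overlap visible.

```python
import ipaddress
import re

# Constructed sample, modelled on the PIX 6.3 fragment in the post
SAMPLE_CONFIG = """\
static (inside,outside) 172.25.0.1 10.0.0.1 netmask 255.255.255.255
static (inside,outside) 172.25.0.2 10.0.0.2 netmask 255.255.255.255
crypto map MyMap 8 match address MyVPN-protect
crypto map MyMap 8 set peer 172.30.0.50
access-list MyVPN-protect permit ip host 172.25.0.1 172.30.0.0 255.255.255.0
access-list MyVPN-protect permit ip host 172.25.0.2 172.30.0.0 255.255.255.0
"""

# Same config with the deny from the post placed ahead of the permits (assumed placement)
SAMPLE_CONFIG_WITH_DENY = SAMPLE_CONFIG.replace(
    "access-list MyVPN-protect permit ip host 172.25.0.1",
    "access-list MyVPN-protect deny ip any host 172.30.0.50\n"
    "access-list MyVPN-protect permit ip host 172.25.0.1", 1)


def _addr(tokens):
    """Pop one PIX address spec (host X | any | net mask) and return an ip_network."""
    t = tokens.pop(0)
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)  # PIX ACLs use real netmasks, not IOS wildcard masks
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, raw_line), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue  # skips remarks, statics, elided "..." lines
        name, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        src = _addr(rest)
        dst = _addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst, line.strip()))
    return acls


def parse_crypto_maps(config):
    """Return {(map_name, seq): {"acl": name, "peer": ip_address}} from crypto map lines."""
    maps = {}
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m:
            maps.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line)
        if m:
            maps.setdefault((m[1], int(m[2])), {})["peer"] = ipaddress.ip_address(m[3])
    return maps


def peer_coverage(config):
    """For each crypto map entry with both an ACL and a peer, list the permit ACEs whose
    destination contains the peer address, and whether a deny covering the peer (with a
    source at least as wide as the permit's) precedes it, which under first-match
    evaluation is what would actually exclude that flow."""
    acls = parse_acls(config)
    report = []
    for (name, seq), entry in sorted(parse_crypto_maps(config).items()):
        if "acl" not in entry or "peer" not in entry:
            continue
        peer = entry["peer"]
        denies_before, covering = [], []
        for action, proto, src, dst, raw in acls.get(entry["acl"], []):
            if peer not in dst:
                continue
            if action == "deny":
                denies_before.append(src)
            else:
                shadowed = any(src.subnet_of(d) for d in denies_before)
                covering.append({"ace": raw, "peer_excluded_by_earlier_deny": shadowed})
        report.append({"map": name, "seq": seq, "acl": entry["acl"],
                       "peer": str(peer), "covering": covering})
    return report


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with deny", SAMPLE_CONFIG_WITH_DENY)):
        for r in peer_coverage(cfg):
            print(f"[{label}] {r['map']} {r['seq']} acl={r['acl']} peer={r['peer']}")
            for c in r["covering"]:
                print("   ", c["ace"], "| excluded by earlier deny:", c["peer_excluded_by_earlier_deny"])
```

Run against the posted fragment it reports both permit ACEs as covering 172.30.0.50 with no earlier deny; with the deny placed first, both are flagged as excluded. A deny appended after the permits would not change the result, which is the ordering detail worth checking before concluding that the deny itself is what fixed the tunnel.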