Problem was the SNMP management station was attempting to poll the outside interface of the remote peer (the PIX 501). This firewall had traffic from its outside interface to the network that the SNMP management station resides in specified as interesting traffic in the ACL that the crypto map specified.
On the VPN Concentrator side though, I had only specified the remote peer's local network in the "Configuration | Tunneling and Security | IPSec | LAN-to-LAN" connection section's Remote network.
I changed this to use a Network List I created to include both the remote local network and the remote peer's outside interface.
This sorted the problem straight away, as now the remote peer (PIX 501) was receiving encrypted traffic to its outside interface from the SNMP management station's local network, as it was expecting to, whereas before it was receiving unencrypted traffic, yet it was expecting to receive it encrypted.
Goes to prove that ACLs on each peer must match, else you get into all sorts of a muddle.
I will try out your solution in a test environment, and see if that works too.
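The mismatch described in the post above can be checked mechanically. This is an added example, not part of the original post: it parses PIX-style crypto ACL lines and compares them with the concentrator's local and remote network lists. All addresses, the ACL number and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: crypto ACL on the PIX side (source = PIX side, destination = far side).
PIX_CRYPTO_ACL = """\
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip host 203.0.113.2 10.1.1.0 255.255.255.0
"""

def parse_pix_acl(text):
    """Return the set of (source, destination) networks from 'permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            continue
        nets, i = [], 4
        while i < len(tok) and len(nets) < 2:
            if tok[i] == "host":            # host A.B.C.D  -> /32
                nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
                i += 2
            elif tok[i] == "any":           # any -> 0.0.0.0/0
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                i += 1
            else:                           # network followed by netmask
                nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"))
                i += 2
        if len(nets) == 2:
            pairs.add(tuple(nets))
    return pairs

def unmirrored(pix_pairs, conc_local, conc_remote):
    """Report traffic selectors that one peer defines and the other does not.

    Assumption: the concentrator protects every local x remote combination,
    and each must be the mirror image (source and destination swapped) of a
    PIX crypto ACL entry.
    """
    conc_pairs = {(ipaddress.ip_network(l), ipaddress.ip_network(r))
                  for l in conc_local for r in conc_remote}
    mirrored = {(dst, src) for src, dst in pix_pairs}
    return {"pix_only": mirrored - conc_pairs,
            "concentrator_only": conc_pairs - mirrored}

if __name__ == "__main__":
    acl = parse_pix_acl(PIX_CRYPTO_ACL)
    # Remote list holds only the remote LAN, then the LAN plus the outside interface.
    print(unmirrored(acl, ["10.1.1.0/24"], ["192.168.10.0/24"]))
    print(unmirrored(acl, ["10.1.1.0/24"], ["192.168.10.0/24", "203.0.113.2/32"]))
```

A non-empty `pix_only` set means the PIX expects that traffic to arrive encrypted while the concentrator sends it in the clear.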