Contrary to both the Software client 4.x and the IOS Easy VPN client, the VPN 3002 suggests establishing *two* pairs of SAs to an Easy VPN server: Outside3002IP/32<->OutsideServerIP/32 and AddressFromPool/32<->CentralSiteLAN/xx. You can probably verify this in the debug output of your PIX -- look at "Proxy identities" or something like this (I haven't worked with PIX OS 7 yet). The first SA may be the source of your problem, as the server policy should allow establishing such an SA. I think that, if the VPN 3002 IP is assigned dynamically, the only way to work around this problem is to use any<->any Proxy IDs on the PIX for remote-access users (you've never seen a configuration of the IOS Easy VPN server with a crypto ACL applied to the dynamic crypto map, right?). The real question here is why this approach should break site-to-site tunnels on the PIX if it works on IOS routers?
Maintenance release 22.214.171.124 was posted last night. I downloaded it and gave it a try even though the release notes gave no indication of addressing an issue like this. I'm currently using an implicit any any dynamic crypto map until I can figure out why this issue is only being seen with the 3002 HW client. I took another look at the ASA debug and it does complain about not knowing about the proxy identity in the crypto map (why would this only be an issue with the 3002?).
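As an added illustration (not configuration from either poster), here is the PIX 7.x / ASA crypto map layout the workaround in the two posts above describes: the site-to-site entries keep explicit crypto ACLs, and the remote-access clients (software client, IOS Easy VPN client, VPN 3002) are handled by a dynamic entry with no match address, so it accepts any proposed proxy identity, including the Outside3002IP/32<->OutsideServerIP/32 pair. Map names, ACL names, addresses and the transform set are placeholders chosen for this example.

```cisco
! Added example, not the posters' configuration. Names and addresses are placeholders.

! Transform set shared by both tunnel types
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Site-to-site peer: explicit proxy identities via a crypto ACL, low sequence number
access-list L2L-PEER1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L-PEER1
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA

! Remote access: dynamic entry with no "match address", i.e. any<->any proxy IDs.
! It gets the highest sequence number so the static entries above are evaluated
! first and are not shadowed by the catch-all dynamic entry.
crypto dynamic-map RA-DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA-DYNMAP

crypto map OUTSIDE_MAP interface outside
```

The sequence numbers are the point to check: a dynamic entry without a crypto ACL matches any proxy identity, so if it sat at a lower sequence number than the static entries it would be consulted before them for the site-to-site peers as well. The proxy identities the 3002 actually proposes, and the "proxy identity not supported" complaint the second post mentions, can be confirmed on the PIX with `debug crypto isakmp` and `debug crypto ipsec` while the 3002 brings its tunnel up; the thread itself leaves open why the catch-all entry would disturb the static tunnels.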