Right this really is starting to get annoying.....
Doing a test this morning with a 506e & a 501 there were no problems whatsoever; it just worked.
Changing the IPs to the co-location site's IP addresses I would have thought would have worked, but it doesn't.
Either I am doing something incredibly stupid or the engineer at the other end hasn't a clue.
I've had my Manager have a quick gander at the config I've bashed together, but he wasn't able to spot any obvious mistakes.
Anyhow
I now have:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list xxx permit ip "Local LAN" /24 "Access VPN pool" /24
access-list xxx permit ip "Local LAN" /24 "Co-Location" /24
.....
access-list yyy permit ip host "Server1" "Co-Location" /24
access-list yyy permit ip host "Server2" "Co-Location" /24
......
global (outside) 1 interface
nat (inside) 0 access-list xxx
......
route outside 0.0.0.0 0.0.0.0 "GW IP" 1
......
sysopt connection permit-ipsec
.....
crypto ipsec transform-set "company" esp-3des esp-md5-hmac
crypto ipsec transform-set "Co-Location" esp-3des esp-sha-hmac
.......
crypto dynamic-map "company" 10 set transform-set "company"
.......
crypto map "company" 20 ipsec-isakmp
crypto map "company" 20 match address "yyy"
crypto map "company" 20 set peer "Co-Location ASA IP"
crypto map "company" 20 set transform-set "Co-Location"
crypto map "company" 30 ipsec-isakmp dynamic "Company"
crypto map "company" client token authentication "RSA aaa-server alias"
crypto map "company" interface outside
........
isakmp enable outside
isakmp key "Secret" address "Co-Location ASA IP"
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
Policy 10 is for Access-VPNs
Policy 20 is for the S2S
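A check worth running on a config like the one above before blaming the far end is a simple cross-reference pass: every name a crypto map or NAT statement refers to (access list, transform set, dynamic map, ISAKMP peer) should be defined somewhere, with an exact match. The script below is an added example, not the poster's config or any Cisco tool; it parses a constructed excerpt modelled on the posted PIX 6.3 config (documentation addresses and a placeholder pre-shared key, not the poster's values) and reports dangling references and case-only mismatches. PIX treats these names as case-sensitive, so a "company"/"Company" difference between a dynamic-map definition and the crypto map line that references it is the kind of thing such a pass surfaces.

```python
"""Cross-reference checker for a PIX 6.3 style IPsec/crypto config (added example).

Flags references to undefined names and references that differ from a
definition only by letter case. The sample config is constructed for this
example; addresses are documentation ranges and the PSK is a placeholder.
"""

SAMPLE_CONFIG = """\
access-list xxx permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list xxx permit ip 10.10.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list yyy permit ip host 10.10.0.5 10.30.0.0 255.255.255.0
access-list yyy permit ip host 10.10.0.6 10.30.0.0 255.255.255.0
nat (inside) 0 access-list xxx
crypto ipsec transform-set company esp-3des esp-md5-hmac
crypto ipsec transform-set Co-Location esp-3des esp-sha-hmac
crypto dynamic-map company 10 set transform-set company
crypto map company 20 ipsec-isakmp
crypto map company 20 match address yyy
crypto map company 20 set peer 192.0.2.10
crypto map company 20 set transform-set Co-Location
crypto map company 30 ipsec-isakmp dynamic Company
crypto map company interface outside
isakmp key PLACEHOLDER-PSK address 192.0.2.10
"""


def _after(words, *keys):
    """Return the token that follows the keyword sequence `keys`, or None."""
    n = len(keys)
    for i in range(len(words) - n):
        if tuple(words[i:i + n]) == keys:
            return words[i + n]
    return None


def parse_config(text):
    """Collect defined names per object kind and every reference to such a name."""
    cfg = {"acls": set(), "transform_sets": set(), "dynamic_maps": set(),
           "isakmp_peers": set(), "refs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        # Definitions: access lists, transform sets, dynamic maps, ISAKMP peers.
        if w[0] == "access-list" and len(w) > 1:
            cfg["acls"].add(w[1])
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            cfg["transform_sets"].add(w[3])
            continue
        if w[:2] == ["crypto", "dynamic-map"] and len(w) > 2:
            cfg["dynamic_maps"].add(w[2])  # may also carry references below
        if w[:2] == ["isakmp", "key"]:
            peer = _after(w, "address")
            if peer:
                cfg["isakmp_peers"].add(peer)
            continue
        # References: nat 0 ACL, match address, set transform-set, dynamic, set peer.
        if w[0] == "nat":
            name = _after(w, "access-list")
            if name:
                cfg["refs"].append(("acls", name, line))
        for kind, keys in (("acls", ("match", "address")),
                           ("transform_sets", ("set", "transform-set")),
                           ("dynamic_maps", ("ipsec-isakmp", "dynamic")),
                           ("isakmp_peers", ("set", "peer"))):
            name = _after(w, *keys)
            if name:
                cfg["refs"].append((kind, name, line))
    return cfg


def lint(text):
    """Return a list of human-readable findings; an empty list means all names resolve."""
    cfg = parse_config(text)
    findings = []
    for kind, name, line in cfg["refs"]:
        defined = cfg[kind]
        if name in defined:
            continue
        label = kind[:-1].replace("_", " ")
        near = [d for d in defined if d.lower() == name.lower()]
        if near:
            findings.append(f"case mismatch: '{line}' refers to {name!r} "
                            f"but the {label} is defined as {near[0]!r}")
        else:
            findings.append(f"dangling reference: '{line}' refers to "
                            f"undefined {label} {name!r}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no dangling or mismatched names"]:
        print(finding)
```

Run it against your own `show run` output by passing the text to `lint()`; the sample as written produces exactly one finding, the dynamic-map case mismatch on the `crypto map ... 30` line. The peer check only confirms that a `set peer` address has a matching `isakmp key ... address` entry; it says nothing about whether the remote ASA's phase 1 policy and transform set actually agree with yours, which still has to be compared by hand against the other engineer's config.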