Take the debugs (debug cry isakmp & debug cry ipsec) and check which side is initiating the teardown of the tunnel. You can configure syslog to capture the debugs. Once we have the debugs from the time of the issue, it will be easier to proceed further.
The motive of your customer is not very clear. If the motive is to hide the remote (RDP) addresses, then we can do it by NATting (static or dynamic). We can allow the NATted IP as interesting traffic over the VPN tunnel. Because if we are getting the...
The VPN peer IP and the interesting traffic ACLs can have the same IP, but just check if the Cisco box is able to peer with Linux. If not, then do take isakmp and ipsec debugs.
Remote EzVPN clients are able to connect to the headend ASA5520 but cannot communicate among themselves. Is that a correct understanding? Are all the EzVPN clients terminated on different outside physical interfaces of the ASA? If not then we will have to ...