I have some IOS routers that have two interfaces connected to two different ISPs. One interface is a T1 and has a static IP. The other is ADSL, dynamic IP. The idea is that these routers use the T1 interface to connect to HQ via a static/permanent IOS-to-PIX tunnel. The other interface is used as a backup and will be brought up only if the T1 fails. In order to do this I set up the PIX as below.
My problem is that the IOS router comes in on a different IP, but the ACL that defines the subnet is still the same whether it connects via the static or the dynamic link. After many hours of troubleshooting, I found that because there is a matching subnet ACL in a static crypto map sequence, the dynamic tunnel will not work. I see the PIX trying to send packets on the static sequence even though the peer and transform do not match.
This seems like some bug. Is there a way around it? I am running 6.2.2 on the PIX.
Thanks,
Diego
crypto dynamic-map dynmap 1 set transform-set vpnset-backup
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 1.1.1.1
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 102
crypto map vpnmap 20 set peer 2.2.2.2
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap 100 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
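The following is an added illustration, not part of Diego's post and not PIX code. It models the crypto map selection behaviour the post describes: for outbound traffic the PIX walks the static entries of "vpnmap" in sequence-number order and uses the first one whose crypto ACL matches, and a dynamic entry (sequence 100) never initiates, it only templates SAs that a peer negotiates inbound. The subnets behind ACLs 101 and 102, the traffic addresses and the backup peer's dynamic address (203.0.113.7) are constructed assumptions; the peers 1.1.1.1 / 2.2.2.2 and transform-set names are taken from the config above.

```python
"""
Model of how a PIX chooses a crypto map entry for outbound traffic.

Added example (not from the original post). It encodes the behaviour
described there: static entries are tried lowest sequence first and the
first matching crypto ACL wins; a dynamic entry is skipped because it
cannot initiate. Subnets and the dynamic peer address are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of a crypto ACL."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass(frozen=True)
class CryptoMapEntry:
    """One 'crypto map vpnmap <seq>' block. Dynamic entries carry no ACL/peer."""
    seq: int
    transform_set: str
    peer: Optional[str] = None
    acl: Tuple[Ace, ...] = ()
    dynamic: bool = False


def select_entry(crypto_map: List[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Return the entry the PIX would use to protect src->dst, or None.

    Entries are evaluated lowest sequence number first. A dynamic entry is
    skipped: it only templates SAs a peer negotiates inbound, it never initiates.
    """
    s, d = ip_address(src), ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.dynamic:
            continue
        if any(ace.matches(s, d) for ace in entry.acl):
            return entry
    return None


def sa_usable(entry: CryptoMapEntry, sa_peer: str, sa_transform: str) -> bool:
    """Would an SA negotiated by sa_peer with sa_transform satisfy this entry?"""
    return entry.peer == sa_peer and entry.transform_set == sa_transform


# Constructed subnets behind the two static peers (assumption, not from the post).
ACL_101 = (Ace(ip_network("10.0.0.0/24"), ip_network("192.168.1.0/24")),)
ACL_102 = (Ace(ip_network("10.0.0.0/24"), ip_network("192.168.2.0/24")),)

# The post's vpnmap: two static entries, then the dynamic entry at sequence 100.
VPNMAP = [
    CryptoMapEntry(seq=10, transform_set="vpnset", peer="1.1.1.1", acl=ACL_101),
    CryptoMapEntry(seq=20, transform_set="vpnset", peer="2.2.2.2", acl=ACL_102),
    CryptoMapEntry(seq=100, transform_set="vpnset-backup", dynamic=True),
]


def backup_tunnel_outbound(crypto_map: List[CryptoMapEntry], dyn_peer: str,
                           dyn_transform: str, src: str, dst: str) -> Tuple[Optional[int], bool]:
    """Reproduce the failure in the post.

    The router behind 1.1.1.1 fails over to ADSL, builds a tunnel from dyn_peer
    through the dynamic entry, and HQ then sends a packet to the same subnet.
    Returns (sequence chosen for the outbound packet, whether the dynamic SA
    can carry it).
    """
    entry = select_entry(crypto_map, src, dst)
    if entry is None:
        return None, False
    return entry.seq, sa_usable(entry, dyn_peer, dyn_transform)


if __name__ == "__main__":
    # Constructed dynamic address of the ADSL side; 192.168.1.0/24 is ACL 101's subnet.
    seq, ok = backup_tunnel_outbound(VPNMAP, "203.0.113.7", "vpnset-backup",
                                     "10.0.0.5", "192.168.1.10")
    print(f"outbound packet matched sequence {seq}; dynamic SA usable: {ok}")
    # A subnet covered by no static ACL is only reachable once the peer initiates.
    print("no static match:", select_entry(VPNMAP, "10.0.0.5", "192.168.3.10"))
```

Run as-is it reports sequence 10 with the dynamic SA unusable: the packet to 192.168.1.0/24 is claimed by the static entry whose peer is 1.1.1.1 and transform set is vpnset, so the SA the router negotiated from its ADSL address with vpnset-backup is never consulted, which is the symptom the post describes.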