Thanks guys, I actually got it working in the end (the crytp map on the 6.3 PIX was incorrect, syntax looked fine according to the docs I saw but the PDM said it was wrong, recreated it using the PDM and bob's a relative of yours).
The thing thats screwing me up now is restricting the VPN further than "extended permit IP".
What I'd like to setup is the VPN only accepting RDP traffic (TCP:3389) from the old firewall (internal:10.10.0.0/16) to the new firewall (internal:192.168.0.0/16 & DMZ:172.16.0.0/16).
At the moment with the following rules:
New Firewall:
access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
Old Firewall:
access-list outside_cryptomap_10 permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
These rules allow me to send any traffic I like between the two. However when I try and restrict this traffic to just RDP (i'd settle for bi-directional RDP atm) the firewalls complain that the sets don't match.
I've tried changing it so its source=TCP:>1024 and destination TCP:3389 on the old firewall, and putting the same rule in the new firewall with no joy, I've tried switiching around the orders of the various components with no luck either.
The only thing I can see is an error on the new firewall stating it doesn't have a crypt map for source 10.10.0.0 dest 192.168.0.0, but I can't add this to the firewall as the source network is on the wrong firewall interface.
I think I've missed something obvious here, I'll go look at the docs you guys have already posted in the meantime. hopefully someone can put me out of my misery here :)
