04-29-2010 07:55 AM
I am setting up a site-to-site VPN with an ASA 5505 at one end and a PIX 501 at the other.
I followed the section titled Configuring LAN-to-LAN IPsec VPNs from the Command Line Configuration Guide and added these lines to the ASA config:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp enable outside
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
access-list l2l_list extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
pre-shared-key ****
crypto map CRYPTO_MAP 10 match address l2l_list
crypto map CRYPTO_MAP 10 set peer yyy.yyy.yyy.yyy
crypto map CRYPTO_MAP 10 set transform-set TRANSFORM_SET
crypto map CRYPTO_MAP interface outside
For the PIX I followed the example config in Richard Deal's book Cisco PIX Firewalls and added these lines to the PIX config:
access-list l2l_list permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list l2l_list
access-list IPSEC permit udp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx eq isakmp
access-list IPSEC permit ah host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
access-list IPSEC permit esp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
access-group IPSEC in interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash sha
isakmp key **** address xxx.xxx.xxx.xxx
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
crypto map GHA_CRYPTO_MAP 10 ipsec-isakmp
crypto map GHA_CRYPTO_MAP 10 set peer xxx.xxx.xxx.xxx
crypto map GHA_CRYPTO_MAP 10 match address l2l_list
crypto map GHA_CRYPTO_MAP 10 set transform-set TRANSFORM_SET
crypto map GHA_CRYPTO_MAP interface outside
I have not been able to establish a connection between the two devices. I just don't see what I am missing. Maybe it is not even possible with these two devices. The ASA is running version 7.2(4) and I believe the PIX is running version 6.3 (I will have to double check later).
Thanks for your help.
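As an added example that is not part of the original post, the script below cross-checks the relevant lines of the two configs above for the mismatches that commonly keep a LAN-to-LAN tunnel down: ISAKMP policy attributes, a common transform set, mirrored crypto ACLs, and whether ISAKMP is enabled on the outside interface of each box. The config excerpts are the poster's lines with the masked peers kept as posted; the interface name "outside" is taken from the post.

```python
import re

# Excerpts of the two configs posted above (peer addresses masked as in the post).
ASA_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp enable outside
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
access-list l2l_list extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
PIX_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash sha
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
access-list l2l_list permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
"""
def isakmp_policy(cfg, prio="10"):
    """{attribute: value} from the 'isakmp policy <prio> <attr> <value>' lines."""
    return dict(re.findall(rf"^isakmp policy {prio} (\S+) (\S+)$", cfg, re.M))
def transform_sets(cfg):
    """{name: frozenset(transforms)} for every 'crypto ipsec transform-set' line."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}
def crypto_acl(cfg, name):
    """Set of (src, src_mask, dst, dst_mask) from the 'permit ip' entries of ACL name."""
    pat = rf"^access-list {name} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$"
    return {m.groups() for m in re.finditer(pat, cfg, re.M)}
def check_l2l(asa_cfg, pix_cfg, acl="l2l_list", iface="outside"):
    """Return the mismatches that would keep this LAN-to-LAN tunnel down."""
    problems = []
    a_pol, p_pol = isakmp_policy(asa_cfg), isakmp_policy(pix_cfg)
    # Lifetime is negotiated down to the lower value, so only these four must match.
    for attr in ("authentication", "encryption", "hash", "group"):
        if a_pol.get(attr) != p_pol.get(attr):
            problems.append(f"isakmp {attr} mismatch: {a_pol.get(attr)} vs {p_pol.get(attr)}")
    if not set(transform_sets(asa_cfg).values()) & set(transform_sets(pix_cfg).values()):
        problems.append("no common IPsec transform set")
    # The crypto ACLs must be mirror images: ASA src->dst equals PIX dst->src.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl(pix_cfg, acl)}
    if crypto_acl(asa_cfg, acl) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    for side, cfg in (("ASA", asa_cfg), ("PIX", pix_cfg)):
        if not re.search(rf"^isakmp enable {iface}$", cfg, re.M):
            problems.append(f"{side}: 'isakmp enable {iface}' missing, IKE is not listening on {iface}")
    return problems
```

Run against the posted excerpts it reports only the missing `isakmp enable outside` on the PIX, which is the line that brought the tunnel up later in the thread.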
04-30-2010 10:09 AM
I don't think he needs dynamic-to-static because he has the peer explicitly defined; he'd just have to change it when the lease expires. Can both the crypto map and nonat call upon the same list? I'm wondering if that might be an issue.
04-30-2010 10:15 AM
I don't think you want to be changing the VPN peer configuration every time the lease expires ;-)
That's exactly the reason for being able to configure a static-to-dynamic VPN.
Both the crypto ACL and the nonat ACL can use the same list as long as you have a single tunnel.
When you have more than one tunnel, there have to be different ACLs.
Federico.
04-30-2010 10:38 AM
I agree, I'm just saying that there's no reason why it shouldn't work the way it is (even though it doesn't make the most sense). He can then also initiate traffic from both sides instead of just the dynamic. It would be nice if you could define peer using dynamic dns.
04-30-2010 11:51 AM
I've removed both of those lines from the ASA and still cannot access anything on the other side. I have talked to the ISP that the PIX is attached to and they say that incoming VPNs are not blocked. When I do the debug cry is 127 and debug cry ip 127, nothing shows up at all now when I ping the other network.
04-30-2010 03:52 PM
Since PIX is the dynamic site, you would need to ping from the PIX LAN towards the ASA LAN. If you try to ping from ASA towards the PIX, it will not initiate the VPN tunnel as you can only initiate the tunnel from the dynamic end towards the static end.
Based on the output of the first debug you posted, it's waiting for Phase 1 message 2, but that was when the ping was initiated from the ASA end instead of the PIX end. However, it's worth double checking whether UDP/500 is being blocked on the router in front of either your PIX or your ASA.
05-01-2010 05:24 AM
This is the output from the PIX when I try to ping the ASA.
PIX# sh cry isa sa
Total : 1
Embryonic : 1
dst src state pending created
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_NO_STATE 0 0
PIX# sh cry ip sa
interface: outside
Crypto map tag: CRYPTO_MAP, local addr. yyy,yyy,yyy,yyy
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.xxx:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 91, #recv errors 0
local crypto endpt.: yyy.yyy.yyy.yyy, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
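As an added example, not from the thread, a small parser that reads the two show outputs above and states where the tunnel is stuck. MM_NO_STATE with an embryonic SA and zero encaps is the "waiting for Phase 1 message 2" case described earlier; the other branches cover the later main-mode states and a one-way tunnel. The excerpts are the poster's output with addresses masked as posted.

```python
import re

# Excerpt of the PIX output posted above (addresses masked as in the post).
ISA_SA = """\
Total : 1
Embryonic : 1
dst src state pending created
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_NO_STATE 0 0
"""
IPSEC_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 91, #recv errors 0
current outbound spi: 0
"""
# Main-mode IKE states as displayed by PIX/ASA, in the order they are reached.
MM_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]

def parse_isakmp_sa(text):
    """Return (total, embryonic, [(dst, src, state), ...]) from 'show crypto isakmp sa'."""
    total = int(re.search(r"^Total\s*:\s*(\d+)", text, re.M).group(1))
    emb = int(re.search(r"^Embryonic\s*:\s*(\d+)", text, re.M).group(1))
    sas = re.findall(r"^(\S+)\s+(\S+)\s+(MM_\w+|QM_IDLE|AG_\w+)\s+\d+\s+\d+$", text, re.M)
    return total, emb, sas
def parse_ipsec_counters(text):
    """Return the counters that matter from 'show crypto ipsec sa'."""
    grab = lambda pat: int(re.search(pat, text, re.M).group(1))
    return {"encaps": grab(r"#pkts encaps:\s*(\d+)"),
            "decaps": grab(r"#pkts decaps:\s*(\d+)"),
            "send_errors": grab(r"#send errors\s*(\d+)"),
            "spi": int(re.search(r"current outbound spi:\s*(\w+)", text).group(1), 16)}
def diagnose(isa_text, ipsec_text):
    """Classify where the tunnel is stuck from the two show outputs."""
    _, emb, sas = parse_isakmp_sa(isa_text)
    c = parse_ipsec_counters(ipsec_text)
    if not sas:
        return "no IKE SA: nothing has triggered the tunnel (no interesting traffic yet)"
    state = sas[0][2]
    if state == "MM_NO_STATE" and emb:
        return ("phase 1 stuck at MM_NO_STATE: first main-mode message sent, no reply; check that "
                "isakmp is enabled on the outside interface at both ends and UDP/500 is not filtered")
    if state in MM_ORDER and state != "QM_IDLE":
        return f"phase 1 in progress at {state}: policy or pre-shared-key mismatch is likely"
    if state == "QM_IDLE" and c["spi"] == 0:
        return "phase 1 complete, phase 2 never established: check crypto ACL mirroring and transform sets"
    if c["encaps"] and not c["decaps"]:
        return "tunnel up but one-way: traffic leaves, nothing returns (remote routing or NAT exemption)"
    return "tunnel up and passing traffic"
```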
05-01-2010 05:30 AM
Did you try to ping from the PIX or from LAN behind the PIX?
If you tried to ping from the PIX, please try to ping as follows: ping inside 10.0.1.1
Also try to remove the static crypto map completely from the ASA as follows:
no crypto map CRYPTO_MAP 10 match address l2l_list
no crypto map CRYPTO_MAP 10 set transform-set TRANSFORM_SET
no crypto dynamic-map DYN_MAP 10 match address l2l_list
05-01-2010 06:31 AM
I've removed those three lines from the ASA and then tried pinging the ASA from the PIX, and these are the responses I get.
PIX# ping inside 10.0.1.1
10.0.1.1 NO response received -- 1000ms
10.0.1.1 NO response received -- 1000ms
10.0.1.1 NO response received -- 1000ms
PIX# ping outside 10.0.1.1
10.0.1.1 response received -- 10ms
10.0.1.1 response received -- 10ms
10.0.1.1 response received -- 10ms
05-01-2010 06:03 PM
Not too sure how you are getting a response when ping is initiated from the outside interface of the PIX.
After you tried to ping from the PIX, is the tunnel up? What is the status of "show crypto isa sa" and "show crypto ipsec sa"?
05-02-2010 06:20 AM
PIX# sh cry isa sa
Total : 1
Embryonic : 1
dst src state pending created
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_NO_STATE 0 0
PIX# sh cry ip sa
interface: outside
Crypto map tag: CRYPTO_MAP, local addr. yyy,yyy,yyy,yyy
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.xxx:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 91, #recv errors 0
local crypto endpt.: yyy.yyy.yyy.yyy, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
05-02-2010 06:39 AM
I added isakmp enable outside to both devices and now I can ping and browse the systems on the 10.0.1.0 network from the PIX side.
I still don't receive a response when I try to ping the ASA, which is 10.0.1.1, but when I ping the other address I get a response. I cannot browse the computers on the ASA side by name, but I can get to them by their IP addresses.
05-02-2010 06:21 PM
OK, great, now the VPN tunnel is up and running.
To ping the ASA inside interface, you would need to add "management-access inside" on the ASA.
If you can't browse the computer by name on the ASA side from the PIX side, you would need to configure either the ASA side DNS or WINS server on the PIX hosts so it can resolve the name.