Agreed, it would definitely make more sense to get static IPs for these types of connections. The problem is that for some locations static is simply not offered. Not only that, but the freedom to be able to plug in a cheap firewall (that we already own) that establishes an IPSEC connection instantly supports our DR strategy and provides us with alot of flexibility.

I think I've nailed the issue down to how the astaro treats remote gateway ipsec connection requests. The pixes use dynamic crypto maps, while the Astaro uses the configuration of the remote gateway (set to "respond"). Therein somewhere lies the answer, but I need to find the elusive engineer that has actually made this happen successfully. I just find it hard to believe that this can be done easily with 7 year old technology, but not with the newer Astaro.

As always, any ideas would be greatly appreciated....and I'm upping the offer to send 3 pix 501s with 50 ip user licenses to whoever can figure this out (continental US only). (-: Can you tell I'm desperate???

Thanks much,

-billy