Strange L2L VPN behaviour

Unanswered Question
Apr 23rd, 2009
User Badges:

Guys, I have a L2L VPN setup between an ASA and a 857 - the stripped down config of the ASA is below:

access-list nonat extended permit ip <local-ip> <remote-ip>

access-list nonat extended permit ip <local-ip2> <remote-ip>

access-list outside_cryptomap_81 extended permit ip <local-ip> <remote-ip>

nat (inside) 0 access-list nonat

route outside <remote-ip> internode-gw 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES esp-3des esp-none

crypto map outside_map1 81 match address outside_cryptomap_81

crypto map outside_map1 81 set peer <ip-addr>

crypto map outside_map1 81 set transform-set ESP-3DES-SHA

crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map1 interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

tunnel-group <ip-addr> type ipsec-l2l

tunnel-group <name> ipsec-attributes

pre-shared-key *


I am able to ping hosts from both directions (on both local subnets) - but if I specify <local-ip2> in the cryptomap acl then I am no longer able to ping devices in that subnet from the remote site.

Any help would be appreciated


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dancarrick Thu, 04/23/2009 - 23:08
User Badges:

857 config as below:

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp key address

crypto isakmp keepalive 30



crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec df-bit clear


crypto map 2 ipsec-isakmp

description Tunnel to

set peer

set transform-set ESP-3DES-SHA1

match address IPSec_tunnel


ip nat inside source route-map RMAP_1 interface Dialer0 overload


ip access-list extended IPSec_tunnel

remark Tunnel these addresses

permit ip

permit ip


This Discussion