
Strange L2L VPN behaviour

dancarrick
Level 1

Guys, I have an L2L VPN set up between an ASA and an 857; the stripped-down config of the ASA is below:

! NAT exemption (identity NAT) for both local subnets toward the remote subnet
access-list nonat extended permit ip <local-ip> 255.255.255.0 <remote-ip> 255.255.255.0
access-list nonat extended permit ip <local-ip2> 255.255.255.0 <remote-ip> 255.255.255.0
! crypto ACL for the static L2L entry (mask is 255.255.0.0 here, 255.255.255.0 in nonat)
access-list outside_cryptomap_81 extended permit ip <local-ip> 255.255.0.0 <remote-ip> 255.255.255.0
nat (inside) 0 access-list nonat
route outside <remote-ip> 255.255.255.0 internode-gw 1
! phase 2 transform sets (only ESP-3DES-SHA is referenced by the L2L entry)
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
! static L2L crypto map entry 81, followed by the catch-all dynamic entry
crypto map outside_map1 81 match address outside_cryptomap_81
crypto map outside_map1 81 set peer <ip-addr>
crypto map outside_map1 81 set transform-set ESP-3DES-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside
! phase 1 (ISAKMP) settings
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
! L2L tunnel group keyed on the peer address
tunnel-group <ip-addr> type ipsec-l2l
tunnel-group <name> ipsec-attributes
pre-shared-key *
!

I am able to ping hosts in both directions (on both local subnets), but if I specify <local-ip2> in the crypto map ACL then I am no longer able to ping devices in that subnet from the remote site.

Any help would be appreciated

Dan

2 Replies

dancarrick
Level 1

857 config as below:

! phase 1 (ISAKMP) policy; the peer address and key were removed from the post
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key address
crypto isakmp keepalive 30
!
! phase 2 transform set, matching ESP-3DES-SHA on the ASA
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
! crypto map entry; the peer address was removed from the post
crypto map 2 ipsec-isakmp
 description Tunnel to
 set peer
 set transform-set ESP-3DES-SHA1
 match address IPSec_tunnel
!
! NAT overload on Dialer0; exemption of tunnel traffic depends on RMAP_1, which is not shown
ip nat inside source route-map RMAP_1 interface Dialer0 overload
!
! crypto ACL; the source and destination addresses were removed from the post
ip access-list extended IPSec_tunnel
 remark Tunnel these addresses
 permit ip 0.0.0.255 0.0.0.255
 permit ip 0.0.0.255 0.0.0.255

Can anyone shed any light on this problem?

Cheers
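A consistency check over the ACLs in both posts above, as an added example that is not part of the original thread. It parses the ASA `nonat` and `outside_cryptomap_81` entries and the 857's `IPSec_tunnel` ACL and reports the mismatches a practitioner would look for before chasing the symptom: crypto ACLs that are not exact mirror images of each other, crypto-ACL traffic not covered by the NAT exemption, an earlier broader entry shadowing a later one (ACLs are first-match), and an address with host bits set beyond its mask. The sample configs are constructed: the thread's `<local-ip>`, `<local-ip2>` and `<remote-ip>` placeholders are replaced by assumed RFC 1918 networks (10.10.1.0/24 and 10.10.2.0/24 behind the ASA, 10.20.0.0/24 behind the 857), and the 857 ACL is filled in as a mirror of two /24 entries, which the post does not show; the 255.255.0.0 mask on the first ASA crypto entry is taken from the posted config. The second ASA config in the block is the same config with that mask narrowed to /24, to show what a clean result looks like.

```python
"""Consistency check for the crypto and NAT-exemption ACLs of a Cisco L2L tunnel.

Added example, not code from the original thread. Both configs below are
constructed; addresses are assumptions standing in for the thread's placeholders.
"""
import ipaddress
import re

ASA_CONFIG = """\
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list nonat extended permit ip 10.10.2.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 10.10.1.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 10.10.2.0 255.255.255.0 10.20.0.0 255.255.255.0
"""

# Same ASA config with the first crypto entry narrowed to the /24 used in nonat.
ASA_CONFIG_FIXED = ASA_CONFIG.replace("10.10.1.0 255.255.0.0", "10.10.1.0 255.255.255.0")

# Assumed mirror of the ASA crypto ACL on the 857 (the post elides the addresses).
IOS_CONFIG = """\
ip access-list extended IPSec_tunnel
 remark Tunnel these addresses
 permit ip 10.20.0.0 0.0.0.255 10.10.1.0 0.0.0.255
 permit ip 10.20.0.0 0.0.0.255 10.10.2.0 0.0.0.255
"""

ASA_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
IOS_RE = re.compile(r"^\s+permit ip (\S+) (\S+) (\S+) (\S+)$")


def asa_network(addr, mask, warnings):
    """ASA ACLs use a normal netmask. Warn when the address has host bits set
    beyond the mask: '10.10.1.0 255.255.0.0' matches all of 10.10.0.0/16."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if ipaddress.IPv4Address(addr) != net.network_address:
        warnings.append(f"{addr} {mask}: host bits set, effective network is {net}")
    return net


def ios_network(addr, wildcard):
    """IOS ACLs use an inverted (wildcard) mask: 0.0.0.255 means /24."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa_acl(config, name):
    """Return ([(src, dst), ...] in ACL order, [warnings]) for one ASA extended ACL."""
    entries, warnings = [], []
    for line in config.splitlines():
        m = ASA_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((asa_network(m.group(2), m.group(3), warnings),
                            asa_network(m.group(4), m.group(5), warnings)))
    return entries, warnings


def parse_ios_acl(config, name):
    """Return [(src, dst), ...] in ACL order for one IOS named extended ACL."""
    entries, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command ends the ACL body
            inside = line.startswith("ip access-list extended ") and line.split()[-1:] == [name]
            continue
        m = IOS_RE.match(line) if inside else None
        if m:
            entries.append((ios_network(m.group(1), m.group(2)),
                            ios_network(m.group(3), m.group(4))))
    return entries


def check_tunnel(asa_crypto, asa_nonat, ios_crypto):
    """Return findings for one crypto-map entry; an empty list means consistent."""
    findings = []
    # 1. Crypto ACLs must be exact mirror images, otherwise the proxy identities
    #    one side proposes do not match the other side's selector.
    ios_mirrored = {(d, s) for s, d in ios_crypto}
    asa_set = set(asa_crypto)
    for s, d in asa_crypto:
        if (s, d) not in ios_mirrored:
            findings.append(f"no IOS mirror for ASA crypto entry {s} -> {d}")
    for s, d in ios_crypto:
        if (d, s) not in asa_set:
            findings.append(f"no ASA mirror for IOS crypto entry {s} -> {d}")
    # 2. Traffic selected for the tunnel must also be exempt from NAT.
    for s, d in asa_crypto:
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in asa_nonat):
            findings.append(f"ASA crypto entry {s} -> {d} not covered by NAT exemption")
    # 3. ACLs are first-match: a broader earlier entry shadows a later one.
    for i, (s, d) in enumerate(asa_crypto):
        for ps, pd in asa_crypto[:i]:
            if (s, d) != (ps, pd) and s.subnet_of(ps) and d.subnet_of(pd):
                findings.append(f"ASA crypto entry {s} -> {d} shadowed by {ps} -> {pd}")
    return findings


def audit(asa_config, ios_config):
    """Run all checks against the ACL names used in the thread."""
    crypto, warnings = parse_asa_acl(asa_config, "outside_cryptomap_81")
    nonat, _ = parse_asa_acl(asa_config, "nonat")
    ios = parse_ios_acl(ios_config, "IPSec_tunnel")
    return warnings + check_tunnel(crypto, nonat, ios)


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("fixed", ASA_CONFIG_FIXED)):
        print(f"[{label}]")
        for finding in audit(cfg, IOS_CONFIG) or ["ok"]:
            print("  " + finding)
```

Run as-is, the first pass reports the host-bits warning on the /16 entry, a missing mirror in each direction, a NAT-exemption gap for the /16, and the second crypto entry being shadowed by the first; the narrowed config reports nothing. On a real device the same selectors can be read off `show crypto ipsec sa` (ASA) and `show crypto ipsec sa` / `show crypto map` (IOS) to confirm which proxy identities actually negotiated.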
