Existing and working configuration in ASA-5550 for static Lan-to-Lan IPSEC VPN Tunnel for branchoffice 1
--------------------------------------------------------------------------------------------------------
access-list outside_60_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.150.171.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.150.171.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer 195.178.13.2
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 195.178.13.2 type ipsec-l2l
tunnel-group 195.178.13.2 ipsec-attributes
 pre-shared-key cisco1234567890

Implemented New Dynamic configuration in ASA-5550 for branchoffice 2
--------------------------------------------------------------------
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto dynamic-map hwic-router 1 set transform-set router-set
crypto dynamic-map hwic-router 1 set reverse-route
crypto map dyn-map 10 ipsec-isakmp dynamic hwic-router
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123

branchoffice 2 IOS-Router-1841 configuration
--------------------------------------------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 65.190.88.5
crypto ipsec transform-set ASA-set esp-3des esp-md5-hmac
crypto map ASA 10 ipsec-isakmp
 set peer 65.190.88.5
 set transform-set ASA-set
 match address 101
interface Cellular0/1/0
 crypto map ASA
interface Dialer1
 crypto map ASA
ip route 0.0.0.0 0.0.0.0 Dialer1
! traffic to encrypt: branch LAN to head-office LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
! exempt the VPN traffic from NAT, translate everything else
access-list 110 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
route-map SDM_RMAP_1 permit 1
 match ip address 110
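
An added example, not part of the original post: a small offline consistency check over the branch office 2 configurations, comparing the router's crypto ACL with the ASA's NAT exemption, the IPsec transform sets on both sides, and whether the crypto map holding the dynamic entry is applied to an interface. The function names are hypothetical and the embedded excerpts are constructed from the lines shown above.

```python
import ipaddress
import re

# Constructed excerpts of the branch office 2 configs (ACL address written as 10.1.1.0).
ASA = """\
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set router-set esp-3des esp-md5-hmac
crypto dynamic-map hwic-router 1 set transform-set router-set
crypto map outside_map interface outside
crypto map dyn-map 10 ipsec-isakmp dynamic hwic-router
"""
IOS = """\
crypto ipsec transform-set ASA-set esp-3des esp-md5-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def net(addr, mask):
    """Network from an address plus a netmask (ASA) or a wildcard mask (IOS ACL)."""
    return ipaddress.ip_network(f"{addr}/{mask}")

def acl_pairs(cfg, name):
    """(source, destination) networks of every 'permit ip' entry in ACL `name`."""
    pat = rf"^access-list {re.escape(name)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$"
    return {(net(a, b), net(c, d)) for a, b, c, d in re.findall(pat, cfg, re.M)}

def transforms(cfg):
    """Set of transform tuples, one per 'crypto ipsec transform-set' line."""
    return {tuple(t.split()) for t in re.findall(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)}

def unbound_dynamic_maps(cfg):
    """Crypto maps that reference a dynamic map but are not applied to an interface."""
    holders = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$", cfg, re.M))
    bound = set(re.findall(r"^crypto map (\S+) interface \S+$", cfg, re.M))
    return sorted(holders - bound)

def check(asa, ios, asa_acl, ios_acl):
    """Return a list of human-readable findings; empty means the checks passed."""
    findings = []
    mirrored = {(dst, src) for src, dst in acl_pairs(ios, ios_acl)}
    if not mirrored <= acl_pairs(asa, asa_acl):
        findings.append("spoke crypto ACL is not mirrored on the hub")
    if not transforms(ios) & transforms(asa):
        findings.append("no common IPsec transform set")
    findings += [f"crypto map {m} is not applied to an interface" for m in unbound_dynamic_maps(asa)]
    return findings

if __name__ == "__main__":
    print(check(ASA, IOS, "inside_nat0_outbound", "101"))
```
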