Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help Config ASA 5505 to ASA 5510 Dynamic L2L VPN

I am having trouble getting my L2L VPN between two sites working.

Site 1 ASA 5510 - dynamic outside interface IP

Site 2 ASA 550 - static outside interface IP

When I do a static to static it works just fine but since the outside interface will change eventually I would like to set it up dynamically.

Here is what I am using on Site 2

     crypto dynamic-map mobile 1 set transform-set 3DES

Site 1 is using IOS 8.5 so I am using ikev1 config.

Can someone help me understand how to configure the dynamic mobile map for Static ASA to Dynamic ASA L2L


VIP Green

Help Config ASA 5505 to ASA 5510 Dynamic L2L VPN

What is the rest of your configuration?  Have a look at this example and compare it with yours.

access-list LIST extended permit ip

crypto ipsec ikev1 transform-set MYSET esp-3des esp-sha-hmac

crypto dynamic-map MAP 1 match address LIST

crypto dynamic-map MAP 1 set peer

crypto dynamic-map MAP 1 set ikev1 transform-set MYSET

crypto map MYMAP 1 ipsec-isakmp dynamic MAP

crypto map MYMAP interface outside

-- Please remember to rate and select a correct answer
New Member

Help Config ASA 5505 to ASA 5510 Dynamic L2L VPN

Ok, thanks below is the remainder. I was told that you have to use Easy VPN between ASA 5505 and 5510 in this scenario. Again, the scenario is this. I have a 5510 whose outside interface is connected to a Bell hot spot (temporary until circuit arives) using DHCP which changes a lot. I need to do L2L VPN to an ASA 5505 that is normal config, static outside public IP etc. Both have the same dynamic crypto config. I am not including NAT info as it works fine usin packet trace. Alos, from 5505 if I capture debug and get outside hot spot IP and setup a static L2L it works fine ... well, for a while until the IP changes. so Natting and L2L has been proven out.

ASA 5510

access-list 5505 extended permit ip 10.x.0.0 10.x.0.0

crypto dynamic-map mobile 1 set ikev1 transform-set 3DES

crypto ipsec ikev1 transform-set 3DES esp-3des esp-sha-hmac

crypto map vpn 1000 ipsec-isakmp dynamic mobile

Help Config ASA 5505 to ASA 5510 Dynamic L2L VPN

Hello Jim,

I actually wrote down a document on my website about it,

I think it would make it pretty clear for you:

Here it its


Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura