ASA 5505's will work fine for that, it is called an L2L (Lan-to-LAN) tunnel.
There are some key things you need to identify before you begin, is the ASA behind a device that is performing NAT? If so you will need to enable nat-traversal on the ASA (isakmp nat-traversal).
You will also need to identify the phase 1 and phase 2 crypto settings:
Phase 1 (ISAKMP)
Encryption type (AES, 3DES)
Hash (SHA, MD5)
Hellman Group (Typically group 2)
Lifetime (Default is 86400)
Authentication type (Probably pre-shared key)
Phase 2 (Probably IPSEC)
Are you going to use PFS (easiest to just disable it)
The IP address of the end device
Transform set to use (3DES/MD5, 3DES/SHA, AES/Md5 etc.)
Next you need to identify local traffic, remote traffic and traffic not to go through the tunnel (internet etc, IE Split tunnel).
Now we can start building the configuration. I would start with the Access-list:
Let's first permit the local network to talk to the remote network (local is 10.1.1.0/24, remote is 10.2.2.0/24 in this example):
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Now we need to specify that when we send traffic to that destination, we don't want to NAT the traffic (note, the ACL name is "nonat" this name should match whatever you already have configured in the line "nat (inside) 0 access-list nonat" if that is not already configured, you need to add it).
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
This will also define your split tunnel, as anything not defined in the access-lists will be NAT'd out your normal connection.
Next you need to configure your transform sets, this will define all of your transfrom sets, the lower case are the commands, the upper case lines are the "names" that you will reference in phase 2 configurations, you can copy and past this into your ASA, it wont hurt anything:
For phase 1 configuration, here are 2 examples, first one uses 3DES and Md5, the second uses AES and SHA, you can copy and paste those also, you can have as many ISAKMP policies as you would like, just as long as there is a match on both sides:
crypto isakmp policy 10
crypto isakmp policy 20
You also need to enable phase 1 on the outside interface:
crypto isakmp enable outside
and if you need to enable nat-t:
crypto isakmp nat-traversal
Now you need to config phase 2 (replace with the VPN concentrators IP address) also not this is using the 3DES / SHA transform set, replace that with anything you want to use from teh above list:
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Lastly you will need to setup a tunnel-group, use the EXACT same IP you put in your phase 2 public IP:
tunnel-group type ipsec-l2l
If you are doing an EzVPN connection, than this is going to be a bit different, but that is the L2L configuration for the ASA.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...