Cisco Support Community

ASA-To-ASA Dynamic-to-Static IPSEC Help

I have an ASA 5510 that has a static IP with a site-to-site IPSEC tunnel to an ASA 5505 with a static IP and that works great.

However, I now need to create another tunnel from the ASA 5510 to a different ASA 5505, but this 5505 has a dynamic IP.

I need specific steps on how I go about creating the tunnel to the ASA 5505 that has the dynamic IP without messing up my other tunnel. I know I need to create a Dynamic Crypto Map, but that is all I am sure of.

Please help.

It would be nice if I could do this through ASDM, but if not CLI will work just fine.


Re: ASA-To-ASA Dynamic-to-Static IPSEC Help

Refer to the following configuration example:

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp enable outside

access-list 100 extended permit ip source_ip dest_ip
nat (inside) 0 access-list 100

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
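
An added example, not part of the reply above: an ASA interface can have only one crypto map applied, so on a 5510 that already terminates a static tunnel the dynamic map is attached to the existing crypto map as a high-sequence entry instead of being applied as a new map. It also uses AES-256 and SHA in place of 3DES and MD5. `EXISTING_MAP`, `myset-aes`, policy number 30 and `<PRE_SHARED_KEY>` are placeholders assumed for illustration.

```cisco
! Added example for the static-IP ASA 5510, in the same command syntax as the reply.
! Assumptions: EXISTING_MAP stands for the crypto map already bound to "outside"
! (find its name with: show running-config crypto map); myset-aes, policy 30 and
! <PRE_SHARED_KEY> are placeholders.

! Phase 1 proposal; the dynamic-IP 5505 needs a matching policy.
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 3600

! Phase 2 proposal, referenced by the dynamic map.
crypto ipsec transform-set myset-aes esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set myset-aes

! Attach the dynamic map to the existing map as its last entry. Static peers keep
! their lower sequence numbers and are matched first.
crypto map EXISTING_MAP 65535 ipsec-isakmp dynamic cisco

! Peers with no tunnel-group named after their IP fall into DefaultL2LGroup,
! so the key for the dynamic peer is set here.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY>

! No second "crypto map ... interface outside" line: the interface keeps EXISTING_MAP.
! Verify after the 5505 initiates traffic:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

The tunnel can only be brought up from the 5505 side, since the 5510 has no peer address to initiate to.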