In order to configure a LAN-to-LAN tunnel between a Cisco IOS router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
Refer to this configuration example in order to configure the ASA:
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp enable outside
access-list 100 extended permit ip source_ip 255.255.255.0 dest_ip 255.255.255.0
nat (inside) 0 access-list 100
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
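A check a reviewer might run over the ASA commands above, added here as an example and not part of the original configuration guide: it flags the IKE and IPsec algorithms in this policy (3DES, MD5, Diffie-Hellman group 2) that are treated as legacy for new deployments. The `LEGACY` table and the `audit` function are assumptions of this example.

```python
import re

# Crypto-related ASA commands as shown on this page.
ASA_CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
"""

# Assumption of this example: values treated as legacy for new deployments.
LEGACY = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
    "transform": {"esp-des", "esp-3des", "esp-md5-hmac"},
}

POLICY_RE = re.compile(
    r"(?:crypto )?isakmp policy (\d+) (encryption|hash|group) (\S+)$")
TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")


def audit(config):
    """Return sorted (scope, setting, value) findings for legacy crypto."""
    findings = set()
    for line in config.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m and m.group(3) in LEGACY[m.group(2)]:
            findings.add((f"isakmp policy {m.group(1)}", m.group(2), m.group(3)))
        m = TRANSFORM_RE.match(line)
        if m:
            # A transform set lists one or more ESP/AH transforms.
            for transform in m.group(2).split():
                if transform in LEGACY["transform"]:
                    findings.add(
                        (f"transform-set {m.group(1)}", "transform", transform))
    return sorted(findings)


if __name__ == "__main__":
    for scope, setting, value in audit(ASA_CONFIG):
        print(f"{scope}: {setting} {value} is a legacy algorithm")
```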
The router is configured for a normal LAN-to-LAN tunnel, because the router knows the destination IP address for the VPN tunnel.
Refer to the Branch Router configuration example in IPsec: Router-to-PIX Security Appliance 7.x and Later or ASA Configuration Example in order to configure the router for VPN connectivity to a PIX/ASA firewall.
Note: In this configuration, only the router or the internal network of the router is able to access the tunnel, because it knows the destination IP address, but the ASA does not.
Refer to the configuration example in Configuring IPSec LAN-to-LAN tunnel between the Cisco Pix Firewall and a NetScreen Firewall in order to configure an IPSec LAN-to-LAN tunnel between a PIX/ASA and a NetScreen firewall.