Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA5550 Crypto isakmp key ********** address

Migrating from 7206VXR to ASA5550.

The following crypto statement works on the VXR router but is not accepted by the ASA. It allows me to enter just but then says I can only setup L2L in aggresive mode. Any thoughts on how to allow any address to create a L2L tunnel?

crypto isakmp key **** address


Re: ASA5550 Crypto isakmp key ********** address

If Im not mistaken crypto isakmp key **** address is to allow IOS router to accept dynamic IPsec peer connections in a L2L scenario.

To achive this in ASA you will need to configure Dynamic to static IPsec L2L tunnels between your ASA5550 that has static public IP on outside interface and your peers that are dynamic non-static assigments.

have a look here

L2L between Static ASA/PIX and router Dynamic IP

L2L PIX-to-PIX Static and Dynamic



Re: ASA5550 Crypto isakmp key ********** address

AFAIR, the ASA will give you an warning message. But if you look at 'show run tunnel-group' you will see this key.

In the ASA 7.x code, the old crypto isakmp key is no longer used. Instead keys are entered under the tunnel group >> ipsec attributes.



Community Member

Re: ASA5550 Crypto isakmp key ********** address

Thanks Farrukh,

I ended up using a DMVPN config with the tunnel group statements as you mentioned. It worked like a charm however it only works in aggressive mode which ends up failing our PCI compliance. So it looks like I will have to just write up a compensating controls document to account for it. I appreciate the feedback I received.

CreatePlease to create content