Cisco Support Community
Community Member

Dynamic L2L between ASA 5505


We're realizing a project with 5x ASA 5505 Base License and one 5512-X in a computing center. The 5 branches shall work as dynamic sites, because they are all running on dynamic internet connections. I read that on the main site (ASA 5512-X) access from dynamic IPs must be permitted, so that an IKE exchange and the IPsec tunnel can be established.

We are all new to Cisco ASA devices. I read a lot in "Cisco ASA configuration" written by Richard A. Deal and "Cisco ASA: All-in-one firewall.." written by Frahim & Santos. Everywhere only static L2L tunnels are discussed, but dyn. L2L scripts are missing.

I've done all the config with ASDM, but have read many CLI configurations also.

I got different failures in ASDM syslog, depending on which mode I choose.

I paste the conf. of both ASA 5505 (for test-tunnel). Later 5505 and 5512-X will be connected.

One comes with dynamic cryptomap and the other with static.

I will be grateful if someone could figure out what the problem is.



Config is attached.

Super Bronze

Dynamic L2L between ASA 5505


Here is one good document giving example of a configuration where you have a central site with Static public IP address and all the remote sites have Dynamic IP address from which they connect.

- Jouni

Community Member

Re: Dynamic L2L between ASA 5505

Hi JouniForss,

Thanks for your early reply.

I already know this tutorial. I've tried it one time, but it didn't work out. Maybe I made a mistake. I'll try it again.

When I configure dynamic tunnels, ASDM / CLI output says something like "dynamic l2l tunnels will fail if no cert. will be used and/or aggressive mode is not used on peer". Sorry, I don't have the message with me at the moment.

1) Which mode do I have to use for tunnel build-up process? AM or MM? Do I really need to use AM?

Furthermore, I'd rather use IKEv2, because the tunnel build-up process should be less fault-prone than with IKEv1.

2) Is it the same procedure as IKEv1 or do I have to consider some special points?

3) What about naming the tunnel-profiles / tunnel-groups? Is it necessary to match the tunnel-profile name? Does it have a consequence when writing the connection name in addition to the peer IP in the connection profile on the dynamic site?

Community Member

Re: Dynamic L2L between ASA 5505

Anyone else who can answer these few questions for me?
