The access-list on the crypto map that you should see should be as follows:
access-list permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
This assumes that you have an ASA firewall. If you are using a router, then the access-list would use a wildcard mask:
access-list permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
The remote end should have the mirror image access-list, so the remote end would say:
access-list permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
The ACL does not tell you which site can initiate the connection. Typically both sides can initiate the connection, unless one end has a dynamic public IP address as the VPN termination point on the outside interface; then only the dynamic end can initiate the tunnel.
If it's a static crypto map, instead of a dynamic crypto map, then typically both sides can initiate the tunnel. The crypto ACL needs to be a mirror image on both sides.
The crypto ACL does not seem correct. It looks like someone has configured it both ways, which is incorrect. It should only be in one direction, i.e. source: local LAN, and destination: remote LAN.
From your example, if 10.1.1.0/24 is the local LAN, and 10.2.2.0/24 is the remote LAN:
On the local ASA:
access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
On the remote ASA:
access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
A dynamic crypto map is used for VPN Client connections, and/or a VPN that has a dynamic IP address. Because the IP address changes for the VPN peer that has a dynamic IP, and for VPN Client we never know what IP address the VPN Client will be connecting from, a dynamic crypto map is used.
A static crypto map is used when the remote end has a static VPN peer IP address.
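Added example, not part of any reply in this thread: a small Python check of the mirror-image rule described above, which flags a crypto ACL that lists a pair of LANs in both directions and entries that have no mirror on the peer. The function names and the router ACL number 101 are assumptions made for illustration, and the parser only handles plain "permit ip" network entries.

```python
import ipaddress

def parse_entry(line, wildcard=False):
    """Parse 'access-list NAME [extended] permit ip SRC MASK DST MASK'.

    wildcard=False reads masks as subnet masks (ASA); True as wildcard masks (router).
    Returns (source_network, destination_network).
    """
    tok = [t for t in line.split() if t != "extended"]
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported crypto ACL entry: {line!r}")

    def net(addr, mask):
        if wildcard:  # invert 0.0.0.255 -> 255.255.255.0
            mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
        return ipaddress.IPv4Network(f"{addr}/{mask}")  # raises on host bits or a bad mask

    return net(tok[4], tok[5]), net(tok[6], tok[7])

def check_mirror(local_acl, remote_acl, local_wildcard=False, remote_wildcard=False):
    """Return a list of problems; an empty list means the ACLs mirror each other."""
    sides = {
        "local": {parse_entry(l, local_wildcard) for l in local_acl},
        "remote": {parse_entry(l, remote_wildcard) for l in remote_acl},
    }
    problems = []
    for name, other in (("local", "remote"), ("remote", "local")):
        for src, dst in sorted(sides[name]):
            # The same pair in both directions on one device is the misconfiguration
            # called out in the thread; report it once per pair.
            if (dst, src) in sides[name] and src < dst:
                problems.append(f"{name} ACL lists {src} and {dst} in both directions")
            if (dst, src) not in sides[other]:
                problems.append(f"{other} ACL has no mirror entry {dst} -> {src}")
    return problems

# Constructed sample entries: subnets and the name ABC are from the thread, 101 is made up.
LOCAL_ASA = ["access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"]
REMOTE_ASA = ["access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"]
REMOTE_ROUTER = ["access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]
BOTH_WAYS = LOCAL_ASA + REMOTE_ASA  # one device configured in both directions

if __name__ == "__main__":
    print(check_mirror(LOCAL_ASA, REMOTE_ASA) or "ASA <-> ASA: mirrored")
    print(check_mirror(LOCAL_ASA, REMOTE_ROUTER, remote_wildcard=True) or "ASA <-> router: mirrored")
    for problem in check_mirror(BOTH_WAYS, REMOTE_ASA):
        print("problem:", problem)
```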
Hi, thanks for the reply. So it means that it does matter which sites initiate the connection, even if I have a mail server which is 10.1.1.1 and client 10.2.2.0 is accessing it... Still, in that case it should be the same ACL as my local LAN and the destination should be the 10.2.x network... it will work? Suppose the mail server starts initiating, still it will work? Thanks again.