New Member

Strange L2L VPN behaviour

Guys, I have an L2L VPN setup between an ASA and an 857 - the stripped-down config of the ASA is below:

access-list nonat extended permit ip <local-ip> <remote-ip>
access-list nonat extended permit ip <local-ip2> <remote-ip>
access-list outside_cryptomap_81 extended permit ip <local-ip> <remote-ip>
nat (inside) 0 access-list nonat
route outside <remote-ip> internode-gw 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto map outside_map1 81 match address outside_cryptomap_81
crypto map outside_map1 81 set peer <ip-addr>
crypto map outside_map1 81 set transform-set ESP-3DES-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group <ip-addr> type ipsec-l2l
tunnel-group <name> ipsec-attributes
 pre-shared-key *


I am able to ping hosts from both directions (on both local subnets) - but if I specify <local-ip2> in the crypto map ACL then I am no longer able to ping devices in that subnet from the remote site.

Any help would be appreciated


New Member

Re: Strange L2L VPN behaviour

857 config as below:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key address
crypto isakmp keepalive 30

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear

crypto map 2 ipsec-isakmp
 description Tunnel to
 set peer
 set transform-set ESP-3DES-SHA1
 match address IPSec_tunnel

ip nat inside source route-map RMAP_1 interface Dialer0 overload

ip access-list extended IPSec_tunnel
 remark Tunnel these addresses
 permit ip
 permit ip

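The redacted placeholders hide whether the 857's IPSec_tunnel ACL mirrors the ASA's outside_cryptomap_81 entries (source and destination swapped) and whether every crypto-map entry is covered by the nonat exemption, which are the first two things to verify when a second subnet is added to an L2L crypto ACL. The checker below is added example code, not from the thread: it parses both ACL styles and reports mismatches; the ACL names are the ones used in the two posts, and the subnets are constructed RFC 5737 ranges standing in for <local-ip>, <local-ip2> and <remote-ip>.

```python
"""Cross-check the ACLs of an ASA <-> IOS L2L tunnel: each crypto-ACL entry must be
mirrored (src/dst swapped) on the peer and, on the ASA, covered by the nonat ACL."""
import ipaddress, re
def _net(addr, mask, wildcard=False):  # 'addr netmask' (ASA) or 'addr wildcard' (IOS)
    if wildcard:  # IOS wildcard bits are the inverse of a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
def parse_asa_acl(config, name):
    """{(src, dst)} from 'access-list <name> extended permit ip S SM D DM' lines."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(_net(s, sm), _net(d, dm)) for s, sm, d, dm in pat.findall(config)}
def parse_ios_acl(config, name):
    """{(src, dst)} from the indented 'permit ip S SW D DW' lines of a named IOS ACL."""
    pairs, inside = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif inside and (m := re.match(r"\s+permit ip (\S+) (\S+) (\S+) (\S+)$", line)):
            pairs.add((_net(*m.group(1, 2), True), _net(*m.group(3, 4), True)))
        elif not line.startswith(" "):  # any unindented line ends the ACL block
            inside = False
    return pairs
def check_l2l(asa_crypto, asa_nonat, ios_crypto):
    findings = []  # an empty result means the three ACLs agree
    for src, dst in sorted(asa_crypto):
        if (dst, src) not in ios_crypto:
            findings.append(f"ASA crypto {src}->{dst} has no mirror on the IOS peer")
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in asa_nonat):
            findings.append(f"ASA crypto {src}->{dst} is not covered by nonat")
    for src, dst in sorted(ios_crypto):
        if (dst, src) not in asa_crypto:
            findings.append(f"IOS crypto {src}->{dst} has no mirror on the ASA")
    return findings

# Constructed sample: local-ip 192.0.2.0/25, local-ip2 192.0.2.128/25, remote 203.0.113.0/24;
# the single nonat line summarises both local subnets, the IOS ACL only mirrors the first.
ASA_CONFIG = """\
access-list nonat extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 192.0.2.0 255.255.255.128 203.0.113.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 192.0.2.128 255.255.255.128 203.0.113.0 255.255.255.0
"""
IOS_CONFIG = """\
ip access-list extended IPSec_tunnel
 remark Tunnel these addresses
 permit ip 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.127
"""

def run_check():
    return check_l2l(parse_asa_acl(ASA_CONFIG, "outside_cryptomap_81"),
                     parse_asa_acl(ASA_CONFIG, "nonat"), parse_ios_acl(IOS_CONFIG, "IPSec_tunnel"))
```

run_check() returns the findings for the constructed sample (one entry: the second local subnet has no mirror on the IOS side); with real devices, pass the running-config text and the ACL names instead.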
New Member

Re: Strange L2L VPN behaviour

Can anyone shed any light on this problem?