  • Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene,

    I can’t understand how ASA1 dynamically recognizes the peer IP address with the command

    ASA1(config)# tunnel-group DefaultL2LGroup ipsec-attributes


    ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
    ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes

    Could you please describe how they work?


  2. Thanks for all the explanations, but I have a question: should my WAN link carry a public IP address, or should I assign any?

  3. Hello Rene,

    Can this setup be applied to an ASA with a static then IKEv1 tunnels to dynamic Cisco 871 routers?


  4. Hi John,

    For your access-lists, something like this should work:

    access-list ASA1_ASA2 extended permit ip any

    access-list ASA2_ASA1 extended permit ip any

    This allows all hosts in the subnet to go through the VPN tunnel to any destination (including the Internet). Don’t forget to configure NAT somewhere…like those routers.

    About adding that second peer, is there any overlap with your crypto map (or access-lists) that could cause this? Make sure each peer “lands” on the correct tunnel group.

