We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 588 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


319 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hi Rene,

    I can't understand How ASA1 recognizes dynamically the peer IP address with the command

    ASA1(config)# tunnel-group DefaultL2LGroup ipsec-attributes


    ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
    ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes

    Could you please help me to describe how they are working ??


  2. Hi Zaman,

    On ASA2 you will find this line:

    ASA2(config)# crypto isakmp identity key-id ASA1_ASA2

    When ASA2 tries to connect to ASA1, it will use "ASA1_ASA2" to identify itself. This will help ASA1 to decide which tunnel group to pick:

    ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l

    ASA1 will accept connections from any IP address.


  3. Hi Mark,

    Configure the ASAs without the standby IP on the outside interface is no problem. The standby IP is used for management and to monitor the interface (by sending hello packets). If you do specify a standby IP on the inside interfaces then you can use that to access your standby ASA. When your primary ASA fails, it will be notified through the failover link and your standby ASA will take over.


  4. Hello Rene,

    Can this setup be applied to an ASA with a static then IKEV1 tunnels to dynamic Cisco 871 routers?


  5. Hi Jesse,

    That's no problem at all, just keep in mind that your routers will have to initiate the connection.


4 more replies! Ask a question or join the discussion by visiting our Community Forum