Yes you create another instance using a next number in the same crypto map (you could use outside_map 2 or could use outside_map 10 or whatever next number you choose). In the new instance you specify a different peer and different ACL). I have done this numerous times and it works quite well.

HTH

Rick

this is my configuration on ASA

access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer A.B.C.E.

crypto map outside_map 1 set transform-set ESP-DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 set peer E.F.G.H.

crypto map outside_map 2 set transform-set ESP-DES-SHA

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group A.B.C.D. type ipsec-l2l

tunnel-group A.B.C.D. ipsec-attributes

pre-shared-key *

tunnel-group E.F.G.H. type ipsec-l2l

tunnel-group E.F.G.H. ipsec-attributes

pre-shared-key *

Configuration on Router

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key * address xxxx

crypto isakmp key * address E.F.G.H.

!

!

crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac

crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac

!

crypto map 111 ipsec-isakmp

set peer E.F.G.H

set transform-set AES_256_SHA

match address NET011

group 2
lifetime 28800

crypto isakmp key * address E.F.G.H.
!
!
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
!
crypto map 10 11 ipsec-isakmp
  set peer E.F.G.H set transform-set ASA-IPSEC
match address NET011

ip access-list extended NET011

permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255

I see a couple of details that should be corrected and there is perhaps a larger question to discuss.

In the ASA there is a line missing which should be like this

crypto map outside_map 2 match address outside_2_cryptomap

In the router access list you have

permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255

so in one line 192.168.1.0 is the destination and in the other line that same network is the source. Perhaps I do not understand your environment well enough, but it is hard for me to understand how in the same access list the same subnet is both source and destination. Perhaps we need more information about the topology of the networks and a better understanding of what you are trying to accomplish.

The larger question is that when I originally read your post I assumed that the ASA would have two tunnels and that each tunnel would terminate on a separate router. This scenario works fine. But it appears in the most recent post that perhaps both tunnels are terminating on the same router. This is a problem. I do not believe that it will work to have two tunnels from the ASA with both going to the same router.

I would think it was possible to put both kinds of traffic into a single tunnel. Or is there some reason that you need separate tunnels that I do not yet understand. Perhaps you can clarify this for us.

HTH

Rick

Thank you for the clarification. So the site to site tunnel between the ASA and router B is working ok? Now you are trying to get a tunnel working between ASA and router A? There are a few other things for which clarification would be helpful.

- what are the inside addresses of the ASA that will send traffic through the tunnel? And what are the inside addresses of router A that will send traffic through the tunnel? These go into the ACL that identifies traffic for the VPN tunnel.

- and for comparison perhaps you could post the  ACL used for the traffic to router B?

- can you verify that the key configured on the ASA matches the key configured on router A?

- in an earlier post the router seems to be using this transform set to communicate with the ASA

crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac

but I do not see anything like that in the ASA config.

So perhaps it would be helpful if you post a fresh copy of the config from the ASA and from router A.

HTH

Rick

Yes ,Now i want to connect router A with ASA. ineside address of the ASA are 10.11.0.0. / 16  and Router A 192.168.1.0 /24. Keys are matches.

On Router

crypto isakmp policy 2

encr aes 256

authentication pre-share

!

crypto isakmp policy 105

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key * address abcd

crypto isakmp key * address efgh

!

!

crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac

crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac

!

crypto map 105 11 ipsec-isakmp

set peer efgh

set transform-set ASA-IPSEC

match address NET011

ip access-list extended NET011

permit ip host 192.168.105.3 10.11.0.0 0.0.255.255

permit ip 192.168.105.0 0.0.0.16 10.11.0.0 0.0.255.255

access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 19

2.168.105.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 19

2.168.105.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 195.178.56.186

crypto map outside_map 1 set transform-set ESP-DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer abdc

crypto map outside_map 2 set transform-set ESP-DES-SHA

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer abcd

crypto map outside_map 1 set transform-set ESP-DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer efgh

crypto map outside_map 2 set transform-set ESP-DES-SHA

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.11.11.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.101-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group adcd type ipsec-l2l

tunnel-group abcd ipsec-attributes

pre-shared-key *

tunnel-group abcd type ipsec-l2l

tunnel-group abcd ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

crypto isakmp policy 2
encr aes 256
authentication pre-share
!
crypto isakmp policy 105
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key * address abcd

crypto isakmp key * address e.f.g.h.

crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac

crypto map 105 11 ipsec-isakmp
set peer e.f.g.h
set transform-set ASA-IPSEC
match address NET011

ip access-list extended NET011

permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255

On ASA

access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 192.168.1.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.b.c.d

crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer E.F.G.H.

crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer abcd

crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer efgh
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group A.B.c.d type ipsec-l2l
tunnel-group A.b.c.d. ipsec-attributes
pre-shared-key *
tunnel-group e.f.g.h type ipsec-l2l
tunnel-group e.f.g.h ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters   

Thanks for posting the output with the debug information. It shows that

Phase1 SA policy proposal not accepted

My original thought had been that there might be a mismatch in the pre-shared key. But you say that they match and the debug output seems to agree. So we need to look carefully at the phase 1 parameters.

One thing that I notice is that the access list on the router has an invalid mask

ip access-list extended NET011

permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255

I also notice that the access list on the ASA has two permit statements for /28s where the router is permitting 10.11/16

access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 192.168.1.0 255.255.255.0

Please re-write the access lists on both router and ASA so that they match each other. Then test again and let us know the results.

HTH

Rick

i re-write the ACL ,

ip access-list extended NET011

permit ip host 192.168.1.3 10.11.0.0 0.0.255.255

permit ip 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255

access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0

May 15 13:25:09.864: ISAKMP:(1117):deleting SA reason "Recevied fatal informat

nal" state (I) QM_IDLE       (peer )

May 15 13:25:09.864: ISAKMP:(1117):deleting SA reason "Recevied fatal informat

nal" state (I) QM_IDLE       ()

Routerc#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

adbc dddd MM_NO_STATE       1118 ACTIVE (deleted)

acdc  dddd   MM_NO_STATE       1117 ACTIVE (deleted)

aaaa  aaaa  QM_IDLE           1109 ACTIVE

May 15 13:25:09.864: ISAKMP:(1117):deleting SA reason "Recevied fatal informat
nal" state (I) QM_IDLE       (peer )
May 15 13:25:09.864: ISAKMP:(1117):deleting SA reason "Recevied fatal informat
nal" state (I) QM_IDLE       ()

crypto isakmp policy 105

encr 3des

authentication pre-share

group 2

lifetime 28800

!

crypto isakmp policy 106

group 2

lifetime 28800

crypto isakmp key *  address a.b.c.d

crypto isakmp key *  address e.f.g.h

Why in crypto isakmp policy 106 there ins't encryption des .

I repaet command

Router(config)#crypto isakmp policy 106

Router(config-isakmp)#encryption des

but still ther are no statement

The reason that the encryption des statement does not show up is that this is the default value for encryption and in show run the default values usually do not show up.

Perhaps I was not sufficiently clear when I talked about the access lists on the ASA and on the router. These access lists should be mirror images of each other - they each should permit the same kinds of traffic as the other but with source and destination reversed (and of course the different kind of mask used in IOS on router or in ASA).

What you have got at this point does not match between the devices.

ip access-list extended NET011

permit ip host 192.168.1.3 10.11.0.0 0.0.255.255

permit ip 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255

access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0

On the router access list you are permitting a specific host on one line and permitting 192.168.1.0 to a /16 network. The ASA does not have any permit for that host and the ASA is permitting 192.168.1.0 to two networks that are /24.

I am not in a position to say whether one is correct or the other because I do not know what policy is involved in deciding what traffic should pass over the VPN. But until both devices are using the same policy to select traffic it is likely that the VPN will not work.

HTH

Rick

On router LAN address is 192.168.1.0  and host with address 192.168.1.3 should pass over VPN.

On ASA LAN address is 10.11.0.0 and  host with address 10.11.11.0 and 10.11.14.0 should pass over VPN.

I put in ACL 192.168.1.0  to activate VPN

Part of what I have been trying to explain is that the access lists on both sides must allow the same things. So first, please tell me from the router side is the access specific for only host 192.168.1.3 or is the access for the whole network/subnet 192.168.1.0. Then please tell me whether the access is to all of 10.11.0.0/16 or is specific to10.11.11.0 and 10.11.14.0

So if you tell me that all of 192.168.1.0 needs to access all of 10.11.0.0/16 then I know how to configure the access list on the router which would be permit 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255.

And if that is permitted on the router side then the ASA must also permit that. So the ASA access list must be permit 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0

HTH

Rick