Showing results for 
Search instead for 
Did you mean: 

Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

Level 1
Level 1

Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.

I've tried create configuration with and without ASA wizard, but anyway it doesn't work.

Please help me to find where is the issue.

I have two sites and would like to get access from to --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) ---

Here is my current configuration.

Thanks for your help.

IOS Configuration

version 15.2



crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

crypto isakmp key cisco address

crypto isakmp invalid-spi-recovery



crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac

mode transport



crypto map static-map 1 ipsec-isakmp

set peer S2.S2.S2.S2

set transform-set AES-SET

set pfs group2

match address 100



interface GigabitEthernet0/0

ip address S1.S1.S1.S1

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map static-map


interface GigabitEthernet0/1

ip address

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto


access-list 100 permit ip


ASA Configuration

ASA Version 8.4(3)




interface Ethernet0/0

switchport access vlan 2




interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address S2.S2.S2.S2


ftp mode passive

same-security-traffic permit intra-interface

object network inside-network


object network datacenter

host S1.S1.S1.S1

object network datacenter-network


object network NETWORK_OBJ_192.168.83.0_24


access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended deny ip any any log

access-list outside_cryptomap extended permit ip object datacenter-network

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn_pool mask

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic inside-network interface

nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup

nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup

access-group outside_access_in in interface outside

route outside DEFAULT_GATEWAY 1


crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set vpn-transform-set mode transport

crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set L2L_SET mode transport

crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set

crypto map vpn 1 match address outside_cryptomap

crypto map vpn 1 set pfs

crypto map vpn 1 set peer S1.S1.S1.S1

crypto map vpn 1 set ikev1 transform-set L2L_SET

crypto map vpn 20 ipsec-isakmp dynamic dyno

crypto map vpn interface outside

crypto isakmp nat-traversal 3600

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400


group-policy GroupPolicy_S1.S1.S1.S1 internal

group-policy GroupPolicy_S1.S1.S1.S1 attributes

vpn-tunnel-protocol ikev1

group-policy remote_vpn_policy internal

group-policy remote_vpn_policy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted

username admin password rqiFSVJFung3fvFZ encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool vpn_pool

default-group-policy remote_vpn_policy

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group S1.S1.S1.S1 type ipsec-l2l

tunnel-group S1.S1.S1.S1 general-attributes

default-group-policy GroupPolicy_S1.S1.S1.S1

tunnel-group S1.S1.S1.S1 ipsec-attributes

ikev1 pre-shared-key *****


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp


service-policy global_policy global

prompt hostname context

no call-home reporting anonymous


: end

3 Replies 3

there are two things:

1) the transform-set has to be tunnel-mode, so you can remove the "transport" commands.

2) You don't show the NAT-config of the router. Do you have NAT-exemption in place for the VPN-traffic?

Please send the router-output of "show crypto session detail" after sending some traffic through the tunnel.

Thanks for helping me again. I really appreciate.

I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.

Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?

Because on Cisco ASA I guess I have everything.

Here is show crypto session detail

router(config)#do show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/0

Session status: DOWN

Peer: port 500 fvrf: (none) ivrf: (none)

      Desc: (none)

      Phase1_id: (none)

  IPSEC FLOW: permit ip

        Active SAs: 0, origin: crypto map

        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0

        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Should I see something in crypto isakmp sa?

pp-border#sh crypto isakmp sa


dst             src             state          conn-id status


Thanks again for your help.

Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?

If you didn't configure that, the VPN-traffic is NATed with your general internet-policy and the crypto-map doesn't see VPN-the traffic any more.

Make sure to have a deny-statement at the beginning of your NAT-ACL for the traffic from to

Don't stop after you've improved your network! Improve the world by lending money to the working poor: