Assuming that ASA LAN is 192.168.2.0/24 and router LAN is 192.168.1.0/24, the following ACL should be configured:
On the router:
ip access-list extended TUNNEL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
On the ASA:
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The rest of the other ACL lines that have been configured should be removed. Most importantly, the number of ACL line on the router should match the same on the ASA with mirror image ACL for the subnet.
You also need to remove the following on the ASA as the router is not configured to use PFS:
The Cisco Secure Firewall and SecureX teams are looking for feedback from active Secure Firewall users who may or may not have already activated SecureX. Your responses will help us improve the Firepower experience in SecureX. Th...
Related documentsCisco ISE (Identity Services Engine) IPv6 features by release2.6ISE ManagementNetwork Time Protocol SupportDomain Name System SupportExternal RepositoriesAudit Logs and ReportsSimple Network Management ProtocolAccess Control Lists And Dyn...
Site to Site IPSec VPN with Dynamic IP Endpoint is typically used when we have a branch sites which obtains a dynamic public IP from the Internet ISP. For example an ADSL connection.One important note is that Site-to-Site VPN with Dynamic remote routers P...
On R1, configure a key ring that defines the peer R3:Address: 18.104.22.168Local and remote pre-shared key: cisco R1(config)#crypto ikev2 keyring KRR1(config-ikev2-keyring)# peer R3R1(config-ikev2-keyring-peer)# address 22.214.171.124R1(config-ikev2-keyring-pee...