Problem: VPN L2L, no Tx on one side and no Rx on the other

Hi friends,

I have a problem with two ASAs, a 5540 and a 5510, running 8.4.3 and 8.2.5 respectively. TOPOLOGY: LAN - ASA - WAN - ASA - LAN

On the 5540 side I have no Tx:

# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 189.213.94.5
Index        : 107                    IP Addr      : 189.213.94.5
Protocol     : IKEv1 IPsec
Encryption   : 3DES 3DES 3DES         Hashing      : SHA1 SHA1 SHA1
Bytes Tx     : 0                      Bytes Rx     : 19104
Login Time   : 09:30:57 CST Fri Feb 8 2013
Duration     : 0:00:14:00

IKEv1 Tunnels: 1
IPsec Tunnels: 2

IKEv1:
  Tunnel ID    : 107.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85549 Seconds
  D/H Group    : 2
  Filter Name  : OUTSIDE_cryptomap_1
  IPv6 Filter  :

IPsec:
  Tunnel ID    : 107.2
  Local Addr   : 10.10.0.0/255.255.255.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27949 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607991 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 10200
  Pkts Tx      : 0                      Pkts Rx      : 170

IPsec:
  Tunnel ID    : 107.3
  Local Addr   : 10.5.0.0/255.255.0.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27952 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607992 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 8904
  Pkts Tx      : 0                      Pkts Rx      : 84

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 852 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

And on the 5510 side I have no Rx:

# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 201.140.121.82
Index        : 695                    IP Addr      : 201.140.121.82
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 22480                  Bytes Rx     : 0
Login Time   : 17:33:15 CST Fri Feb 8 2013
Duration     : 0:00:16:00

IKE Tunnels: 1
IPsec Tunnels: 2

IKE:
  Tunnel ID    : 695.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85407 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 695.2
  Local Addr   : 192.168.2.0/255.255.255.0/0/0
  Remote Addr  : 10.10.0.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27808 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 11880                  Bytes Rx     : 0
  Pkts Tx      : 198                    Pkts Rx      : 0

IPsec:
  Tunnel ID    : 695.3
  Local Addr   : 192.168.2.0/255.255.255.0/0/0
  Remote Addr  : 10.5.0.0/255.255.0.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27811 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 10600                  Bytes Rx     : 0
  Pkts Tx      : 100                    Pkts Rx      : 0

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 994 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

Hope you guys could help me understand the issue correctly.

Thank you!

Looks like your problem is that you have the route to 192.168.2.X pointing inside on your 5540, when it should be pointing to your OUTSIDE interface, or just let the default route take care of it.

Remove the static route for 192.168.2.0 on the 5540:

no route inside 192.168.2.0 255.255.255.0 10.10.0.1 1

Then see if two-way communication happens. Try: packet-tracer input inside icmp 10.10.0.1 1 1 192.168.2.1

Run it once more. If everything checks out, see if you have two-way communication through the VPN.
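The diagnosis above (counters moving in one direction only, plus a remote VPN subnet routed at the wrong interface) can be checked mechanically from show output. The script below is an added example, not code from this thread; it parses the "show vpn-sessiondb detail l2l" figures from the question together with a hypothetical "show route" table and flags both symptoms.

```python
"""Flag a one-way LAN-to-LAN IPsec tunnel from ASA show output.

Added example, not code from the thread. It reads the text of
'show vpn-sessiondb detail l2l' and 'show route' and checks the two things
the answer points at: IPsec SAs with traffic in only one direction, and a
remote VPN subnet whose best route leaves through an interface other than
the one the crypto map is bound to. The sample text below is constructed:
the session figures match the thread, the route table is hypothetical.
"""
import ipaddress
import re

# Constructed: the 5540 side, trimmed to the fields this script reads.
SESSIONDB_5540 = """\
Session Type: LAN-to-LAN Detailed
Connection   : 189.213.94.5
Bytes Tx     : 0                      Bytes Rx     : 19104

IPsec:
  Tunnel ID    : 107.2
  Local Addr   : 10.10.0.0/255.255.255.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Bytes Tx     : 0                      Bytes Rx     : 10200
  Pkts Tx      : 0                      Pkts Rx      : 170

IPsec:
  Tunnel ID    : 107.3
  Local Addr   : 10.5.0.0/255.255.0.0/0/0
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Bytes Tx     : 0                      Bytes Rx     : 8904
  Pkts Tx      : 0                      Pkts Rx      : 84
"""

# Hypothetical 'show route' for the 5540, including the static route the
# answer says to remove: the remote VPN subnet points at the inside interface.
ROUTE_5540 = """\
S*   0.0.0.0 0.0.0.0 [1/0] via 189.213.94.1, outside
C    10.10.0.0 255.255.255.0 is directly connected, inside
S    10.5.0.0 255.255.0.0 [1/0] via 10.10.0.1, inside
S    192.168.2.0 255.255.255.0 [1/0] via 10.10.0.1, inside
"""

# The same table after 'no route inside 192.168.2.0 255.255.255.0 10.10.0.1 1'.
ROUTE_5540_FIXED = "\n".join(
    l for l in ROUTE_5540.splitlines() if not l.startswith("S    192.168.2.0"))


def parse_ipsec_tunnels(text):
    """One dict per 'IPsec:' block: id, local/remote network, bytes tx/rx."""
    tunnels, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "IPsec:":                       # start of a child SA block
            cur = {}
            tunnels.append(cur)
            continue
        if cur is None:                         # session / IKE header lines
            continue
        m = re.match(r"Tunnel ID\s*:\s*(\S+)", s)
        if m:
            cur["id"] = m.group(1)
        m = re.match(r"(Local|Remote) Addr\s*:\s*([\d.]+)/([\d.]+)/", s)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cur[m.group(1).lower()] = net
        m = re.match(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)", s)
        if m:
            cur["tx"], cur["rx"] = int(m.group(1)), int(m.group(2))
    return tunnels


ROUTE_RE = re.compile(r"^\S+\s+([\d.]+)\s+([\d.]+)\s.*,\s*(\S+)$")


def parse_routes(text):
    """(network, egress interface) pairs from 'show route' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes


def egress_interface(routes, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    addr, best = ipaddress.ip_address(addr), None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def diagnose(sessiondb_text, route_text, crypto_iface="outside"):
    """Tunnel ids whose counters move one way only, and remote subnets whose
    best route does not leave via the crypto-map interface, as
    (id, remote, matched route, interface) tuples."""
    tunnels = parse_ipsec_tunnels(sessiondb_text)
    routes = parse_routes(route_text)
    one_way = [t["id"] for t in tunnels if (t["tx"] == 0) != (t["rx"] == 0)]
    misrouted = []
    for t in tunnels:
        best = egress_interface(routes, str(t["remote"].network_address))
        if best is None or best[1] != crypto_iface:
            misrouted.append((t["id"], str(t["remote"]),
                              str(best[0]) if best else None,
                              best[1] if best else None))
    return {"one_way": one_way, "misrouted": misrouted}


if __name__ == "__main__":
    for label, table in (("before", ROUTE_5540), ("after fix", ROUTE_5540_FIXED)):
        rep = diagnose(SESSIONDB_5540, table)
        print(label, "one-way:", rep["one_way"], "misrouted:", rep["misrouted"])
```

After the static route is removed the remote subnet falls back to the default route via outside and the "misrouted" list empties; the one-way counters only clear once real traffic flows again.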

Tags: Cisco Security

Similar Questions

  • Using VPN L2L static and dynamic dedicated tunnels

    We have an ASA 5510 running 8.0 at our company headquarters. We have remote sites that need to create L2L VPN tunnels to the HQ ASA. Some remote sites have static IP addresses and others have dynamic IP addresses.

    I found Cisco documentation for static IP L2L VPN tunnels and got them working. I found other Cisco documentation for dynamic-to-static IP L2L VPN tunnels using the "DefaultL2LGroup" tunnel-group.

    My question is, can you have both types of L2L tunnels on the same ASA? If so, does simply using the "DefaultL2LGroup" tunnel-group definition together with the regular tunnel-group definitions work? Is there a reason not to do it? Is there better technology (HQ ASA and a combination of ASA 5505 and 1861 at the remote sites) available?

    Yes, you can have both types of L2L tunnels. If you use a PSK - remember that the IP address of the remote site is used to 'validate' the connection to Headquarters. As long as you use a strong PSK of 64 characters, all mixed upper/lower case alphanumeric - you should be OK.

    A better way to do it - is to get static IP addresses for the sites that currently have DHCP from the ISP.

    HTH

  • IOS VPN L2L placement and best practices discussion

    We are installing an IOS VPN router on a 2651XM with the VPN bundle for L2L.

    I am trying to determine the best placement for the VPN router.

    We have the Internet BR, then the outside switch, the PIX, then the inside switch.

    We have installed a 4-port card in the PIX 515e to provide the DMZ interface, but have not yet configured all interfaces.

    The L2L is B2B and we need our traffic to go through the internal network firewall/NAT.

    I have a switch for the DMZ if necessary for additional PSS.

    I recommend placing the VPN router outside the firewall, off the outside interface. Terminate the unencrypted side of the VPN on a DMZ port on the PIX; this way you can use the PIX to control which internal servers VPN users can connect to.

    This way you can NAT your inside traffic, but your VPN traffic does not cross a NAT line. You can also allow your VPN users to access your Internet connection through the PIX.

    On the VPN router, lock down the outside interface as much as possible; if the IOS supports the firewall feature set, use it.

  • Problem with VPN compatibility between 2811 and 2911

    Hello

    I would like to ask whether anyone has had problems implementing a VPN tunnel between a 2811 and a 2911?

    The IPsec VPN is established, but for some reason I cannot ping from the LAN side across to the LAN at the other end of the VPN router?

    Any experience would be highly appreciated

    Thank you

    IPsec VPN can be set up smoothly between Cisco routers (and not necessarily Cisco), so there should be no problem in your case.

    If you say that the tunnel is established successfully, then the problem is most likely related to routing problems between the sites or an incorrectly configured crypto ACL. Check whether the hosts located on both sites have correct routing information on how to get to the subnets on the other site.

    To make more accurate assumptions, it would be helpful if you provided the config of both sites and described your topology.

  • Question on VPN L2L redundancy using 2811s as endpoint devices

    I have a new L2L VPN implementation using two 2811s as VPN terminating devices. I'll try to use the HSRP address between the public interfaces of both routers as the VPN peer address. The problem I found during testing is that the tunnel will not become active; debugs show the HSRP address as an invalid address to form the tunnel. Is there a work-around, or a better plan for redundancy on the peering address using similar devices? Thanks in advance.

    Take a look at this doc about IOS IPsec HA.

    http://www.Cisco.com/en/us/docs/iOS/security/configuration/guide/sec_vpn_ha_enhance_ps6922_TSD_Products_Configuration_Guide_Chapter.html#wp1039849

  • Simple L2L VPN configuration to comply with security requirements

    Hello

    I have successfully set up an L2L connection between a 5510 (7.2) and a 3rd party (SonicWall).

    Security requirements are such that users at our office (contractors) connect to various devices at the 3rd party, BUT nothing at the 3rd party may connect to anything at our office.

    I tried an outbound ACL (access-group L2L-RESTRICT out interface inside) on the inside interface. But the funny thing is that I'm getting hits on the deny statements in the ACL, although tests show no problem for users at our site connecting to multiple hosts at the 3rd party. My ACL config looks like the following:

    <..snip..>

    access-list L2L-RESTRICT remark *ATTENTION* USE WITH CAUTION - RESTRICTIONS ON THE 3rd PARTY L2L VPN
    access-list L2L-RESTRICT extended permit icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply
    access-list L2L-RESTRICT extended deny ip 192.168.16.0 255.255.255.0 any log
    access-list L2L-RESTRICT remark NOTE: last line *must* be permit any
    access-list L2L-RESTRICT extended permit ip any any
    !
    access-group L2L-RESTRICT out interface inside

    <..snip..>

    Their network is obviously 192.168.16.x and they won't be able to use a different source VLAN, as the "interesting traffic" ACL won't allow it. So that sounds good in theory

    Do I have it configured correctly? Is there a better way?

    Thanks in advance,

    Mike

    Mike,

    It seems that you might be able to assign a VPN ACL filter via a group policy assigned to each L2L tunnel. I have never done this personally, but it looks like it would work...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

  • ASA5510 VPN L2L cannot reach hosts on the other side

    Hello experts,

    I have an ASA5510 with 3 L2L VPNs and remote access VPN. Two L2L VPNs, Marielle and Aeromique, have no problem, but for the VPN ASPCANADA, from a host behind the ASA 192.168.100.xx, I can't reach 57.5.64.250 or 251 and vice versa. But the tunnel is up. Can you help me please, thank you in advance.

    Add these two lines to the NAT 0 access list:

    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251
    access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250

    Also make sure the mirror of these statements is also in the remote ASA's NAT 0 access list.

    Test and validate the results

    HTH

    Sangaré

    Pls rate helpful posts

  • Packet-trace for vpn l2l

    Can anyone help with the packet-tracer command for traffic going over an L2L IPsec VPN

    on ASA (a)

    ciscoasa# packet-tracer input outside tcp 10.10.1.2 12345 192.168.1.2 80

    ASA (a)

    inside IP address - 192.168.1.2

    destination port 80

    ASA (b)

    inside IP address - 10.10.1.2

    source port 12345

    Hello

    So if your 'inside' host is 192.168.1.2 and the 'outside' host is 10.10.1.2 then you could just use the following

    packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

    If the goal is just to test the VPN negotiation then the ports are not really important, but naturally the traffic tested with "packet-tracer" must be allowed by your "inside" interface ACL. The essential thing is that the source and destination addresses match the L2L VPN (crypto ACL) configuration

    Generally you would use NAT0 for these local and remote networks, so NAT should not be a problem when testing from that direction. I suppose there might be rare situations where using the command in this way is not possible

    -Jouni

  • ASA5505 VPN PROBLEM

    Hello

    It seems to me that the configurations are for the most part fine. But of course they may differ from those on the remote site. We do not know what the settings are on the other site of this L2L VPN connection.

    The NAT0 configuration has one line that is not necessary (line below)

    access-list inside_nat0_outbound extended permit ip lan-imp 255.255.255.0 1.1.1.0 255.255.255.0

    You can use "packet-tracer" on the CLI side to check what happens to the traffic first

    packet-tracer input inside tcp 1.1.1.100 12345 192.168.1.100 80

    I guess the LAN IP addresses have been changed for some reason, so replace the IP addresses above with random IP addresses from the LAN and REMOTE LAN if necessary.

    Issue the above command twice. If the second output still stops at the VPN phase with DROP then there are some problems in the L2L VPN configurations on one side of the connection.

    You can also check the output of the following command after issuing the "packet-tracer" command above, to check what is happening in Phase 1 of the L2L VPN negotiation

    show crypto isakmp sa

    If that goes through then I would start looking for a problem in the related "crypto map" configurations.

    -Jouni

  • Sending specific ports down a VPN L2L

    I have a client who is trying to use an ISP-hosted web filtering and content management gateway; the ISP wants to use an L2L IPsec VPN to their front door to control the traffic. Today we have the tunnel up with a test ACL for a test device on the customer side going down the tunnel, but it blocks all traffic that is not being analyzed. The problem is that they are on an ASA 5510 with 8.2.2. You cannot add TCP ports in the NAT 0 ACL; it errors when you try to apply the nat 0 access-list statement on the inside. We can define the ports in the VPN interesting-traffic ACL with a port number, but there is no way to send just the web ports down the VPN and let the other ports go out the regular interface overload NAT. I was looking at 8.4 to see if it allows a policy NAT (twice NAT for VPNs) to tie a port to a range of IPs (i.e. nat (inside,outside) source static any any destination static WEBINSPECT WEBINSPECT) but defining only the web ports.

    I do not have a test ASA to use, but I guess the L2L VPN will only be by IP and I cannot define a port in the tunnel.

    In any case, it is a strange one, but ideas are welcome. I don't think it's possible, but I thought I'd see if anyone has run into this before.

    Hello

    Well, to give you a simple example where we use twice NAT / manual NAT to handle the traffic

    For example, a configuration example I just did on my 8.4(5) ASA

    The following configuration will

    • Define the 'object' that contains the source network for the NAT
    • Define the 'object' that contains the service for the NAT
    • Define the actual NAT

    The actual NAT will make any connection from the network in the 'WIRELESS' network object to destination port TCP/80 go out the 'WAN' interface without NAT

    Of course, in the next step with the L2L VPN, the network in the 'WIRELESS' network object would have to match the L2L VPN ACL. But that seemed straightforward for you already

    object network WIRELESS
     subnet 10.0.255.0 255.255.255.0

    object service WWW
     service tcp destination eq www

    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW

    The following configuration will

    • Define the "object-group" that defines the source networks of the default PAT rule for Internet traffic
    • Define the 'object' for the PAT address (could just use 'interface' instead of the 'object')
    • Define the actual NAT

    The NAT configuration will just make a default PAT rule for the wireless network. The key thing to note here is that we use the "after-auto" parameter. This basically inserts the NAT rule at the very bottom of the ASA's NAT priority.

    object-group network WIRELESS-NETWORK
     network-object 10.0.255.0 255.255.255.0

    object network PAT-1.1.1.1
     host 1.1.1.1

    nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1

    Now we can use the "packet-tracer" command to confirm that the NAT works as expected.

    WWW TEST TRAFFIC

    ASA(config)# packet-tracer input WLAN tcp 10.0.255.100 12355 1.2.3.4 80

    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
    Additional Information:
    NAT divert to egress interface WAN
    Untranslate 1.2.3.4/80 to 1.2.3.4/80

    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
    Additional Information:
    Static translate 10.0.255.100/12355 to 10.0.255.100/12355

    Phase: 4
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (WLAN,WAN) source static WIRELESS WIRELESS service WWW WWW
    Additional Information:

    Phase: 6
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1727146, packet dispatched to next module

    Result:
    input-interface: WLAN
    input-status: up
    input-line-status: up
    output-interface: WAN
    output-status: up
    output-line-status: up
    Action: allow

    FTP TEST TRAFFIC

    ASA(config)# packet-tracer input WLAN tcp 10.0.255.100 12355 1.2.3.4 21

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN

    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 3
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:

    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
    Additional Information:
    Dynamic translate 10.0.255.100/12355 to 1.1.1.1/12355

    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (WLAN,WAN) after-auto source dynamic WIRELESS-NETWORK PAT-1.1.1.1
    Additional Information:

    Phase: 7
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 10
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1727154, packet dispatched to next module

    Result:
    input-interface: WLAN
    input-status: up
    input-line-status: up
    output-interface: WAN
    output-status: up
    output-line-status: up
    Action: allow

    As you can see, the TCP/80 traffic matches the first rule. And the FTP used as the other example matches the default PAT rule as expected.

    If you want to know a little more about the new 8.3+ NAT format you can check a document I created

    https://supportforums.Cisco.com/docs/doc-31116

    Hope this helps, please mark the question as answered or rate the answer.

    Naturally, ask more if necessary

    -Jouni

  • One subnet over VPN L2L stops periodically

    I have two Cisco ASA 5520s running software version 8.2(2) implemented in an HA pair. The L2L VPN is set up and works as expected between this site and the other. The issue is that every few months one VPN subnet, the same one every time, stops transmitting/receiving traffic. The device at the remote location is not a Cisco device, but I am certain that the problem lies in the ASA, as when I fail over to the standby device the VPN works again; failing back, however, leaves the subnet still not passing traffic. I need to reboot the device before it starts forwarding traffic on the subnet again.

    Has anyone ever heard of this before? Any help will be much appreciated.

    Thank you

    Chris

    This could be related to CSCtb53186 or CSCtd36473, which caused some IPsec security associations to stop encrypting traffic. The problem has not been seen in 8.2.2.9 and later, so you may want to look at an upgrade to a more current version.

    Todd

  • VPN L2L dynamic to static w/o DefaultL2LGroup

    I was looking for a method to have a dynamic-to-static L2L VPN without using DefaultL2LGroup, but instead setting up several tunnel-groups, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

    Now the problem: the VPN comes up, but I can't reach any device with a ping.

    Static side: ASA 5505 - 8.22

    Dynamic side: Zyxel P-661HW-D3

    Here is the config of the ASA:

    access-list outside extended permit icmp any any
    access-list outside extended deny ip any any
    access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    access-list inside extended deny ip any any
    access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
    access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0

    nat (inside) 0 access-list VPN
    nat (inside) 1 10.1.0.0 255.255.248.0

    access-group inside in interface inside
    access-group outside in interface outside

    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map DN3710 1 match address ST_3710
    crypto dynamic-map DN3710 1 set transform-set myset

    crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
    crypto map dyn-map interface outside

    crypto isakmp enable outside

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal

    group-policy GP3710 internal
    group-policy GP3710 attributes
    vpn-filter value ST_3710
    vpn-tunnel-protocol IPSec

    tunnel-group TG3710 type ipsec-l2l
    tunnel-group TG3710 general-attributes
    default-group-policy GP3710
    tunnel-group TG3710 ipsec-attributes
    pre-shared-key *********

    As you can see, the VPN is up:

    2   IKE Peer: ***.***.***.***
        Type    : L2L             Role    : responder
        Rekey   : no              State   : AM_ACTIVE

    Thanks in advance if anyone can help me with this problem.

    Kind regards

    Luca

    Hello Luca,

    You are right, you can have the spokes landing on separate tunnel-groups, not only on the DefaultL2LGroup. The ASA follows this sequence when making a tunnel-group lookup for L2L tunnels with pre-shared keys:

    - the ike-id is checked first and could be a host name (full FQDN) or IP address

    - if the ike-id lookup fails, the ASA tries the peer IP address

    - DefaultRAGroup/DefaultL2LGroup is used as a last resort

    From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.

    The problem I see clearly here is the VPN filter that you have applied to the group policy; keep in mind that vpn-filters are applied to inbound VPN traffic.

    When a vpn-filter is applied to a group policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL. Be careful when building the ACL for use with the vpn-filter feature. The ACLs are built with the post-decrypted traffic in mind; however, they are also applied to the traffic in the opposite direction.

    In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network 10.1.0.0 255.255.248.0, so let's say you want to allow just telnet:

    The following ACE will allow the remote network to Telnet to the LAN:

    access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23

    The following ACE will allow the LAN to Telnet to the remote network:

    access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0

    Note: The ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23" will also allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.

    The ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0" will also allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.

    Kind regards
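The direction semantics described in the answer above, as an added example that is not part of the thread: a small model of how a vpn-filter ACE is matched as written on decrypted traffic from the peer, and with source and destination swapped on traffic going towards the peer, run over the two ACEs from the answer. The host addresses and the flows are constructed.

```python
"""Evaluate a vpn-filter ACE in both directions of an L2L tunnel.

Added example, not from the thread. It models the behaviour the answer
describes: a vpn-filter ACE is written for decrypted traffic (remote
network as source, LAN as destination) but is also applied to traffic
leaving for the peer with source and destination swapped. First match
wins and there is an implicit deny. The host addresses and flows below
are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # None means any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC MASK [eq P] DST MASK [eq P]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(line)
    pos = 4

    def take_net():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        net = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False)
        pos += 2
        return net

    def take_port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = take_net(), take_port()
    dst, dport = take_net(), take_port()
    return Ace(tok[1], tok[2], tok[3], src, sport, dst, dport)


def ace_matches(ace, proto, src, sport, dst, dport):
    return (ace.proto in ("ip", proto)
            and ipaddress.ip_address(src) in ace.src
            and ace.src_port in (None, sport)
            and ipaddress.ip_address(dst) in ace.dst
            and ace.dst_port in (None, dport))


def vpn_filter_permits(aces, direction, proto, src, sport, dst, dport):
    """direction 'in': decrypted traffic from the peer, matched as written.
    direction 'out': traffic towards the peer, matched with src/dst swapped."""
    if direction == "out":
        src, sport, dst, dport = dst, dport, src, sport
    for ace in aces:
        if ace_matches(ace, proto, src, sport, dst, dport):
            return ace.action == "permit"
    return False                                   # implicit deny


# The two ACEs from the answer (remote 10.51.10.0/24, LAN 10.1.0.0/21).
VPNFILT = [parse_ace(l) for l in (
    "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23",
    "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0",
)]

REMOTE_HOST, LAN_HOST = "10.51.10.5", "10.1.0.10"    # constructed hosts


def intended_and_side_effects():
    """The two intended telnet flows, the two side effects the answer warns
    about, and one flow that is correctly denied."""
    f = vpn_filter_permits
    return {
        "remote telnets to LAN":           f(VPNFILT, "in",  "tcp", REMOTE_HOST, 40000, LAN_HOST, 23),
        "LAN telnets to remote":           f(VPNFILT, "out", "tcp", LAN_HOST, 40000, REMOTE_HOST, 23),
        "LAN -> remote:445 from sport 23": f(VPNFILT, "out", "tcp", LAN_HOST, 23, REMOTE_HOST, 445),
        "remote -> LAN:445 from sport 23": f(VPNFILT, "in",  "tcp", REMOTE_HOST, 23, LAN_HOST, 445),
        "LAN -> remote:445 normally":      f(VPNFILT, "out", "tcp", LAN_HOST, 40000, REMOTE_HOST, 445),
    }


if __name__ == "__main__":
    for flow, permitted in intended_and_side_effects().items():
        print(f"{flow:34s} {'permit' if permitted else 'deny'}")
```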

  • ASA IPP on VPN L2L w/NAT

    I have an L2L VPN tunnel on a Cisco ASA 5520 that I am trying to get IPPS to work on. In my crypto map ACL I defined a local object-group and a remote object-group, and I have one-to-one NAT set up on the local group. I also have a route-map configured that will take the static routes and redistribute them into my EIGRP. Two things - 1, I noticed I don't see on my ASA the static routes that point to the remote subnets, and 2, the ACL that I used in my route-map definition is not getting any hits.

    Any thoughts on where I could be going wrong?

    Thank you

    Darren

    Have you configured the following:

    crypto map <map-name> <seq> set reverse-route

    If you have, can you remove it and add it again and see if that fixes the problem?

  • Windows 7 - VPN Error 711, 609 and error in «Phone and Modem»

    Hello

    I have had a problem with my VPN since the last MAJOR automatic Windows update - 16/10/2014

    My VPN worked fine until this update. Since then I get a lot of different errors when I try to connect to this VPN (from another PC with the same credentials it is fine).

    When I now try to connect to the VPN I get Error 711 first and later 609. I tried a lot of repairs, and none worked.

    VPN settings:
    http://i.imgur.com/cmADOeZ.PNG
    http://i.imgur.com/BaQiFtf.PNG
    http://i.imgur.com/kDL2xz1.PNG

    Services:

    • Plug and Play - works fine - set to automatic and the service started successfully
    • Remote Procedure Call - works fine - set to automatic and the service started successfully
    • DCOM Server Process Launcher - works fine - automatic and the service started successfully
    • Fax - the Fax service on the local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
    • Remote Access Auto Connection Manager - Windows could not start the Remote Access Auto Connection Manager service on the local computer. Error 0x80000048: 0x80000048
    • Remote Access Connection Manager - set to automatic and the service started successfully
    • ICS - the Internet Connection Sharing service on the local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
    • Routing and Remote Access - automatic and the service started successfully
    • Telephony - works fine - set to automatic and the service started successfully

    When I try to open "Phone and Modem" in the control panel:
    http://i.imgur.com/DIPZCRe.PNG
    "Phone and Modem control panel cannot be opened. You may have a problem starting the telephony service."

    I tried:
    (1) Win Recovery - did not work

    (2) cmd sfc /scannow - did not work

    (3) uninstall and reinstall the miniports manually - did not work
    netcfg -u MS_L2TP
    netcfg -u MS_PPTP
    netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
    netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP
    http://i.imgur.com/VYHqQwn.PNG

    (4) Windows Network Diagnostics - troubleshooting couldn't identify the problem - did not work

    (5) turned off the firewall and antivirus protection - did not work

    Can anyone please help me, and fast? This was caused by the Windows update and it has given me a lot of trouble. I really need a working VPN to my client and I can't get it right now.

    THX and best regards,
    Matej Skarka

    -last edited on 20/10

    Hello

    I recommend that you post this thread in the Windows 7 IT Pro TechNet networking forum. That is the best forum for network problems.

    Please follow the link below to post this thread.

    https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking

    Thank you.

  • Add a network to an existing VPN L2L

    I have L2L VPNs properly configured between our main site and 2 offices. Now I would like to allow additional networks on the main site to access the branch sites. The Cisco doc (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fad90.shtml) presents a method to do this by adding an additional interface. Is it possible to do it without adding an interface?

    Here is the relevant config on the main site ASA (8.0) and one of the remote PIXes (7.0):

    =========================

    ASA (main site)

    access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.255.0 172.16.29.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.29.0 255.255.255.0
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 24.97.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5

    =========================

    PIX (remote site)

    access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.0.0 255.255.255.0
    access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.1.0 255.255.255.0
    crypto map outside_map 20 match address outside_cryptomap_20_2
    crypto map outside_map 20 set peer 204.14.x.x
    crypto map outside_map 20 set transform-set ESP-3DES-MD5

    Just add the interesting traffic to your access lists. New network = 172.16.2.0/24

    ASA (main site)

    access-list outside_1_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

    PIX (remote site)

    access-list outside_cryptomap_20_2 extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0

    Don't forget your NAT exemption ACL as well. For example...

    ASA (main site)

    access-list <nat0-acl-name> extended permit ip 172.16.2.0 255.255.255.0 172.16.29.0 255.255.255.0

    PIX (remote site)

    access-list <nat0-acl-name> extended permit ip 172.16.29.0 255.255.255.0 172.16.2.0 255.255.255.0
