,
PC1——(G0/0)ASA-1(G0/1)——R1(ISP)——-(G0/0)ASA-2(G0/1)—PC2
Below configuration is tested in virtual LAB and it works fine.
ISP (R1)
interface FastEthernet0/0
ip address 199.1.1.1 255.255.255.252
no shut
!
interface Ethernet1/0
ip address 55.1.1.1 255.255.255.252
no shut
ASA-1
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
no shut
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 199.1.1.2 255.255.255.252
no shut
route outside 0.0.0.0 0.0.0.0 199.1.1.1 1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key cisco
access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
crypto dynamic-map DMAP 10 match address VPN-ACL
crypto dynamic-map DMAP 10 set ikev1 transform-set ABC
crypto map XYZ 10 ipsec-isakmp dynamic DMAP
crypto map XYZ interface outside
ASA-2
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 20.20.20.254 255.255.255.0
no shut
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 55.1.1.2 255.255.255.252
no shut
route outside 0.0.0.0 0.0.0.0 55.1.1.1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800
tunnel-group 199.1.1.2 type ipsec-l2l
tunnel-group 199.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco
access-list VPN-ACL extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec ikev1 transform-set ABC esp-aes esp-sha-hmac
crypto map XYZ 10 match address VPN-ACL
crypto map XYZ 10 set peer 199.1.1.2
crypto map XYZ 10 set ikev1 transform-set ABC
crypto map XYZ interface outside