Prompted by a search query, I decided to also show the configuration of a simple Cisco 2800-series router and a Cisco ASA 55xx-series firewall for a site-to-site IPsec VPN.

Address plan:
1.1.1.1 — external address of the Cisco ASA 5520
2.2.2.2 — external address of the Cisco 2800
3.3.3.3 — some provider router, used as the default gateway
172.16.1.0/24 — internal network behind the Cisco 2800
192.168.1.0/24 — internal network behind the Cisco ASA 5520
10.0.0.0/8 — internal network behind the Cisco ASA 5520 and some other router that the ASA knows about.

Cisco 2800 config, IOS 12.4

!
!...
! Part of the output omitted
!...
!
no aaa new-model
ip source-route
ip cef
!
ip dhcp pool PCPOOL
network 172.16.1.0 255.255.255.0
domain-name sample.com
default-router 172.16.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip domain name example.com
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
archive
log config
hidekeys
!
crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key MY_VPN_GROUP_PASSWORD address 1.1.1.1
!
!
crypto ipsec transform-set PEERS esp-aes esp-md5-hmac
!
crypto map MYMAP 172 ipsec-isakmp
set peer 1.1.1.1
set security-association idle-time 600
set transform-set PEERS
set pfs group1
match address MYACL
!
ip ssh version 2
!
interface GigabitEthernet0/0
ip address 2.2.2.2 255.255.255.0
! The OUTSIDE ACL defined further down is not applied anywhere in the
! shown output; applying it inbound on the WAN interface is assumed here.
ip access-group OUTSIDE in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
!
interface GigabitEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 3.3.3.3
ip route 10.0.0.0 255.0.0.0 1.1.1.1
ip route 192.168.1.0 255.255.255.0 1.1.1.1
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NATVPN interface GigabitEthernet0/0 overload
!
ip access-list extended MYACL
! Wildcard (inverse) masks are used here
! Crypto ACL: must be the exact mirror of MYACL on the ASA
! (the original line read 172.16.172.0, which would never match the ASA side)
permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip any any
ip access-list extended NATACL
permit ip 172.16.1.0 0.0.0.255 any
deny ip any any
ip access-list extended NATVPN
deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 172.16.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.16.1.0 0.0.0.255 any
deny ip any any
ip access-list extended OUTSIDE
permit ahp any any
permit esp any any
permit udp any eq isakmp any eq isakmp
permit tcp any any eq 22
permit tcp any any established
permit icmp any any echo-reply
permit icmp any any time-exceeded
deny ip any any
!
control-plane
!
!...
! Rest omitted
!...
!
scheduler allocate 20000 1000
end

Cisco ASA 5520 config, version 7.2(3)

!
!...
! Part of the output omitted
!...
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
!...
! Part of the output omitted
!...
!
access-list out_access_in extended permit icmp any any
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
!
access-list MYACL extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list MYACL extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
!
pager lines 24
mtu inside 1500
! The original read "mtu dub 1500"; no interface named "dub" exists in the
! shown config, so the outside nameif is assumed
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
!
! PAT for non-VPN traffic: the original read "global (dub) 1 interface",
! which references an undefined nameif; "outside" is assumed
global (outside) 1 interface
! NAT exemption: traffic matching ACL 101 goes into the tunnel untranslated
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group out_access_in in interface outside
! 10.0.0.0/8 per the address plan (original mask 255.255.0.0 was a typo);
! the next hop must be reachable on the inside subnet
route inside 10.0.0.0 255.0.0.0 192.168.2.1 1
route outside 172.16.1.0 255.255.255.0 2.2.2.2 1
!
!
aaa authentication ssh console LOCAL
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set PEERS esp-aes esp-md5-hmac
crypto ipsec df-bit clear-df outside
!
! Original had a typo ("MYALC"); the crypto ACL defined above is MYACL
crypto map mymap 172 match address MYACL
crypto map mymap 172 set pfs group1
crypto map mymap 172 set peer 2.2.2.2
crypto map mymap 172 set transform-set PEERS
crypto map mymap 172 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key MY_VPN_GROUP_PASSWORD
prompt hostname context
: end
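The two crypto ACLs above (MYACL on the 2800, written with wildcard masks, and MYACL on the ASA, written with subnet masks) must be exact mirrors of each other or phase 2 never comes up. The following checker is an added example, not part of the original post: it normalises both syntaxes to CIDR networks and reports any entry that has no mirrored counterpart. The ACL text embedded in it is a constructed excerpt of the page's configs.

```python
import ipaddress
import re

# Constructed excerpts of the two crypto ACLs shown on this page:
# IOS uses wildcard (inverse) masks, the ASA uses ordinary subnet masks.
IOS_ACL = """\
ip access-list extended MYACL
 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any
"""
ASA_ACL = """\
access-list MYACL extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list MYACL extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
"""
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
PERMIT = re.compile(rf"permit ip {IPV4} {IPV4} {IPV4} {IPV4}")


def _net(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """Build a network from address + mask; invert the mask if it is an IOS wildcard."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF  # 0.0.0.255 -> 255.255.255.0
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(bits))), strict=False)


def parse_acl(text: str, wildcard: bool) -> set:
    """Return the set of (src, dst) network pairs from 'permit ip' lines."""
    return {(_net(m[1], m[2], wildcard), _net(m[3], m[4], wildcard))
            for m in PERMIT.finditer(text)}


def mirror_mismatch(side_a: set, side_b: set) -> tuple:
    """Pairs on each side whose (dst, src) mirror is absent on the other side."""
    missing_on_b = side_a - {(d, s) for s, d in side_b}
    missing_on_a = side_b - {(d, s) for s, d in side_a}
    return missing_on_b, missing_on_a


if __name__ == "__main__":
    ios, asa = parse_acl(IOS_ACL, True), parse_acl(ASA_ACL, False)
    not_on_asa, not_on_ios = mirror_mismatch(ios, asa)
    print("2800 entries with no mirror on the ASA:", not_on_asa or "none")
    print("ASA entries with no mirror on the 2800:", not_on_ios or "none")
```

Run it against the two configs after every change to the crypto ACLs; a typo such as the 172.16.172.0 that appeared in the original router ACL shows up as one unmirrored entry on each side.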

PS: The configuration is taken from production devices, with some output omitted (it doesn't affect speed :)) and with the address space anonymized. If anything is off, write and we'll look at where I slipped up.