I have an 871W router that's configured for dynamic maps. The way that I have these configured is that the crypto map is applied to the public interface, and I have a crypto isakmp profile for a group that the VPN client connects to from the outside; this works fine.
The problem comes in because I have multiple VLANs. I have one that is on the 10.20.1.0/24 subnet and I have another that's on the 192.168.100.0/24 subnet. On BOTH of these subnets, I have a device that needs to VPN into remote networks. The 192.168.100.0 subnet has a TMobile Hiport (Cisco/Linksys) device, and on the 10.20.1.0 subnet I have a host that needs to remote into the office. On the router, I see where the remote site is trying to send an ISAKMP delete message, but the router is dropping that traffic because it doesn't see it as a valid session.
I can remove the crypto map from interface fa4 (public address), and everything works fine. I can't use virtual templates (which fixes this problem) because I have to be able to VPN into this router from remote, but I can't do it from behind an ASA because, for some reason, my router is sending traffic back on a different random port, different session to the ASA to try to establish the connection.
How can I get the VPN clients to work behind the router with the crypto map applied?