I used SDM to configure the VPN server; when I applied the changes, the router stopped passing any traffic between trusted and untrusted networks. One thing that's missing: I had to remove the NAT overload statement referencing the route-map that SDM created to get the 831 working again. Everything else is untouched. I applied the SDM_CMAP_1 map to the Ethernet1 interface to enable VPN. Here's the syslog error message I receive when the IPSec internal client tries to connect while the crypto map is applied to Ethernet1:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for (Ethernet1 external IP)

!
! Last configuration change at 19:24:48 GMT Wed Dec 28 2005 by yyy
! NVRAM config last updated at 19:25:30 GMT Wed Dec 28 2005 by yyy
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered informational
logging monitor warnings
enable secret 5 yyy
enable password 7 yyy
!
username xxx password 7 yyy
username xxx privilege 15 secret 5 yyy
username xxx privilege 0 password 7 yyy
clock timezone GMT 0
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address xxx.yyy.xxx.1 xxx.yyy.xxx.50
ip dhcp excluded-address xxx.yyy.xxx.151 xxx.yyy.xxx.254
!
ip dhcp pool CLIENT
   network xxx.yyy.xxx.0 255.255.255.0
   domain-name mydomain
   netbios-node-type h-node
   default-router xxx.yyy.xxx.2
   netbios-name-server xxx.yyy.xxx.1
   dns-server 205.152.244.252 24.93.40.73 xxx.yyy.xxx.1
   lease 2
!
!
ip tcp synwait-time 10
ip domain name mydomain
ip name-server xxx.yyy.xxx.1
ip name-server 205.152.244.252
ip name-server 205.152.144.252
ip name-server 205.152.0.20
no ip bootp server
ip cef
ip inspect audit-trail
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw netshow timeout 3600
ip inspect name myfw rtsp timeout 3600
ip inspect name myfw vdolive timeout 3600
ip inspect name myfw udp
ip inspect name myfw streamworks
ip inspect name myfw skinny
ip inspect name myfw sip
ip inspect name myfw icmp
ip inspect name myfw fragment maximum 256 timeout 1
ip ips sdf location flash:attack-drop.sdf
ip ips notify SDEE
ip ips po max-events 100
ip ips name myips
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group zzz
 key 6 vvv
 dns xxx.yyy.xxx.1
 wins xxx.yyy.xxx.1
 domain mydomain
 pool CLIENT
!
!
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set set1
 match address 100
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address xxx.yyy.xxx.2 255.255.255.0
 ip access-group 1 in
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet1
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group 111 in
 no ip proxy-arp
 ip nat outside
 ip inspect myfw in
 ip inspect myfw out
 ip ips myips in
 ip ips myips out
 ip virtual-reassembly
 duplex auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
!
ip classless
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp xxx.yyy.xxx.5 80 interface Ethernet1 80
ip nat inside source static tcp xxx.yyy.xxx.5 21 interface Ethernet1 21
!
!
logging facility local6
logging source-interface Ethernet0
logging xxx.yyy.xxx.10
access-list 1 remark SDM_ACL Category=17
access-list 1 permit xxx.yyy.xxx.0 0.0.0.255
access-list 1 deny any log
access-list 51 permit xxx.yyy.xxx.10
access-list 51 deny any log
access-list 100 deny ip xxx.yyy.xxx.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 111 deny ip any any log fragments
access-list 111 deny ip xxx.yyy.xxx.0 0.0.0.255 any log
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit esp any any log
access-list 111 permit ahp any any log
access-list 111 permit udp any any eq isakmp log
access-list 111 permit udp any any eq bootpc log
access-list 111 permit tcp any any eq 1723 log
access-list 111 permit tcp any any eq www log
access-list 111 permit tcp any any eq ftp log
access-list 111 permit tcp any any eq 22 log
access-list 111 permit gre any any log
access-list 111 deny ip any any log
snmp-server community bbb RO 51
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps rtr
snmp-server host xxx.yyy.xxx.10 private
snmp-server host xxx.yyy.xxx.10 public
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
banner motd  mydomain You have entered a secured system. Authorized access only!  
!
line con 0
 password 7 xxx
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 120 0
 password 7 xxx
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
sntp logging
sntp server xxx.yyy.xxx.1
end
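A recurring review point when SDM-generated NAT and VPN configuration coexist on one IOS router is which access lists the NAT inside-source rules and the crypto map both reference: in the post above, ACL 100 is the match address of SDM_DYNMAP_1 and also the match clause of route-map SDM_RMAP_1. The Python script below is an added example, not code from the original post or from Cisco SDM; it parses the relevant parts of a running-config dump and reports the ACLs shared between NAT and crypto. The sample config is constructed (RFC 5737 addresses stand in for the poster's xxx.yyy.xxx values), and the `ip nat inside source route-map ... overload` line is the standard IOS form assumed to be what SDM generated and the poster removed.

```python
"""Cross-reference NAT inside-source rules and crypto-map match ACLs
in a Cisco IOS running-config dump (added example, not the poster's code)."""
import re
from collections import defaultdict

# Constructed sample: trimmed IOS config in the shape of the post above.
# The route-map NAT line is assumed to be the SDM-generated statement the
# poster says they removed; 192.0.2.0/24 stands in for xxx.yyy.xxx.0/24.
SAMPLE_CONFIG = """
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip nat inside source static tcp 192.0.2.5 80 interface Ethernet1 80
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set set1
 match address 100
 reverse-route
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
route-map SDM_RMAP_1 permit 1
 match ip address 100
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 1 deny any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip any any
"""


def parse_config(text):
    """Return ACL references made by NAT rules, route-maps and crypto maps."""
    route_maps = defaultdict(set)   # route-map name -> ACLs it matches on
    acls = defaultdict(list)        # ACL number/name -> entries in order
    crypto_acls = set()             # ACLs named by 'match address' in crypto maps
    nat_refs = []                   # ('list' | 'route-map', name) from NAT rules
    context = None                  # current indented block: (kind, name)

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: decide whether it opens a block we care about.
            context = None
            m = re.match(r"route-map (\S+)", line)
            if m:
                context = ("route-map", m.group(1))
                continue
            m = re.match(r"crypto (?:dynamic-map|map) (\S+) \d+", line)
            if m:
                context = ("crypto", m.group(1))
                continue
            m = re.match(r"ip nat inside source (list|route-map) (\S+)", line)
            if m:
                nat_refs.append((m.group(1), m.group(2)))
                continue
            m = re.match(r"access-list (\S+) (.*)", line)
            if m:
                acls[m.group(1)].append(m.group(2))
            continue
        # Indented sub-command inside the current block.
        sub = line.strip()
        if context and context[0] == "route-map":
            m = re.match(r"match ip address (.+)", sub)
            if m:
                route_maps[context[1]].update(m.group(1).split())
        elif context and context[0] == "crypto":
            m = re.match(r"match address (\S+)", sub)
            if m:
                crypto_acls.add(m.group(1))

    # Resolve NAT references: a 'list' names an ACL directly; a 'route-map'
    # contributes every ACL its match clauses name.
    nat_acls = set()
    for kind, name in nat_refs:
        if kind == "list":
            nat_acls.add(name)
        else:
            nat_acls.update(route_maps.get(name, set()))

    return {
        "nat_refs": nat_refs,
        "nat_acls": nat_acls,
        "crypto_acls": crypto_acls,
        "route_maps": dict(route_maps),
        "acls": dict(acls),
    }


def shared_acls(parsed):
    """ACLs referenced by both a NAT inside-source rule and a crypto map."""
    return parsed["nat_acls"] & parsed["crypto_acls"]


def report(parsed):
    """Human-readable summary lines for a config review."""
    lines = []
    for kind, name in parsed["nat_refs"]:
        lines.append(f"NAT inside source via {kind} {name}")
    for acl in sorted(shared_acls(parsed)):
        lines.append(f"ACL {acl} is used by both NAT and a crypto map:")
        lines.extend(f"  access-list {acl} {e}" for e in parsed["acls"].get(acl, []))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_config(SAMPLE_CONFIG))))
```

The parser keys on indentation the way IOS prints it (sub-commands under `route-map` and `crypto ... map` blocks are indented one space), so it can be pointed at a full `show running-config` capture; the report is meant as a review aid, listing every ACL the NAT policy and the crypto policy have in common so the reviewer can read those entries side by side.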