New Member

Problem using Security Manager to deploy VPN at Remote Office

I am trying to use Security Manager v3.1 to deploy the following configuration.

Corporate Office with IOS Router - network

Remote Office with IOS Router - network

I set up the Remote Office with NAT so the users at the Remote Office can access the internet. They have a small pool of routable Internet IP addresses, so I needed to set up a Dynamic Rule in the NAT settings to use Port Translation. Under Traffic Flow I created a simple Access List to permit the inside network to any.

At this point the remote office was able to access the internet just fine.

I then created a DMVPN for the Remote Office and Corporate Office, this works fine as well. When the configuration is deployed, the Traffic Flow access list mentioned above has a deny added from to so that the DMVPN traffic is not NAT'ed.

Again this works fine; people can access the internet as well as access resources at the Corporate Office.

The Access List for the Traffic Flow of the NAT Dynamic Rules looks like the following, this is what is deployed to the router.

deny ip

permit ip any

The next piece that doesn't work so well is when I wanted to add a Remote Access VPN to the Remote Office router. I created a User Group Policy with an IP Address Pool of

When I deploy this to the router the NAT access list does not get updated to include the network for deny. Based on what I read in the manual I needed to add this manually to the NAT's Dynamic Rules Traffic Flow access list. I added a line to the access list of deny to

Regardless of moving this up or down the resulting access list that gets generated looks like the following

deny ip

permit ip any

deny ip

Like I mentioned, I have tried to change the order in the Access List of the Dynamic Rules Traffic Flow, and the generated access list does not appear to honor my ordering.

Any help on this would be greatly appreciated.
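
The ordering problem in this post comes down to first-match evaluation of the access list: an entry placed after a broader `permit` is never reached. The following is an added example, not code from the original post or from Cisco Security Manager, that flags such shadowed entries in a generated NAT access list. The networks are constructed (the post's own addresses are not shown) and the function names are hypothetical.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>'; each side is 'any' or 'addr wildcard'."""
    tok = line.split()
    action, rest, nets = tok[0], tok[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ANY)
            rest = rest[1:]
        else:
            # ipaddress reads a mask with a leading zero octet as a wildcard (host mask)
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
    return action, nets[0], nets[1]

def first_match(acl, src, dst):
    """Action of the first entry matching the packet; implicit deny if none does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, snet, dnet = parse_ace(line)
        if s in snet and d in dnet:
            return action
    return "deny"

def shadowed(acl):
    """Entries fully covered by an earlier entry, so they can never match."""
    parsed = [parse_ace(line) for line in acl]
    hits = []
    for i, (_, src, dst) in enumerate(parsed):
        for j in range(i):
            if src.subnet_of(parsed[j][1]) and dst.subnet_of(parsed[j][2]):
                hits.append((acl[i], acl[j]))
                break
    return hits

# Constructed networks: 10.2.0.0/24 remote LAN, 10.1.0.0/24 corporate LAN,
# 10.3.0.0/24 remote access VPN pool. In a NAT ACL, deny means "do not translate".
GENERATED = [
    "deny ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255",
    "permit ip 10.2.0.0 0.0.0.255 any",
    "deny ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255",
]
INTENDED = [GENERATED[0], GENERATED[2], GENERATED[1]]

if __name__ == "__main__":
    for entry, earlier in shadowed(GENERATED):
        print(f"never matched: {entry!r} (covered by {earlier!r})")
    print("generated:", first_match(GENERATED, "10.2.0.5", "10.3.0.9"))
    print("intended: ", first_match(INTENDED, "10.2.0.5", "10.3.0.9"))
```

Running the same check against the configuration preview before each deployment shows whether a manually added exemption ended up below the catch-all `permit`.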

New Member

Re: Problem using Security Manager to deploy VPN at Remote Offic

I think it is very important to know that Security Manager allows you to import the configurations of remote access VPN policies during policy discovery. You can discover configurations on devices that are already deployed in your remote access VPN network, so that Security Manager can manage them. These configurations are imported into Security Manager as remote access VPN policies. For more information, please click the following URL:
