Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-to-site and Client-to-site

We have a 7140 in a hub office with 2651s dotted around the region all running 12.2.8T1 and setup with ISAKMP key negotiation, IPSEC 3DES and GRE tunnels (to shift the OSPF). The Interface (F0/1) that sits on the Internet has an ACL allowing only IPSEC AH, ESP and ISAKMP through.

The problem comes when we try to attach a Client VPN 3.5.1c (see config of router below). The client connect and all keys are exchanged but when it comes to moving data across the Client VPN connection no protocols work - if I remove the ACL the client works fine and can use all IP protocols that it needs to.

How can I run site-to-site VPNs and Client-to-site on the same box with the maximum security? Cisco's examples only show one or the other not both together!

Thanks, JB.

----- Config - this is a cut down version and not totally verbatim!

aaa new-model

aaa authentication login remoteuser group radius

aaa authorization network remotegroup local

aaa session-id common

enable secret 5 <blarrr>


clock timezone GMT 0

ip subnet-zero

no ip domain-lookup

no ip bootp server

ip audit notify log

ip audit po max-events 100


! policy 1 for the site VPn tunnels


crypto isakmp policy 1

encr 3des

authentication pre-share

group 5


! policy 999 for the client vpn tunnels


crypto isakmp policy 999

encr 3des

authentication pre-share

group 2


crypto isakmp key <somekey> address <remote_ip> no-xauth

crypto isakmp identity hostname


crypto isakmp client configuration group ClientVPN

key <anotherkey>



domain <>

pool remote_vpn_pool


crypto ipsec transform-set site_e ah-sha-hmac esp-3des esp-sha-hmac

mode transport

crypto ipsec transform-set client_e esp-3des esp-sha-hmac


crypto dynamic-map DynamicVPNs 1

set transform-set client_e


crypto map RemoteVPNs client authentication list remoteuser

crypto map RemoteVPNs isakmp authorization list remotegroup

crypto map RemoteVPNs client configuration address respond

crypto map RemoteVPNs 1 ipsec-isakmp

set peer <remote_ip>

set transform-set site_e

match address ACL

crypto map RemoteVPNs 999 ipsec-isakmp dynamic DynamicVPNs


controller ISA 5/1


interface Tunnel1

bandwidth 4096

ip address <tunnel_add> <tunnel_mask>

ip mtu 1440

tunnel source FastEthernet0/1

tunnel destination <remote_ip>

crypto map RemoteVPNs


interface FastEthernet0/0

ip address <internal_ip>

duplex full

speed 100


interface FastEthernet0/1

ip address <external_ip>

ip access-group 101 in

duplex full

speed 100

crypto map RemoteVPNs


router ospf 1

passive-interface FastEthernet0/1

network <stuff>


ip local pool remote_vpn_pool

ip classless

ip route <external_isp_router>

ip route FastEthernet0/1


ip access-list extended ACL

permit gre host <local_ip> host <remote_ip>


access-list 101 permit esp any any

access-list 101 permit ahp any any

access-list 101 permit udp any eq isakmp any eq isakmp

access-list 101 deny ip any any


radius-server <stuff>


Re: Site-to-site and Client-to-site

Often times complex configuration issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit and to open a case with one of our TAC engineers, visit

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

CreatePlease login to create content