
VPN strangeness


I have an 871W router that's configured for dynamic maps. The way that I have these configured is the crypto map is applied to the public interface, and I have a crypto isakmp profile for a group that the VPN client connects to from the outside; this works fine.

The problem comes in because I have multiple VLANs. I have one that is on the subnet and I have another that's on subnet. On BOTH of these subnets, I have a device that needs to VPN into remote networks. The subnet has a TMobile Hiport (Cisco/Linksys) device, and on the I have a host that needs to remote into the office. On the router, I see where the remote site is trying to send an ISAKMP delete message, but the router is dropping that traffic because it doesn't see it as a valid session.

I can remove the crypto map from interface fa4 (public address), and everything works fine. I can't use virtual templates (which fixes this problem) because I have to be able to VPN into this router from remote, but I can't do it from behind an ASA because, for some reason, my router is sending traffic back on a different random port, different session to the ASA to try to establish the connection.

How can I get the VPN clients to work behind the router with the crypto map applied?



HTH, John *** Please rate all useful posts ***
Cisco Employee

Re: VPN strangeness


Your scenario is a bit confusing. If I understand correctly, you have an 871 that is an EzVPN server. On the inside of the 871 you have two VLANs, each of which has a device / computer that needs to VPN outbound. The question is: do you have any connections being initiated from the outside to these devices? Or are these devices initiators only? If they are responders, then in the case that you are using crypto maps, you have two options:

1) Create a static NAT for those IPs

2) Use virtual-templates, but based on your post, I understand those work but you have an issue that isn't too clear.

Please can you possibly draw the topology out and paste in the configuration of the router, and expand on point #2 as well.

