I have an 871W router that's configured for dynamic maps. The way that I have these configured is the crypto map is applied to the public interface, and I have a crypto isakmp profile for a group that the vpn client connects to from the outside; this works fine.
The problem comes in because I have multiple vlans. I have one that is on the 10.20.1.0/24 subnet and I have another that's on 192.168.100.0/24 subnet. On BOTH of these subnets, I have a device that needs to vpn into remote networks. The 192.168.100.0 subnet has a TMobile Hiport (Cisco/Linksys) device, and on the 10.20.1.0 I have a host that needs to remote into the office. On the router, I see where the remote site is trying to send a isakmp delete message, but the router is dropping that traffic because it doesn't see it as a valid session.
I can remote the crypto map from interface fa4 (public address), and everything works fine. I can't use virtual templates (which fixes this problem) because I have to be able to vpn into this router from remote, but I can't do it from behind an ASA because, for some reason, my router is sending traffic back on a different random port, different session to the ASA to try to establish the connection.
How can I get the vpn clients to work behind the router with the crypto map applied?
Your scenario is a bit confusing. If I understand correctly, you have an 871 that is an EzVPN server. On the inside of the 871 you have two VLANs, each of which has a device / computer that needs to VPN outbound. The question is: do you have any connections being initiated from the outside to these devices? Or are these devices initiators only? If they are responders, then in the case that you are using crypto maps, you have two options:
1) Create a static NAT for those IP's
2) Use virtual-templates, but based on your post, I understand those work but you have an issue that isn't too clear.
Please can you possibly draw the topology out and paste in the configuration of the router, and expand on point #2 as well.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...