Hi Mike,
I found a doc that may explain what to do.
https://supportforums.cisco.com/docs/DOC-9671
So in addition to the UC540 being a static IP on the external firewall data vlan (with NAT rule from WAN to UC540), and the UC540 firewall turned off, and NAT turned off, and a VPN Server built on the UC540 with the credentials (Shared Secret and Group name) matching Cisco VPN Client and UC540 VPN Server, I think the external FW has to let the IPsec ports through too....
in the doc in a few scenarios I find this:
You need to ensure the following policies are applied to the firewall:
• If IPsec is used (for a multi-site data VPN and the Data LAN resides behind the UC500), make sure that the firewall allows access to the following ports and protocols:
  - IP Protocol ID 50, for both inbound and outbound filters. It should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
  - UDP Port 500, for both inbound and outbound filters. It should be set to allow ISAKMP traffic to be forwarded.
Steve
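A quick way to audit an external firewall's policy against the two requirements quoted above (ESP, IP protocol 50, and ISAKMP on UDP 500, each permitted both inbound and outbound). This is an added example, not code from the post or from Cisco's document; the `Rule` model, the rule set and the first-match-wins evaluation are simplifying assumptions, since a real firewall also matches on addresses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# What the quoted Cisco doc requires the firewall to pass, in both directions.
IPSEC_REQUIREMENTS = [
    ("esp", None),   # IP protocol 50 (ESP) has no port
    ("udp", 500),    # ISAKMP / IKE
]

@dataclass(frozen=True)
class Rule:
    """Hypothetical simplified firewall rule (assumption, not a vendor format)."""
    action: str          # "permit" or "deny"
    direction: str       # "in" (WAN -> UC540) or "out" (UC540 -> WAN)
    proto: str           # "esp", "udp", "tcp" or "ip" (any protocol)
    port: Optional[int]  # destination port for udp/tcp; None matches any

def rule_matches(rule: Rule, proto: str, port: Optional[int]) -> bool:
    if rule.proto == "ip":
        return True
    if rule.proto != proto:
        return False
    return rule.port is None or rule.port == port

def first_match(rules: List[Rule], direction: str, proto: str, port: Optional[int]) -> str:
    """First matching rule wins; an empty/unmatched list is an implicit deny."""
    for r in rules:
        if r.direction == direction and rule_matches(r, proto, port):
            return r.action
    return "deny"

def missing_ipsec_policies(rules: List[Rule]) -> List[Tuple[str, str, Optional[int]]]:
    """Return every (direction, proto, port) the policy fails to permit."""
    missing = []
    for direction in ("in", "out"):
        for proto, port in IPSEC_REQUIREMENTS:
            if first_match(rules, direction, proto, port) != "permit":
                missing.append((direction, proto, port))
    return missing

# Constructed rule set: inbound is complete, but outbound ESP was forgotten,
# a common cause of a tunnel that negotiates (IKE) yet passes no traffic.
SAMPLE_RULES = [
    Rule("permit", "in", "esp", None),
    Rule("permit", "in", "udp", 500),
    Rule("permit", "out", "udp", 500),
    Rule("deny", "in", "ip", None),
]

if __name__ == "__main__":
    for gap in missing_ipsec_policies(SAMPLE_RULES):
        print("missing permit:", gap)
```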