06-07-2009 06:47 PM
All,
I have an 871W router that's configured for dynamic maps. The way that I have these configured is the crypto map is applied to the public interface, and I have a crypto isakmp profile for a group that the VPN client connects to from the outside; this works fine.
The problem comes in because I have multiple VLANs. I have one that is on the 10.20.1.0/24 subnet and I have another that's on the 192.168.100.0/24 subnet. On BOTH of these subnets, I have a device that needs to VPN into remote networks. The 192.168.100.0 subnet has a TMobile Hiport (Cisco/Linksys) device, and on the 10.20.1.0 I have a host that needs to remote into the office. On the router, I see where the remote site is trying to send an ISAKMP delete message, but the router is dropping that traffic because it doesn't see it as a valid session.
I can remove the crypto map from interface fa4 (public address), and everything works fine. I can't use virtual templates (which fixes this problem) because I have to be able to VPN into this router from remote, but I can't do it from behind an ASA because, for some reason, my router is sending traffic back on a different random port, different session to the ASA to try to establish the connection.
How can I get the VPN clients to work behind the router with the crypto map applied?
Thanks,
John
06-12-2009 06:43 PM
John:
Your scenario is a bit confusing. If I understand correctly, you have an 871 that is an EzVPN server. On the inside of the 871 you have two VLANs, each of which has a device / computer that needs to VPN outbound. The question is: do you have any connections being initiated from the outside to these devices? Or are these devices initiators only? If they are responders, then in the case that you are using crypto maps, you have two options:
1) Create a static NAT for those IPs
2) Use virtual-templates, but based on your post, I understand those work but you have an issue that isn't too clear.
Please can you possibly draw the topology out and paste in the configuration of the router, and expand on point #2 as well.
Thanks.