VPN on 877w router - Where to start

Apr 15th, 2007

Hi all,

I am very new to Cisco and hope you could give some advice. Our office uses a Cisco 877W via an ADSL2+ connection. Wireless, DHCP, firewall are working ok. We have a Windows 2003 Server as a file server. The boss wants to VPN from home to access the files. I have used SDM to try to set up VPN, then used VPN Client to test from home, but it didn't work. My questions are:

1. I believe the 877w router supports Easy VPN server. Do I need to set the Windows 2003 Server as a VPN server?

2. Is there a step-by-step official instruction to do this? I read the manual but I don't know how to customise those instructions for our case.

3. There is a D-link at the other side (i.e. at home). Do I need to set up port-forwarding or anything like that?

Thank you,


haroon.shaikh Mon, 04/16/2007 - 13:14

Greetings Triet,

First of all, you need to have a Static IP on your ADSL connection to create a VPN.

Second, it would be a good idea to configure VPN on the Cisco router rather than on Windows Server, because you need to know a hell of a lot of details about port forwarding, which is as tricky as configuring VPN on the router.

Third, look at the below link for instructions on how to configure Cisco Router as VPN server:


D-Link at your boss's home should work fine, let me know.

Also, don't forget to rate this post if you find it helpful....



trietgiang Tue, 04/17/2007 - 15:43

Thank you Haroon,

I have followed the instructions, and the connection seems to be working fine. I can get an IP address from the VPN server, and I can ping the router IP addresses (both internal and external-WAN address). Other than that, I can't do anything else. Please find the statistics windows attached.

I tried the following:

- ping to a server in the office - FAIL

- ping www.cisco.com - FAIL

- ping to an external DNS - FAIL

- ipconfig /all shows that DHCP is disabled in the Cisco VPN Adapter

- the number of encrypted packets is much higher compared to the decrypted. When I continuously ping the router IP, the number of decrypted gets higher.

Could you please give some advice?

Thank you,


haroon.shaikh Tue, 04/17/2007 - 15:47

Can you post the config?

Also, please copy the config from the console window and post it, because the config copied from the router's memory is not properly readable.

haroon.shaikh Tue, 04/17/2007 - 16:18

Enter the following commands and check it out:

config terminal

no access-list 100

access-list 100 remark Access list for NAT Traffic

access-list 100 deny ip

access-list 100 permit ip any any

no ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip nat inside source list 100 interface Dialer0 overload

This should prevent traffic between VPN clients and internal LAN from NATing.

Also, make sure the default gateway of internal LAN systems is set to (internal ip of router)

* Rate this post if it helps
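
An added example (not part of the original post, and not Cisco's code): a small Python check of the first-match logic behind the NAT access list above, showing that the deny entry must cover LAN-to-VPN-pool traffic and sit before permit ip any any. The 192.168.10.0/24 LAN and 192.168.50.0/24 VPN pool are constructed values; the thread's real addresses are not shown.

```python
import ipaddress

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC DST' -> (action, src_net, dst_net).
    SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only).
    Remarks and incomplete entries return None."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        return None
    rest, nets = tok[4:], []
    while rest and len(nets) < 2:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host" and len(rest) >= 2:
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        elif len(rest) >= 2:
            # ipaddress reads a mask starting with 0 as a wildcard (host) mask;
            # an all-zero wildcard means "exactly this host", so map it to /32.
            mask = "32" if rest[1] == "0.0.0.0" else rest[1]
            nets.append(ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False))
            rest = rest[2:]
        else:
            return None
    return (tok[2], nets[0], nets[1]) if len(nets) == 2 else None

def is_natted(acl_lines, src, dst):
    """True if a packet src -> dst is selected for NAT by the list (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        entry = parse_entry(line)
        if entry and s in entry[1] and d in entry[2]:
            return entry[0] == "permit"
    return False  # implicit deny at the end of every access list

# Constructed sample lists: LAN 192.168.10.0/24, VPN pool 192.168.50.0/24.
DENY = "access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255"
PERMIT_ONLY = ["access-list 100 remark Access list for NAT Traffic",
               "access-list 100 permit ip any any"]
EXEMPT = [PERMIT_ONLY[0], DENY, PERMIT_ONLY[1]]
WRONG_ORDER = [PERMIT_ONLY[0], PERMIT_ONLY[1], DENY]

if __name__ == "__main__":
    for name, acl in (("permit only", PERMIT_ONLY), ("exempt", EXEMPT), ("wrong order", WRONG_ORDER)):
        print(name, "-> server reply to VPN client NATed:", is_natted(acl, "192.168.10.20", "192.168.50.5"))
```

Replies from a LAN host to a VPN client that come out as NATed here would leave the router with the Dialer0 address as source, which is why the client sees no answer from the file server.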

trietgiang Tue, 04/17/2007 - 16:54

Thank you, Haroon.

I have made the changes but I have to go home to test it out. By the way, can I stay inside the LAN and VPN back into itself? If it is possible, I can test it out now. I use Cisco VPN Client to connect, it says "Contacting the security gateway at xx.xx.xx.xx...." then disconnects. While at home, it is ok.

You are right about the default gateway: when I did ipconfig, the default gateway and the IP address (assigned by the VPN server) were the same. I don't know where I can change it. Also, if the PC address is in the 10.1.2.x subnet, will it accept the default gateway of

Thank you.


haroon.shaikh Tue, 04/17/2007 - 17:00

I think you might have to go home and check it out.

But you don't have to change anything on the VPN client. You have to change the default ip address of the clients behind the router (at office) to (I believe they are wireless users).

Regarding VPN clients, your ip address and default gateway will be the same after you connect to VPN server. That is correct.

trietgiang Tue, 04/17/2007 - 17:09

I will let you know as soon as I try it.

Yes, I have checked default gateway in the clients at the office, they are all

Thanks again,


trietgiang Wed, 04/18/2007 - 15:20

Hi Haroon,

The problem is still there. I can connect to the VPN Server (i.e. router) but I can not do anything else, neither surf the net nor connect to the file server. What do you think I should try please? Thank you.


haroon.shaikh Wed, 04/18/2007 - 15:47


I have attached the configuration file.

Black Text - Don't change

Red Text - Remove the config lines

Blue Text - Remove them temporarily

And try the vpn configuration again using SDM

Make sure you configure with below settings:

VPN pool: -

Local LAN:

You might also need to set your nat statements as:

ip nat inside source list 100 interface Dialer0 overload

access-list 100 remark Access list for NAT Traffic

access-list 100 deny ip

access-list 100 permit ip any any

* Please rate this post if it's helpful

trietgiang Mon, 04/23/2007 - 15:08

Hi Haroon,

Sorry for the late reply, I was busy because our office installs a VoIP system.

I have made the changes for the VPN as instructed. I can now access local resources (SDM, file sharing and applications on server). However, the Internet access does not work. When I ping, it only resolves from name to IP address and times out.

When copying the config to post here, the command "copy run tftp" did not work, it times out. I think one of the ACL prevents it.

Another question: can I ping from Cisco CLI? I issued ping command to a local IP and an Internet IP, none works.

Geez, it is getting weirder :(

Thank you for your help.


trietgiang Wed, 04/25/2007 - 18:02

Hi Haroon,

Everything is working well now. I did not change anything in the router, maybe the firewall in my laptop blocks it.

Thank you for your help.


