VPN with 2811 set-up and Cisco VPN Client

Unanswered Question
Jan 22nd, 2009

I am looking for the correct IOS to install on my 2811 so I can set up vpn groups, much like you would with a PIX for remote employees running the Cisco VPN Client software.

I have done this on a Pix 525 and 506e, but the company I work for today does not have a PIX, they employ a Juniper firewall and Juniper SSL device. I am creating a backdoor in the event the firewall dies and we cannot route internally remotely to gain cli access to bring the firewall back up. What I have to work with is a 2811 so any help would be appreciated.

kwillacey Thu, 01/22/2009 - 09:40

I think you need an Advanced Security or higher feature set for that.

pauloroque Thu, 01/22/2009 - 10:05


Do you just need the remote access VPN (RA VPN) feature, or do you really need to be able to create VPN groups/user profiles?

For RA VPN, I think you can use any security or advanced feature set. For the exact IOS matching your needs you can use the Feature Navigator Tool (www.cisco.com/go/fn).

There, search for the IPSec feature and drill down on your platform, release and memory needs.


Rick Morris Thu, 01/22/2009 - 10:12

I am basically trying to set up the same type of set-up on the 2811 that I would have done on the PIX525 by creating a vpn user group, assigning an address-pool and building an acl to allow access to the needed resources.

To mirror a replication of being on the network, with the ability to map drives, etc...

I have done this in a PIX just never on the router.

pauloroque Thu, 01/22/2009 - 10:40

Yes, it can be done. Use the Feature Navigator as I said to find the correct IOS. A sample config follows.



! the inside protected network
! 10.199.x.x/24 the public address
! It will use IOS local user database for authentication
! The group to be used in the Cisco VPN Client is VPNCLIENT-GRP the key is 'grevpn'

aaa new-model
aaa authentication login LOCAL-AUTH local
aaa authorization network LOCAL-AUTHOR local
aaa session-id common

username proque password 0 mypass

crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 hash md5

crypto isakmp client configuration group VPNCLIENT-GRP
 key grevpn
 domain youdomain.com.br

crypto ipsec transform-set ESP-AES-SHA-HMAC esp-aes esp-sha-hmac

crypto dynamic-map VPNCLIENT-DMAP 10
 set transform-set ESP-AES-SHA-HMAC

crypto map VPNCLIENT-MAP client authentication list LOCAL-AUTH
crypto map VPNCLIENT-MAP isakmp authorization list LOCAL-AUTHOR
crypto map VPNCLIENT-MAP client configuration address respond
crypto map VPNCLIENT-MAP 10 ipsec-isakmp dynamic VPNCLIENT-DMAP

interface FastEthernet0/0
 ip address

interface FastEthernet0/0.2
 ip address
 crypto map VPNCLIENT-MAP

ip local pool VPNCLIENT-POOL

ip access-list extended VPNCLIENT-SPLIT-ACL
 permit ip any
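
An added example, not part of the post above or of any Cisco tool: a short Python check that reads a config in `show running-config` layout (sub-commands indented under their parent) and flags the settings in the sample that weaken the tunnel: a type 0 (cleartext) user password, MD5 as the IKE hash, a Diffie-Hellman group below 2048 bits, and a short group pre-shared key. The function names and the 20-character key threshold are assumptions made for illustration.

```python
import re

# Excerpt of the sample config posted in the thread, in running-config layout.
SAMPLE = """\
aaa new-model
username proque password 0 mypass
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 hash md5
crypto isakmp client configuration group VPNCLIENT-GRP
 key grevpn
"""
MIN_KEY_LEN = 20  # assumption: local policy threshold, not a Cisco default


def sections(text):
    """Yield (parent, command); parent is None for top-level commands."""
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment lines
        if raw[0].isspace():
            yield parent, raw.strip()
        else:
            parent = raw.rstrip()
            yield None, parent


def audit(text):
    """Return a sorted list of (finding_id, offending_line) tuples."""
    findings = []
    for parent, cmd in sections(text):
        if parent is None:
            if re.match(r"username \S+ password 0 ", cmd):
                findings.append(("cleartext-password", cmd))
        elif parent.startswith("crypto isakmp policy"):
            if cmd == "hash md5":
                findings.append(("ike-md5", cmd))
            if re.fullmatch(r"group (1|2|5)", cmd):  # 768/1024/1536-bit MODP
                findings.append(("ike-weak-dh", cmd))
        elif parent.startswith("crypto isakmp client configuration group"):
            m = re.fullmatch(r"key (\S+)", cmd)
            if m and len(m.group(1)) < MIN_KEY_LEN:
                findings.append(("short-group-key", cmd))
    return sorted(findings)
```

Running `audit(SAMPLE)` reports all four findings; the same function can be pointed at a saved running-config before the VPN is exposed on the public interface.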

