Cisco 891 Router & VPN Setup

Unanswered Question
Oct 13th, 2010

I've followed every wizard in the CCP program to set up a simple VPN so I can access my work network from home and nothing works. I am lost and out of ideas.

Can anyone give me a simple walkthrough on setting one up? I just want to be able to set up a connection in Windows that I can "connect" to from my home cable internet using a username/password that will allow me to access the network from home as if my computer was there at the office.

Do I need special software on the remote computer? I've seen people connect to VPNs just using the Windows VPN connection setup, I assume via IPsec?

Federico Coto F... Thu, 10/14/2010 - 12:41


You can connect using the VPN client software from Cisco using IPsec.

Or you can connect using windows native VPN client (PPTP or L2TP).

Which protocol are you trying and we can send you a link.


robert prentice Thu, 10/14/2010 - 14:01

I can't get any method to work, but I don't have any software from Cisco for the VPN, so let's assume Windows native VPN connection.

robert prentice Thu, 10/14/2010 - 17:34

I don't really see any answer at all. What I really need is to know what I need to set up on the router to allow for the connection to work.

I already know how to use the Windows native VPN client, I just need to get the router to accept VPN connections.

Federico Coto F... Thu, 10/14/2010 - 17:51

This is more or less how the configuration on the router goes:


hostname fifi

username l2tp-w2k password 0 ww
!--- This is the password for the Windows 2000 client.
!--- With AAA, the username and password can be offloaded to the external
!--- AAA server.

vpdn enable
!--- Activates VPDN.

vpdn-group l2tp-w2k
!--- This is the default L2TP VPDN group.
 accept-dialin
  protocol l2tp
  !--- This allows L2TP on this VPDN group.
  virtual-template 1
  !--- Use virtual-template 1 for the virtual-interface configuration.
 no l2tp tunnel authentication
 !--- The L2TP tunnel is not authenticated.
 !--- Tunnel authentication is not needed because the client will be
 !--- authenticated using PPP CHAP/PAP. Keep in mind that the client is the
 !--- only user of the tunnel, so client authentication is sufficient.

interface loopback 0
 ip address

interface Ethernet1/0
 ip address
 ip router isis
 duplex half
 tag-switching ip

interface Virtual-Template1
 !--- Virtual-Template interface specified in the vpdn-group configuration.
 ip unnumbered Loopback0
 peer default ip address pool pptp
 !--- IP address for the client obtained from IP pool named pptp (defined below).
 ppp authentication chap

ip local pool pptp
!--- This defines the "Internal" IP address pool (named pptp) for the client.

ip route


robert prentice Thu, 10/14/2010 - 19:40

I tried what you gave me and nothing works. Can you explain your IP schemes? They don't make sense. My IP pools as it stands for the VLANs I have are and And for example sake my outside IP is 192.168.


Federico Coto F... Fri, 10/15/2010 - 15:16

This link explains how to configure the router to accept IPsec VPN connections from a client:

The feature is called EzVPN server and you need the IPsec client installed on the client machine.

If you use the GUI, you should be able to configure the other VPN type (L2TP), I just don't seem to find a good link on the web for it.


bobbycornetto Wed, 11/10/2010 - 14:22

The following assumes that FastEthernet 0/1 is NAT outside and 0/0 is NAT inside.

From global config mode: (just add these lines to the ACL you already have on outside)

##Access list to permit IPSEC/ISAKMP packets.
ip access-list ex outside-interface-in
 permit udp any host eq isakmp
 permit udp any host eq non500-isakmp
 permit ahp any host
 permit esp any host

##Access list for split tunneling so that you can still access internet from your remote client while tunneled to work.
ip access-list ex SPLIT_TUNNEL
 permit ip any
 permit ip any

##Addresses assigned to remote access VPN clients.
ip local pool VPNPOOL

##If you already have login authentication and network authorization configured, just stick with what you have.
aaa authentication login LOCAL_AUTHEN local
aaa authorization network GROUP_AUTHOR local
username myvpnuser secret MYSECRETPASSWORD

int fa 0/1
 ip access-group outside-interface-in in

crypto isakmp enable
crypto isakmp policy 10
 hash sha
 auth pre
 group 5
 lifetime 86400
 encryption aes 256

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac

crypto isakmp client configuration group MYVPNGROUP
 wins ##whatever they are.

crypto dynamic-map MYDYNMAP 1
 set transform-set MYSET

crypto map MYMAP client authentication list LOCAL_AUTHEN
crypto map MYMAP isakmp authorization list GROUP_AUTHOR
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic MYDYNMAP

interface fa0/1
 crypto map MYMAP

I think that's pretty much it.

To set up the client, you need the group name (MYVPNGROUP), the outside address of your router, the key from the "crypto isakmp client" section, and your username and password. I highly recommend getting hold of the Cisco Easy VPN client, but this should work with the Windows client.
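
The configuration in the post above ties its pieces together by name (ACL, address pool, AAA lists, transform set, dynamic map, crypto map). As an added example that is not part of the original post, this Python script checks a pasted configuration for names that are referenced but never defined. The sample config is constructed: its pool addresses are documentation placeholders, and the `pool` line under the client group is an assumption, since that section of the post is incomplete.

```python
import re

RULES = [  # (kind, definition regex, reference regex); group 1 is the name
    ("acl", r"ip access-list (?:extended|standard) (\S+)", r"\s+ip access-group (\S+) (?:in|out)"),
    ("pool", r"ip local pool (\S+)", r"\s+pool (\S+)"),
    ("authen-list", r"aaa authentication login (\S+)", r"crypto map \S+ client authentication list (\S+)"),
    ("author-list", r"aaa authorization network (\S+)", r"crypto map \S+ isakmp authorization list (\S+)"),
    ("transform-set", r"crypto ipsec transform-set (\S+)", r"\s+set transform-set (\S+)"),
    ("dynamic-map", r"crypto dynamic-map (\S+) \d+", r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("crypto-map", r"crypto map (\S+) ", r"\s+crypto map (\S+)\s*$"),
]

def dangling_refs(config):
    """Return sorted (kind, name, line_no) for names referenced but never defined."""
    lines = config.splitlines()
    defined = {(kind, m.group(1)) for line in lines
               for kind, def_rx, _ in RULES if (m := re.match(def_rx, line))}
    found = []
    for no, line in enumerate(lines, 1):
        for kind, _, ref_rx in RULES:
            m = re.match(ref_rx, line)
            if m and (kind, m.group(1)) not in defined:
                found.append((kind, m.group(1), no))
    return sorted(found)

# Constructed sample using the names from the post; the group's pool name is
# deliberately misspelled (VPN_POOL vs VPNPOOL). Addresses are placeholders.
SAMPLE = """\
ip access-list extended outside-interface-in
ip local pool VPNPOOL 203.0.113.10 203.0.113.20
aaa authentication login LOCAL_AUTHEN local
aaa authorization network GROUP_AUTHOR local
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto isakmp client configuration group MYVPNGROUP
 pool VPN_POOL
crypto dynamic-map MYDYNMAP 1
 set transform-set MYSET
crypto map MYMAP client authentication list LOCAL_AUTHEN
crypto map MYMAP isakmp authorization list GROUP_AUTHOR
crypto map MYMAP 10 ipsec-isakmp dynamic MYDYNMAP
interface FastEthernet0/1
 ip access-group outside-interface-in in
 crypto map MYMAP
"""

if __name__ == "__main__":
    for kind, name, no in dangling_refs(SAMPLE):
        print(f"line {no}: {kind} '{name}' is referenced but not defined")
```

The patterns expect full keywords and named objects, so expand abbreviations such as `ex` or `int fa` (for example by pasting from `show running-config`) before checking.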

