Cisco Support Community
New Member

Cisco 877 VPN access to devices behind the router

Dear Experts,

I have a Cisco 877-SEC-K9 router and I have set up VPN access on this device. I am able to connect to the VPN but I can't ping any of the devices behind the 877 router. The only thing I can ping is the gateway. However, the reply source that I get is the outside IP address of the device. What should I be looking at to help isolate the cause? I also can't access the internet of the 877 router after I have connected to the VPN.

Thanks in advance.

This is the VPN configuration that I have on my device:

aaa new-model

aaa authentication login userauthen group local
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group VPNREMOTE
key xxxxx
domain sbp.local
pool ippool

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

ip local pool ippool

!--- Apply the crypto map on the outside interface.
interface dialer 0
crypto map clientmap

Cisco Employee

Re: Cisco 877 VPN access to devices behind the router

The ip pool subnet needs to be in different subnet than the LAN/internal subnet if you currently have it configured in the same subnet (

And secondly, you would need to configure NAT exemption for that VPN traffic.

Hope that helps.

New Member

Re: Cisco 877 VPN access to devices behind the router

Hi Jennifer,

Thanks for the reply. So does that mean I need to create a loopback interface to act as the gateway?

So for example my current internal LAN IP address is the network and I create a separate network

and also for the nat exemption would it be a matter of creating an access list like the following and set nat to 0

access-list remotevpn permit ip

and then

nat 0 access-list remotevpn?

Thanks so much in advance.


Cisco Employee

Re: Cisco 877 VPN access to devices behind the router

No, you don't have to create loopback interface. Just create a new ip pool in different subnet than your internal network.

So from your example, if your internal network is then ip pool of is fine.

You would already have a "ip nat inside source" statement and that statement would either have route-map or access-list assigned to it, right?

On that access-list (needs to be extended ACL if you have standard ACL), it needs to have a deny statement on top of the permit statement:

access-list deny ip

access-list permit ip any
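
An offline check of the two points in the answer above (VPN pool outside the LAN subnet, deny entry above the permit in the NAT ACL), as an added example that is not part of the thread and not Cisco tooling. The addresses and the contents of ACL 102 are constructed, and the parser is an assumption that handles only `access-list N permit|deny ip ...` lines with contiguous wildcards.

```python
import ipaddress

def _take(tok):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # ipaddress accepts a contiguous wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(config, acl_id):
    """Return [(action, src_net, dst_net)] for 'ip' entries of one extended ACL, in order."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_id] or len(t) < 6:
            continue
        if t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remarks and non-ip entries are ignored
        src, rest = _take(t[4:])
        dst, _ = _take(rest)
        entries.append((t[2], src, dst))
    return entries

def nat_decision(entries, src_ip, dst_ip):
    """First match wins. 'permit' = translated, 'deny' = exempt from NAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"  # implicit deny at the end of every ACL

def pool_overlaps_lan(first, last, lan):
    """True if either end of the VPN pool range falls inside the LAN subnet."""
    net = ipaddress.ip_network(lan)
    return any(ipaddress.ip_address(a) in net for a in (first, last))

# Constructed sample configs: LAN 10.10.10.0/24, VPN pool 10.10.20.1-10.10.20.20
WRONG_ORDER = """
access-list 102 remark NAT ACL
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
"""
DENY_FIRST = """
access-list 102 remark NAT ACL
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for name, cfg in (("wrong order", WRONG_ORDER), ("deny first", DENY_FIRST)):
        print(name, nat_decision(parse_acl(cfg, "102"), "10.10.10.5", "10.10.20.3"))
```

With the permit first, traffic from the LAN host to the VPN client is still translated, so the deny entry below it is never reached.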

New Member

Re: Cisco 877 VPN access to devices behind the router

So this is what I have in my router but still no luck with pinging from the remote client with ip address to a device behind the 877 on

I can ping from the router the and the

ip local pool ippool
ip forward-protocol nd
ip route Dialer0 2

ip nat inside source list 1 pool overload overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 1 permit
access-list 2 deny   any
access-list 102 remark Controlled Access (if VPN in place)
access-list 102 permit ip any
access-list 102 deny   ip
access-list 102 permit ip any

route-map SDM_RMAP_1 permit 1
match ip address 102

New Member

Re: Cisco 877 VPN access to devices behind the router

Hi all,

I have seen a couple of posts similar to mine all over the net and some in the forums and this is what I did to get my VPN communication behind the device.

On the outside interface add:

no ip proxy-arp


interface Virtual-Template1 type tunnel
description VPN
ip unnumbered
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1

Had this -

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

added this:

crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1

Make sure you have all of this:

crypto isakmp client configuration group
pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
match identity group 

client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1

The client authen and isakmp author need to map to

aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local

Then that should be it.
