Cisco Support Community

New Member

831/871W router question

We are trying to deploy 831s or 871s as a work from home solution using VPN. The basic setup works great as far as setting up easyvpn and having the switch ports on the router connect back to the corporate network. Is it possible, however, to set up one of the switch ports to bypass the tunnel and have unrestricted access to the internet? The basic layout would be the DSL/Cable modem would connect to the WAN port on the 831 or 871. Then, we would like to have one switch port connect to their "home" unrestricted network so that if they are using a corporate computer, they go through the corporate network, but if they are using a personal computer, it has unrestricted access to the internet. Is this scenario a possibility? I haven't been able to find any documentation on this kind of setup. Not sure that the DMZ setup is what I am looking for. Can't find any documentation on setting up a virtual template and assigning ports to it. I know that the 831 and 871 are different architecturally and configuration-wise, but at this point, I'm mostly looking for a very basic answer. Any help would be greatly appreciated.

New Member

Re: 831/871W router question

Have you considered simply placing the 831/871 behind a DSL/Cable router? Typically most home users already have a DSL/Cable router. The only downside is you are NAT'ing IPSEC traffic. I would not recommend IPSEC over NAT for a large office deployment but it works great for a home user.

I had an 831 configured for easyvpn behind my linksys for a year or so with zero issues. I eventually upgraded my Linksys to an 831 acting as a simple cable firewall router. I also had zero issues with the easyvpn 831 behind the cable firewall 831 router.

This also makes it easier on the user. If their PC is plugged into their DSL/Cable router, they have unrestricted access to the Internet. If their PC is plugged into the 831, they are on the corporate network.

If you only wanted to use the 831/871, then you could configure split tunneling. All traffic destined for the Internet would not go through the crypto tunnel. Most security teams would frown upon split tunnels for obvious reasons.

New Member

Re: 831/871W router question

I was able to get the DMZ to work as my internal home network. Just had to use NAT to translate my home network to the internet.

New Member

Re: 831/871W router question

You need to create a separate VLAN on your 871.

VLAN 1 - corporate network

VLAN 2 - home network

VLAN 2 will have a different IP, and the ACL will not include it in VPN traffic.

Basic IOS on 871 doesn't support many VLANs.

You need to update the IOS.
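
The two-VLAN layout described in the reply above, written out as an added example (not posted by anyone in this thread). The profile name, ACL names, subnets, the choice of FastEthernet3 as the home port, and the `<...>` placeholders are all assumptions; FastEthernet4 is the 871's WAN port.

```cisco
! Constructed example: names, subnets and port choice are placeholders.
! VLAN 2 must already exist in the router's VLAN database; how it is
! created depends on the IOS release in use.
!
crypto ipsec client ezvpn CORP-EZVPN
 connect auto
 group <group-name> key <group-key>
 mode network-extension
 peer <headend-address>
!
interface FastEthernet3
 description Home port (personal PC), not part of the tunnel
 switchport access vlan 2
!
interface FastEthernet4
 description WAN to DSL/cable modem
 ip address dhcp
 ip nat outside
 crypto ipsec client ezvpn CORP-EZVPN outside
!
interface Vlan1
 description Corporate LAN (remaining switch ports)
 ip address 10.10.10.1 255.255.255.0
 ! Only interfaces marked "inside" have their traffic sent through EzVPN
 crypto ipsec client ezvpn CORP-EZVPN inside
!
interface Vlan2
 description Home LAN, NATed straight to the Internet
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ! Keep personal machines from routing into the corporate VLAN locally
 ip access-group HOME-IN in
!
ip nat inside source list HOME-NAT interface FastEthernet4 overload
!
ip access-list standard HOME-NAT
 permit 192.168.50.0 0.0.0.255
!
ip access-list extended HOME-IN
 deny   ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
```

Because Vlan2 is not an EzVPN inside interface, corporate hosts on Vlan1 keep whatever tunnel policy the head end pushes; the inbound ACL is what stops the router from routing between the two VLANs.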

New Member

Re: 831/871W router question

Yep. We discovered that we had to upgrade the IOS to make lots of things work.