As network engineers, many of us spend lots of time on the road. On nights not spent working on the install, a quiet hotel room can be a great place to study. In a previous post, you learned how to configure your Cisco router for dynamic DNS. This post will show you how to configure a remote access VPN on a Cisco router so you can reach your home lab remotely.




Basic Cisco VPN Client Configuration

The first part covers the basic remote access VPN configuration. All traffic from your PC will be encrypted, and only traffic between the PC and the home network (10.10.10.x) is carried; the PC will not have internet access. This initial configuration also assumes the router being configured is currently a basic internet router with NAT and a firewall already configured.

  • Configure a username and AAA
  • Configure encryption parameters
  • Configure policy-based NAT to disable NAT for VPN traffic
  • Configure the firewall ACL to permit the encryption protocols


! Local user (XAUTH) and the AAA lists the crypto map references
username josh password blindhog1@

aaa authentication login AAA-VPN local
aaa authorization network AAA-VPN local

! Address pool assigned to VPN clients
ip local pool VPNALLPOOL

! Client group and its pre-shared key
crypto isakmp client configuration group vpnall
  key blindhog1@

! Phase 1 (ISAKMP) policy
crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2

! Phase 2 (IPsec) transform set
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

! Dynamic crypto map, since client source addresses are not known in advance
crypto dynamic-map dynmap 10
  set transform-set 3des-sha

crypto map vpn 10 ipsec-isakmp dynamic dynmap
crypto map vpn client configuration address respond
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN

! Apply the crypto map to the outside interface
interface f0/1
  description *** Outside ***
  crypto map vpn

! Policy NAT: deny NAT for LAN-to-VPN-client traffic, NAT everything else
ip access-list extended ACL-POLICY-NAT
  deny ip
  permit ip any

route-map RM-POLICY-NAT permit 10
  match ip address ACL-POLICY-NAT

! Replace the plain NAT statement with the route-map based one
no ip nat inside source list 10 interface f0/1 overload
ip nat inside source route-map RM-POLICY-NAT interface f0/1 overload

! Firewall ACL: allow ESP, NAT-T (UDP 4500) and IKE (UDP 500) in from the internet
ip access-list extended acl_firewall
  11 permit esp any any
  12 permit udp any any eq 4500
  13 permit udp any any eq 500

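Reading the configuration above as a reviewer: the following Python script, added here and not part of the original post or of any Cisco tool, scans an IOS Easy VPN snippet for the choices a reviewer would flag (reversible 'password' storage, the 3DES/SHA-1/DH group 2 ISAKMP policy, the group key reused as a user password) and confirms the three firewall ACL entries are present. The sample config is constructed from the lines above; the table of weak settings is this script's own assumption.

```python
# Added example, not from the post: audit the ISAKMP, user and firewall lines of an
# IOS Easy VPN server config. SAMPLE_CONFIG is constructed from the post's own lines;
# WEAK encodes current hardening guidance, an assumption of this script.
import re

SAMPLE_CONFIG = """\
username josh password blindhog1@
crypto isakmp client configuration group vpnall
  key blindhog1@
crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
ip access-list extended acl_firewall
  11 permit esp any any
  12 permit udp any any eq 4500
  13 permit udp any any eq 500
"""

# ISAKMP policy values treated as weak today (a bare 'sha' is SHA-1, group 2 is 1024-bit DH).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
# Firewall ACL entries the post adds so IKE and ESP can reach the router.
REQUIRED_ACL = {"esp": r"permit esp ", "udp/500": r"permit udp .*eq 500$",
                "udp/4500": r"permit udp .*eq 4500$"}

def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, shared, seen_acl, section = [], {}, set(), ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                 # top-level command starts a new section
            section = line
            m = re.match(r"username (\S+) password (\S+)", line)
            if m:                                   # 'password' is reversible, 'secret' is hashed
                findings.append(f"user {m.group(1)}: 'password' is stored reversibly; use 'secret'")
                shared.setdefault(m.group(2), []).append(f"user {m.group(1)}")
            continue
        kw, _, val = line.partition(" ")
        if section.startswith("crypto isakmp policy") and val in WEAK.get(kw, ()):
            findings.append(f"{section}: weak {kw} {val}")
        elif section.startswith("crypto isakmp client configuration group") and kw == "key":
            shared.setdefault(val, []).append(f"{section.split()[-1]} group key")
        elif section.startswith("ip access-list"):
            seen_acl.update(n for n, p in REQUIRED_ACL.items() if re.search(p, line))
    findings += [f"firewall ACL does not permit {n}" for n in REQUIRED_ACL if n not in seen_acl]
    findings += ["same secret reused for " + " and ".join(u) for u in shared.values() if len(u) > 1]
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the five findings for the post's config; a config using `secret`, AES, SHA-256 and DH group 14 with a distinct group key comes back empty.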


Provide Internet access through the router


Providing internet access through the VPN requires a little trick. The traffic is policy routed on the outside interface … around the loopback interface, through NAT and back out to the internet.


If the traffic is from a VPN client IP address and destined for a LAN address, it is forwarded unaltered.


If the traffic is from a VPN client IP address and destined for an IP address not on the local area network, it is policy routed to an IP address in the same subnet as the loopback interface, through the loopback interface and out to the internet. It is important that the ‘set ip next-hop’ command in the route-map not point at the loopback interface itself. It must be a different IP address on the same subnet as the loopback interface.


An entry must also be added to the policy NAT access-list to NAT traffic from the VPN clients.





! Loopback that VPN-client internet traffic is hairpinned through; it is a NAT inside interface
interface Loopback 0
  ip address
  ip nat inside

! Match VPN-client traffic that is NOT destined for the LAN
ip access-list extended ACL-OUTSIDE-PBR
  deny ip
  permit ip any

! The next hop must be another address on the loopback subnet, not the loopback itself
route-map RM-OUTSIDE-PBR permit 10
  match ip address ACL-OUTSIDE-PBR
  set ip next-hop

! Policy routing is applied on the outside interface, where the decrypted client traffic enters
interface FastEthernet 0/1
  ip policy route-map RM-OUTSIDE-PBR

! NAT the VPN-client traffic that is heading to the internet
ip access-list extended ACL-POLICY-NAT
  permit ip any


Add another VPN group for split tunneling


On my personal internet router, I have two VPN groups: one that routes all traffic through my router and then to the internet, and another for split tunneling. If you are not familiar with split tunneling … it only encrypts traffic destined for the LAN behind the VPN router. All other traffic is sent directly to the internet without encryption. I also create two VPN entries in my Cisco VPN client, one for each group, so I can easily choose how I would like to connect.


I think it is best to use different subnets for each VPN group … one for the VPN group encrypting all traffic and another for split tunneling. The commands below add an entry to the policy-based NAT access-list to prevent NAT for traffic between the LAN and the VPN clients.


The ‘SPLIT-TUNNEL’ access-list defines what traffic should be encrypted: only traffic between the VPN client IP addresses and the LAN IP addresses. The ‘ip local pool’ and client group configurations are identical to the VPN group above, with the exception of the ‘acl’ command that references the ‘SPLIT-TUNNEL’ access-list.





! Do not NAT traffic between the LAN and the split-tunnel client pool
ip access-list extended ACL-POLICY-NAT
  9 deny

! Only traffic between the VPN clients and the LAN is encrypted
ip access-list extended SPLIT-TUNNEL
  permit ip

! Separate address pool for the split-tunnel group
ip local pool VPNSPLITPOOL

! Same as the vpnall group, plus the 'acl' command referencing SPLIT-TUNNEL
crypto isakmp client configuration group vpnsplit
  key blindhog1@



Having a home VPN router is cheap enough. 1711 VPN routers sell for as little as $50. Go on eBay or contact a used Cisco dealer. I use Douglas King (Myriad Supply) or Matt Freeman (Express Computer Systems).

Disclaimer: I was not paid to endorse Douglas or Matt. They have just been very good to work with in the past.
