Connect to Cisco 851 with Cisco VPN Client

A few years ago I had several requests for secure remote access using the Cisco VPN client and the Cisco 800 series routers. The following configuration is what I've been using ever since. It can be used on a number of Cisco routers, from the 2600 to the more recent 1800 series. Below is an abbreviated config from a Cisco 851 router in use on a home office network. I configured the basic settings through the SDM GUI, then completed the rest from the command line. My comments are marked by an arrow (-->).


851w#sh run
Building configuration...

Current configuration : 6999 bytes
!
version 12.4
no service pad
!
hostname 851w
!
enable secret 5 $1$xNG.$PzxUQYsWHQuhgLFVgKJjG.
!
aaa new-model
!
aaa authentication login remoteusers local
aaa authorization network remotegroup local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -10
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.18.1 192.168.18.9
ip dhcp excluded-address 192.168.18.101 192.168.18.254
!
ip dhcp pool sdm-pool1 --> Remove if you already have a DHCP server on your network
   import all
   network 192.168.18.0 255.255.255.0
   dns-server 216.136.57.90 168.215.210.50
   default-router 192.168.18.1
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 216.136.57.90 --> Change to internal DNS server if you're running one
ip name-server 168.215.210.50 --> Change to internal DNS server if you're running one
ip ssh time-out 60
ip ssh authentication-retries 2
!
username admin privilege 15 secret 5 $1$R9E.$4wiw3l2oUU7HPQ9uMEonF1
--> Create accounts for your VPN users here
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool --> Create your VPN client DHCP pool first
!
crypto isakmp client configuration group remotegroup --> this is the group name for the client
 key yourkeyhere --> this will be your group password for the client
 dns 4.2.2.3 --> use your internal network DNS server if you have one
 domain yourdomain.com --> Enter internal domain
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ** Outside Interface **
 ip address dhcp hostname 851w --> If your connection is static, then that's your VPN client host entry
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap --> Please be sure to include this line
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid CiscoAP
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 14141B180F0B7B7977
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.18.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool dynpool 192.168.25.1 192.168.25.5 --> DHCP pool for VPN clients
ip classless
ip route 0.0.0.0 0.0.0.0 66.193.144.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 101 remark ** Permit Inbound IPSEC Traffic **
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Deny netbios from the internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 remark ** ICMP filter **
access-list 101 deny   icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny   ip 192.168.18.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.18.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

851w#

1 Comment

I used this guide on a 871.
VPN works but I can't access anything on the network.

Any tips?
