VPN access from Internet to Home through 891f to a NAS on an inside 2nd Router.

fbeye (Level 4)

I have an 891f w/ static IPs... One of the static IPs is going to my internal WiFi router, which has a subnet (192.168.x.x) with a NAS server on it.

Because of security, and since my Cisco is the Internet-facing router, I wanted it to be the one controlling the VPN.

I want to be able to access that NAS via VPN from anyplace... I do prefer to keep my NAS within the internal WiFi router, as it is connected via VPN for privacy reasons, so I don't want to move the NAS to the Cisco (free remaining static IP) because the 891f does not support the VPN I use to stay private on the Internet.

Long story short: even though the NAS is on another router inside the network, can I access it via VPN through the Cisco and still get to the internal device?

 

Cisco Router Gateway - 0.0.0.182

TPLink WiFi Router - 0.0.0.176 (from the block of ips given by Gateway)

NAS - 192.168.0.55

 


Francesco Molino (VIP Alumni)
Hi

Sorry, I'm not sure I understood all of it.
The VPN you configured is on the Cisco 891?
Anyway, if you can VPN to your network, and if your routing and NAT exemption are done correctly, you can access any device on your inside network.
If you have a hard time accessing your NAS and your VPN is on the Cisco router, please share your config and a quick sketch. We'll then be able to help you on the config side.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

What I was wanting was to be able to connect to my home network from anywhere via VPN.

8 static IPs w/ 5 usable... No NAT, as each device has its own IP.

Currently my NAS is in my 192.168.X.X LAN through my WiFi router, which has its own static IP (.176), behind a VPN for privacy.

My hope was to be able to access my NAS from anyplace through a VPN, but my question was: am I able to access the LAN NAS if it's going through 2 routers?

I need it behind the WiFi router because it has OpenVPN, which I use... And my 891f is unable to use the protocols I need to connect.

Thanks for the sketch, it helps.

OK, as I said, when connecting to the VPN you can access any device, no matter where it's connected; it's just a matter of good routing and NAT.

 

Based on your design:

- If you're doing split-tunnel, you will need to advertise the NAS subnet or IP.

- On your Cisco router, you'll need to configure NAT exemption from your VPN subnet to your NAS subnet or IP.

- On the Cisco router, you'll need to have a route going to your wireless router to access your NAS device.

- Add a route on your wireless router going to your Cisco router to access the VPN subnet.

Is that clearer?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

It sure is!

Now I will do some research on how to implement this.

Thank you very much .

If you give the IP addresses of your Cisco router, wireless router, VPN IP pool and NAS, and share your Cisco router config, I would be able to help you with routing and NAT.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That would be awesome; I tell ya, this community is the most helpful. I'm amazed.

Here is my current setup: the NAS is using a LAN address of 192.168.0.189 255.255.255.0 through the WiFi router, which has the 207.108.121.176 static IP.

I think really my only intent would be to be able to access that NAS and have Internet access through the VPN.

 

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
username <username> privilege 15 password 0 <password>
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description TPLink Wireless
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet1
 description Email Server
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description PPPoE xDSL WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 ip address 207.108.121.182 255.255.255.248
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 description PPPoE xDSL WAN Dialer
 ip address negotiated
 no ip unreachables
 ip mtu 1460
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <username>
 ppp chap password 0 <password>
 ppp pap sent-username <username> password 0 <password>
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip host 207.108.121.176 any
 permit ip host 207.108.121.177 any
 permit ip host 207.108.121.178 any
 permit ip host 207.108.121.179 any
 permit ip host 207.108.121.180 any
 permit ip host 207.108.121.181 any
 permit ip host 207.108.121.182 any
 permit tcp host 207.108.121.180 any eq smtp
 permit tcp host 207.108.121.180 any eq 993
 permit udp host 207.108.121.177 any eq domain
 permit udp host 207.108.121.180 any eq domain
 permit udp host 207.108.121.182 any eq domain
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any host 207.108.121.176
 permit icmp any host 207.108.121.177
 permit icmp any host 207.108.121.178
 permit icmp any host 207.108.121.179
 permit icmp any host 207.108.121.180
 permit icmp any host 207.108.121.181
 permit icmp any host 207.108.121.182
 permit udp any host 207.108.121.180 eq domain
 permit udp any host 207.108.121.177 eq domain
 permit udp any host 207.108.121.182 eq domain
 permit tcp any host 207.108.121.180 eq 993
 permit tcp any host 207.108.121.180 eq smtp
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 exec-timeout 5 30
 password <password>
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 password <password>
 transport input all
!
scheduler allocate 20000 1000
!
end

You don't have any VPN client configured right now.
You want a config for the VPN client and the rest, to access your NAS?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The Cisco would be running a server, right? I would only be using a client "off-site".

Currently I have nothing running because I was unsure if I could do what I wanted through the Cisco or just enable it on my WiFi router.

This more or less was just to be able to access my NAS and stream / retrieve from a remote location.
The client(s) would be using either Cisco AnyConnect on my tablets or a Windows desktop.

Yes, the Cisco would be the server.

However, to run AnyConnect on mobile you will need a license, and also for laptops.
In case you purchase these licenses, here is a link on how to configure it:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html

Here is a config for a standard IPsec connection:

 

username vpnuser secret PasswordVPN
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp client configuration address-pool local POOLVPN
!
crypto isakmp client configuration group EzVPN
 key XXXXXXX --> PSK for VPN group
 dns 8.8.8.8 --> your DNS server
 domain test.test --> your domain name (DNS suffix)
 pool POOLVPN
 acl 150 --> ACL to allow traffic when connected to VPN
 netmask 255.255.255.0 --> netmask of your pool
!
crypto isakmp profile EzVPN-PROFILE
 match identity group EzVPN
 client authentication list VPN
 isakmp authorization list EzVPN
 client configuration address respond
 client configuration group EzVPN
 virtual-template 99
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROFILE-IPSEC-EZVPN
 set transform-set TS
 set isakmp-profile EzVPN-PROFILE
!
interface Loopback99
 ip address 10.252.0.254 255.255.255.0
!
interface Virtual-Template99 type tunnel
 ip unnumbered Loopback99
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC-EZVPN
!
ip local pool POOLVPN 10.252.0.1 10.252.0.10
!
access-list 150 permit ip 192.168.0.189 0.0.0.0 any
access-list 150 permit ip 10.252.0.0 0.0.255.255 any
!
ip route 192.168.0.189 255.255.255.255 207.108.121.176
!


In addition to that, you currently have ZBF implemented and need to modify your config to allow inbound VPN traffic.
For this purpose I suggest creating a new zone called ezvpn.

 

zone security Ezvpn
!
ip access-list extended outsideacl
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any traceroute
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-all OUT-TO-SELF
 match access-group name outsideacl
!
policy-map type inspect OUT-TO-SELF
 class type inspect OUT-TO-SELF
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE->Self source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF
!
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect ALLPROTO
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
zone-pair security Ezvpn->INSIDE source Ezvpn destination INSIDE
 description EzVPN to LAN
 service-policy type inspect ALLPROTO
!
zone-pair security Ezvpn->Self source Ezvpn destination self
 service-policy type inspect ALLPROTO
zone-pair security Self->Ezvpn source self destination Ezvpn
 service-policy type inspect ALLPROTO
zone-pair security INSIDE->Ezvpn source INSIDE destination Ezvpn
 service-policy type inspect ALLPROTO
!
interface Loopback99
 zone-member security Ezvpn
!
interface Virtual-Template99 type tunnel
 zone-member security Ezvpn
!

 

I hope I didn't forget anything.

Now on your side, on the wireless router, I bet it's doing NAT for internal devices to access the Internet, because there is no NAT config on your Cisco router.

You'll need to add a route:

- Access 10.252.0.0 255.255.255.0, next hop is your Cisco router inside IP: 207.108.121.182

- NAT exemption for communication between 192.168.0.189 and 10.252.0.0/24

[EDIT]

I forgot to say how to configure the IPsec client:

- Server name: I put the Dialer1 interface, so you need to get this IP

- Group name: EzVPN

- Password: the key you configured under crypto isakmp client configuration group EzVPN

- Username and password: the first line I put in the config (adapt it to the user and password you chose)


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Fantastic! When I am able to return home for the day I will see about implementing this. I appreciate you taking the time. I will keep you updated.

No problem. Let me know when you have implemented this VPN config.
Don't forget to do a backup of your config before applying anything. Then the rollback will be easier.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here is the config that can be applied on your device following our chat:

 

aaa authentication login VPN local
aaa authorization network EzVPN local
!
zone security Ezvpn
!
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect VPN
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
zone-pair security Ezvpn->INSIDE source Ezvpn destination INSIDE
 description LAN to INSIDE traffic
 service-policy type inspect VPN
zone-pair security Ezvpn->Self source Ezvpn destination self
 service-policy type inspect VPN
zone-pair security Self->Ezvpn source self destination Ezvpn
 service-policy type inspect VPN
zone-pair security INSIDE->Ezvpn source INSIDE destination Ezvpn
 description LAN to Ezvpn traffic
 service-policy type inspect VPN
!
crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp client configuration address-pool local POOLVPN
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EzVPN
 key xxxxYYYzzzz
 dns 8.8.8.8
 domain xxxxxxxx
 pool POOLVPN
 acl 150
 netmask 255.255.255.0
!
!
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 10.252.0.0 0.0.0.255 any
!
crypto isakmp profile EzVPN-PROFILE
 match identity group EzVPN
 client authentication list VPN
 isakmp authorization list EzVPN
 client configuration address respond
 client configuration group EzVPN
 virtual-template 99
!
crypto ipsec transform-set IPTRANSFORM esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROFILE-IPSEC-EZVPN
 set transform-set IPTRANSFORM
 set isakmp-profile EzVPN-PROFILE
!
!
interface Loopback99
 ip address 10.252.0.254 255.255.255.0
 no ip virtual-reassembly in
 zone-member security Ezvpn
!
interface Virtual-Template99 type tunnel
 ip unnumbered Loopback99
 no ip virtual-reassembly in
 zone-member security Ezvpn
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC-EZVPN
!
ip local pool POOLVPN 10.252.0.1 10.252.0.200 recycle delay 30
!

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
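The difference between the two versions of ACL 150 in this thread (the draft used wildcard 0.0.255.255 for a /24 pool; the accepted config uses 0.0.0.255) is easy to miss by eye. As an added example that is not part of the thread, this Python script parses the `ip local pool` and `access-list 150` lines from constructed excerpts of both configs and flags a split-tunnel entry that is broader than the pool, a pool not covered at all, or a NAS host not covered; it assumes the NAS is 192.168.0.189 and the pool netmask is the /24 pushed by `netmask 255.255.255.0`.

```python
import ipaddress
import re

# Constructed excerpts of the draft and the accepted configs posted above.
DRAFT_CFG = """
ip local pool POOLVPN 10.252.0.1 10.252.0.10
access-list 150 permit ip 192.168.0.189 0.0.0.0 any
access-list 150 permit ip 10.252.0.0 0.0.255.255 any
"""
FINAL_CFG = """
ip local pool POOLVPN 10.252.0.1 10.252.0.200 recycle delay 30
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 10.252.0.0 0.0.0.255 any
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) any\s*$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks; 0.0.0.0 selects one host.
    A non-contiguous wildcard makes ipaddress raise ValueError, which is itself a finding."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Collect numbered-ACL 'permit ip <net> <wildcard> any' entries and local pools."""
    acl, pools = {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl.setdefault(m.group(1), []).append(wildcard_to_network(m.group(2), m.group(3)))
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
    return acl, pools


def audit(cfg, acl_id, pool_name, nas_ip, pool_netmask="255.255.255.0"):
    """Return findings for the split-tunnel ACL versus the address pool and the NAS host."""
    acl, pools = parse(cfg)
    entries = acl.get(acl_id, [])
    start, end = pools[pool_name]
    pool_net = ipaddress.ip_network(f"{start}/{pool_netmask}", strict=False)
    findings = []
    if not any(start in n and end in n for n in entries):
        findings.append(f"pool {start}-{end} not covered by ACL {acl_id}")
    for n in entries:  # an entry wider than the pool network pushes more than intended
        if start in n and n.prefixlen < pool_net.prefixlen:
            findings.append(f"ACL {acl_id} entry {n} is broader than pool network {pool_net}")
    if not any(ipaddress.IPv4Address(nas_ip) in n for n in entries):
        findings.append(f"NAS {nas_ip} not covered by ACL {acl_id}")
    return findings
```

Running `audit` on the draft excerpt reports the over-broad 10.252.0.0/16 entry, while the accepted config returns no findings.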

Thank you so much. Works perfectly.

You're welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question