| Executive Summary: |
Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a great way to experiment with networking concepts and gear and could be good for your career development. Learn the basic steps of setting up a Cisco router to provide Internet access to a small network.
Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a great way to experiment with networking concepts and gear and could be good for your career development. You can get some hands-on IOS experience by setting up a Cisco router at the Internet edge in your test lab at work or in your home office. A Cisco router allows you greater flexibility (with more granular controls than the Linksys or NETGEAR hardware commonly used in home offices) if you later want to expand your setup to include, say, a Microsoft ISA Server firewall on the back end.
Let’s go through the basic steps of setting up a Cisco router to provide Internet access to a small network. I’ll assume you have some basic IOS knowledge, including how to log on and how to save and clear configurations. I’ll also assume that you have a solid understanding of networking, including what Network Address Translation (NAT) is. I won’t cover items such as setting up Secure Shell (SSH) access and hardening access lists. You can expand into those areas as you feel comfortable and want to experiment more.
What You’ll Need
You need a Cisco router with at least two Ethernet interfaces. An 806, 836, 851, or 871 is ideal for a home or small office setup—in fact, that’s what those models are geared towards. You can buy an 851 for a few hundred dollars from various online retailers. However, a 2610 works just as well, and you might have one sitting in the equipment bin at your office that you can ask to borrow.
Your router should have IOS 12.2 or later. This article is based on a Cisco 851W with IOS 12.4, including the IOS firewall feature set.
You also need a Cisco console cable (sometimes called a rollover cable). One end has an eight-position, eight-conductor modular jack to connect to the router; the other end has a DB-9 serial connector. In recent years, the console cables that Cisco has shipped with its equipment have been light blue.
You need a computer with a DB-9 serial port. In my experience, USB-to-serial converters work just fine for this application. You also need a computer with a terminal emulation program. Hilgraeve’s HyperTerminal is available with Windows XP, but it was removed from Windows Vista. Vista users can download Hyper- Terminal Private Edition 6.3 at www.hilgraeve.com/htpe/download.html. Mac OS X users can Google for ZTerm, and Linux users, for minicom.
1. Connect the router to the PC, and start a terminal emulation program
Connect your router to your PC with the console cable, and fire up your terminal emulation program. The port settings are 9600,8,N,1. If you’ve never before accessed a device directly via an asynchronous serial connection, you might want to ask a Cisco veteran for some assistance.
Start with the command enable to get into privileged EXEC mode. Then type the command erase startup-config to get a blank configuration. Next, restart the router with the reload command. Make sure to say no to an IOS prompt that asks if you’d like to enter the initial configuration dialog.
These steps might sound confusing if you’ve worked only with Cisco devices that are up and running in production. In that case, you’re probably more accustomed to using Telnet, or preferably SSH, to configure the equipment. That isn’t an option when you want to start with a blank configuration, which will prevent any Telnet or SSH access to the equipment for the time being.
2. Identify the router’s interfaces
Take a look at the back of your router and identify which Ethernet ports you’ll be using for what. One will connect to your WAN device, such as a cable modem; another will connect to your LAN. If you’re using an 851W, like me, you’ll notice that the ports are labeled for you—FastEthernet4 is the WAN interface and FastEthernet0 through FastEthernet3 are the LAN interfaces. The 851 includes a built-in four-port switch, hence the four LAN interfaces.
If your router’s interfaces aren’t labeled, you can type the command
show ip interface brief
from privileged EXEC mode to find the names.
3. Configure IP addresses
Now you can begin the actual setup. You should still be in privileged EXEC mode (if not, enter the enable command), and start terminal configuration mode by entering
Type the command
no ip domain lookup
to prevent IOS from attempting to convert any spelling mistakes you make into domain names. You can skip this step if you’re a perfect typist, I suppose.
You might also want to enter the command
no logging console
to prevent IOS from outputting syslog messages to the console as you’re working. These can interfere greatly with your typing.
Now you’re ready to set up an IP address for the LAN interface. In the case of the 851W that this article is based on, you do this on a virtual interface called BVI1 that relates to the physical LAN interfaces. On other routers, you might do this on the actual physical interface. Type
to enter the configuration mode for that interface. For the 851W, the command was
Now, assign the interface an IP address:
ip address <address> <netmask>
I’m using 192.168.100.1 with a Class C mask, so my command looked like this:
ip address 192.168.100.1
(The command is on two lines for publication purposes, but be sure to enter it all on one line.) You can also use Classless Inter-Domain Routing (CIDR) notation if you prefer, which would look like this:
ip address 192.168.100.1/24
You’ll also need to set the WAN interface to use DHCP to obtain its IP address. To do this, type
followed by the command
ip address dhcp
followed by the exit command to leave the interface configuration mode.
4. Set up access lists
Next, you need to configure two access lists, both of which will be applied in the inbound direction. Note that in the remainder of this article, I use the terms inbound and outbound frequently. As Figure 1 shows, inbound refers to traffic entering the interface; outbound refers to traffic leaving the interface.
Listing 1 shows the two access lists: The first will be applied to the LAN interface (in my case, BVI1), and the second will be applied to the WAN interface (in my case, FastEthernet4).
Access list 100 will be applied to the LAN interface. The first line sets up the access list and places the router in access list configuration mode. The next line allows any IP traffic matching the network (192.168.100.0/24) to pass into the interface. If the subnet mask looks odd to you, that’s not a typo. IOS uses inverse subnet masks in its access lists. You can compute these manually quite easily by subtracting each octet of your standard mask from 255. So mask 255.255.252.0 becomes 0.0.3.255, 255.252.0.0 becomes 0.3.255.255, and so on.
The third line denies any other traffic from entering the LAN interface. Although all access lists have an implicit deny all at the end, including an explicit deny line is a good practice so that you know where your access list ends and to aid the readability of your configuration. The final line takes the router out of access list configuration mode.
Access list 101 will be applied to the WAN interface. The first line sets up the access list and places the router in access list configuration mode. I use a cable modem, so the next line allows DHCP (bootps and bootpc) traffic to enter the WAN interface. Without this entry, my WAN interface would never receive a public IP address, and I’d never get on the Internet. You can use the same configuration in a test lab as long as you have a DHCP server set up and your networking team is OK with what you’re doing. The third and fourth lines allow any TCP and UDP traffic from any source destined for anywhere to enter the WAN interface.
The fifth, sixth, and seventh lines allow any Internet Control Message Protocol (ICMP) traffic that’s from any source; is headed for any destination; and is an echo-reply, time-exceeded, or unreachable message to enter the WAN interface. You should be cautious about which types of ICMP traffic you allow on your network because ICMP can be used for various exploits, especially Denial of Service (DoS) attacks. However, you need these three lines to use ping and traceroute for troubleshooting. The last two lines are the same as in the LAN access list.
5. Configure basic TCP/UDP/ ICMP inspection
My IOS version includes the IOS firewall feature set. If yours does as well, you’ll definitely want to use it. Although the IOS firewall doesn’t offer the deep application-layer inspection that, say, an ISA Server firewall does, enabling it is a good idea for two reasons. The first is to ensure that traffic which is claiming to be TCP, UDP, or ICMP is in fact TCP, UDP, or ICMP. The second is that enabling this inspection also enables Context-Based Access Control. CBAC allows IOS to create dynamic access list entries that allow return traffic to flow through the router. Although our access lists above are very generic (e.g., all TCP is allowed), once your setup is working, you’ll certainly want to harden them, set up internal servers reachable from the Internet, and so on. After you’ve done that, CBAC will allow return traffic to pass through the router. For example, if you browse to Amazon.com, CBAC will dynamically place entries in the inbound access list applied to your external (WAN) interface to allow return traffic from Amazon.com to enter the router. When the connection is closed, these entries are dynamically removed.
First, set up a TCP SYN timeout threshold to help mitigate SYN flood DoS attacks:
ip tcp synwait-time 30
This command tells IOS to drop any TCP session that’s not established within 30 seconds.
Next, set up an inspection rule each for ICMP, TCP, and UDP:
ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp
(You can substitute a name you prefer for InspectRule.)
6. Apply the access lists and inspection rules
Now, apply both the access lists and the inspection rules to the appropriate interfaces in the inbound direction. For the WAN interface—in my case, FastEthernet4— first enter the interface configuration mode:
Then apply the access list:
ip access-group 101 in
(Note that you use access-group, not access-list here.) Then apply the inspection rule:
ip inspect InspectRule in
And finally, exit the interface configuration mode:
Next, for the LAN interface (BVI1, in this example), type:
ip access-group 100 in
ip inspect InspectRule in
Some of you sharpies might be wondering if you could apply the IP inspection rule in the outbound direction as well as or in place of the inbound direction. The answer is yes, you can.
7. Set up NAT
You now need to set up NAT to translate addresses between the internal 192.168.100.0/24 network and the public Internet. First, set up an access list to be used only for NAT:
ip access-list standard 10
permit 192.168.100.0 0.0.0.255
As before, the first line places the router in access list configuration mode. Note that the access list here is standard and not extended. Standard access lists allow only traffic from specific IP addresses or networks to be permitted or denied. They don’t let you specify the destination or type of traffic as extended access lists do. The second line identifies the traffic that you want to translate. The above code allows any traffic on the internal LAN to be translated for the Internet. The third line prevents any other traffic from being translated, and the fourth line takes the router out of access list configuration mode.
Next, you identify to IOS which interfaces will participate in NAT:
ip nat inside
ip nat outside
These lines tell IOS that the LAN interface, BVI1, will contain the addresses that need to be translated, while the WAN interface, FastEthernet4, contains the external addresses to which the internal addresses will be translated.
Finally, you enter the actual NAT statement (all on one line):
ip nat inside source list 10
interface FastEthernet4 overload
This command tells IOS to translate any address identified in access list 10 to the address assigned to FastEthernet4. The overload keyword allows one public address to be shared among several internal private addresses.
8. Enable interfaces, and disable STP
You’re almost ready to test your configuration. First, though, you need to ensure that each interface is not in a shutdown state. To do so for FastEthernet4, type:
You’ll want to do this for every physical interface on your router.
At this point, you can disconnect the console cable and connect the PC to a LAN port on the router with an Ethernet cable. You can then access the router by opening a Telnet connection (preferably secured with SSH) to the router’s LAN IP address. Keep the console cable handy, though, in case you make a configuration change that prohibits Telnet access. A Telnet client is included with most OSs.
You also might want to disable Spanning Tree Protocol (STP) on your internal LAN interface(s) if your router allows that. If you plan on setting up a complex network of switches on your network, then don’t disable STP; but for a small network, disabling STP lets your internal LAN devices connect to your router up to 30 seconds faster. For each LAN interface (in my case, FastEthernet0 through FastEthernet3), enter
9. Test your configuration
Now is a good time to save your configuration. Type
copy running-config startup-config
to save your work to nonvolatile memory and ensure that your configuration is retained across router restarts, power outages, and so on.
You should also enter the command
to output a copy of the configuration you just created to your screen. You can copy and paste this configuration to a text editor for later reference. You can also edit the configuration in a text editor and paste it into a terminal session to make changes to the router. Your configuration should look similar to Listing 2 at this point. Note that Listing 2 omits many configuration lines that are automatically inserted or included by default. Listing 2 focuses on the commands that you entered above.
You can now connect an Ethernet cable to the router’s WAN port, and try to get on the Internet. Note that your internal LAN hosts will need to use static IP addressing if you don’t have a DHCP server present.
The possibilities from here are endless. You will most certainly want to set up usernames and passwords for access to your router, set up Telnet and/or SSH access (if you haven’t already), and limit that access to various IP addresses. You should also consider modifying your access lists to deny private, non-routable (aka bogon) IP ranges from being able to reach your network.
You can also make your router a DHCP server, set up VPN access with the router as an endpoint, add NAT statements and access list entries to access a Web server on your internal network from the Internet, or put an ISA Server firewall between your router and your LAN clients. Over time, I’ve tweaked my setup to become much more complex than the one presented in this article. Don’t be afraid to read some additional documentation (I highly suggest the Cisco Field Manual series published by Cisco Press), ask questions of your resident Cisco gurus, and experiment!