I had been thinking for some time about buying a Cisco ADSL modem to experiment with and learn new things. Finally the day came and my Cisco 887VA arrived.
In this article I will show you how to configure a Cisco 887VA ADSL router. This basic configuration is useful for any ADSL connection, whether at home or in a business.
Basic Cisco Configuration
Reset Device Configuration
The erase and reload commands are privileged EXEC commands, so they are entered after enable, not inside conf t (write erase does the same as erase nvram:):
enable
erase nvram:
reload
After the reload IOS offers the setup dialog. Answer no and configure the router manually:
Would you like to enter basic management setup? [yes/no]: no
Enable password encryption (skip the AES part if the IOS image does not support it). password encryption aes needs a master key first; service password-encryption additionally obscures any remaining clear-text (type 0) passwords such as the PPP credential further down, although type 7 encoding is reversible and only protects against shoulder surfing. MASTERKEY is a placeholder:
conf t
service password-encryption
key config-key password-encrypt MASTERKEY
password encryption aes
end
Secure user access
conf t
enable secret ENABLESECRET
username admin privilege 15 secret ADMINSECRET
line console 0
login local
exit
line vty 0 4
login local
exit
end
Use two different values for ENABLESECRET and ADMINSECRET. The secret keyword stores a salted hash rather than a reversible password; do not use enable password or username ... password here.
Set Hostname
conf t
hostname johny5
end
Disable DNS lookup from the CLI. Otherwise a mistyped command at the EXEC prompt is treated as a hostname and the session hangs while the router tries to resolve it:
conf t
no ip domain-lookup
end
Set Aliases
conf t
alias exec s show ip int br
alias exec sr show run
end
Keep log messages from interrupting what you are typing
conf t
line console 0
logging synchronous
exit
line vty 0 4
logging synchronous
exit
end
Log out idle sessions (timeout in minutes; exec-timeout 0 0 would disable the timeout and should not be used on the vty lines)
conf t
line console 0
exec-timeout 5
exit
line vty 0 4
exec-timeout 5
exit
end
Set Clock (with daylight saving for Australia/Sydney). clock set is a privileged EXEC command and goes after end:
conf t
clock timezone AEST 10
clock summer-time AEDT recurring first Sunday October 02:00 first Sunday April 03:00
end
clock set 02:56:59 3 January 2013
show clock
Set NTP Client. The router must be able to resolve these hostnames (ip domain lookup plus a reachable name server); with no ip domain-lookup set above, use the servers' IP addresses instead:
conf t
ntp server 0.au.pool.ntp.org
ntp server 1.au.pool.ntp.org
end
Set SNTP Client (on devices without NTP client)
conf t
sntp server <ip_address>
end
SSH configuration. A 1024-bit RSA key is no longer considered adequate, so generate 2048 bits (the 887VA supports it), force protocol version 2 and restrict the vty lines to SSH so that Telnet is no longer offered:
conf t
ip domain-name domain.tld
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
transport input ssh
exit
end
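The management-plane settings above are easy to get partly wrong: Telnet left enabled, a 1024-bit key, the enable secret reused as the user secret, exec-timeout switched off. The Python script below is an added example, not part of the original article and not a Cisco tool: it lints a batch of IOS commands of the kind pasted into conf t before you apply them. The two command batches are constructed for the example (the second is the hardened version the linter should accept), and the secret values and the aclQuietMode name are placeholders.

```python
"""Lint a batch of IOS commands for the management-plane weaknesses this
article is fixing. Added example; not part of the original article."""
import re

# Constructed sample batch: the article's commands with common mistakes left in
# (same secret for enable and the user, a reversible user password, 1024-bit key,
# Telnet still open on the vty lines, no idle timeout, PAP only).
SAMPLE_COMMANDS = """\
enable secret PASSWORD123
username admin privilege 15 secret PASSWORD123
username backup privilege 15 password 0 hunter2
line vty 0 4
login local
exec-timeout 0 0
exit
crypto key generate rsa modulus 1024
ip ssh version 2
interface Dialer0
ppp authentication pap callin
ppp pap sent-username USERNAME password 0 PASSWORD
exit
"""

# Constructed hardened batch: what the linter should accept without findings.
HARDENED_COMMANDS = """\
enable secret ENABLESECRET
username admin privilege 15 secret ADMINSECRET
ip access-list standard aclQuietMode
permit 192.168.3.0 0.0.0.255
exit
line vty 0 4
login local
exec-timeout 5
access-class aclQuietMode in
transport input ssh
exit
crypto key generate rsa modulus 2048
ip ssh version 2
interface Dialer0
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
exit
"""

MIN_RSA_BITS = 2048


def split_line_blocks(commands):
    """Return (global_cmds, {line_name: [sub_cmds]}). A 'line ...' command opens
    a block that 'exit' or 'end' closes; everything else is treated as global."""
    global_cmds, blocks, current = [], {}, None
    for raw in commands.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith("line "):
            current = cmd[5:]
            blocks.setdefault(current, [])
        elif cmd in ("exit", "end"):
            current = None
        elif current is not None:
            blocks[current].append(cmd)
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(commands):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    g, blocks = split_line_blocks(commands)
    secrets = [c.split()[-1] for c in g if c.startswith("enable secret ")]
    if not secrets:
        findings.append(("high", "no 'enable secret' configured"))
    if any(c.startswith("enable password ") for c in g):
        findings.append(("high", "'enable password' is reversible; use 'enable secret'"))
    for c in g:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", c)
        if m:
            findings.append(("high", f"user {m.group(1)} has a reversible 'password'; use 'secret'"))
        m = re.match(r"username \S+ (?:privilege \d+ )?secret (?:\d )?(\S+)$", c)
        if m and m.group(1) in secrets:
            findings.append(("medium", "enable secret reused as a user secret"))
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", c)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(("medium", f"RSA modulus {m.group(1)} is below {MIN_RSA_BITS} bits"))
    if "ip ssh version 2" not in g:
        findings.append(("high", "SSHv1 still negotiable; add 'ip ssh version 2'"))
    if any(c.startswith("ppp authentication pap") for c in g):
        findings.append(("low", "PAP only: prefer 'ppp authentication chap pap callin' if the ISP allows CHAP"))
    for name, sub in blocks.items():
        if not name.startswith("vty"):
            continue  # console needs physical access; only the remote lines are checked
        if "transport input ssh" not in sub:
            findings.append(("high", f"line {name}: Telnet allowed; set 'transport input ssh'"))
        if not any(s.startswith("access-class ") for s in sub):
            findings.append(("medium", f"line {name}: no 'access-class' limiting source subnets"))
        if any(re.fullmatch(r"exec-timeout 0( 0)?", s) for s in sub):
            findings.append(("medium", f"line {name}: exec-timeout 0 never expires idle sessions"))
        if "login local" not in sub and not any(s.startswith("login authentication") for s in sub):
            findings.append(("high", f"line {name}: no login authentication"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_COMMANDS):
        print(f"[{sev}] {msg}")
```

Run it on the first batch and it reports seven findings; on the hardened batch it reports none. The checks are deliberately on the command text rather than on show running-config output, because the RSA modulus only appears in the command you type (show crypto key mypubkey rsa is where to confirm it afterwards).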
Cisco 887VA IP Configuration
Configure IP on VLAN interface
conf t
interface Vlan1
ip address 192.168.3.1 255.255.255.0
end
Show VLANs and port assigment
show vlan-switch
Cisco 887VA ADSL2+ Configuration
Configure ADSL (operating mode {auto | adsl1 | adsl2 | adsl2+ | vdsl2 | ansi})
conf t
controller vdsl 0
operating mode auto
end
Configure Dialer Interface
conf t
interface Dialer0
description WAN Interface
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password 0 PASSWORD
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
end
PAP sends USERNAME and PASSWORD in the clear over the PPP session; if the ISP supports CHAP, use ppp authentication chap pap callin with ppp chap hostname and ppp chap password instead. The 0 marks the password as clear text in the configuration; with service password-encryption it is stored as (reversible) type 7. ppp ipcp route default installs the default route learned from the ISP, which makes the static route further down optional.
Configure ATM interface
conf t
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
no snmp trap link-status
pvc 8/35
tx-ring-limit 3
pppoe-client dial-pool-number 1
end
This is PPPoE over ATM on VPI/VCI 8/35; check the values your ISP publishes.
Create a dialer list and associate dialer group 1 with it (this defines the "interesting" traffic that brings up and keeps up the dialer):
conf t
dialer-list 1 protocol ip permit
end
Show ADSL sync
show controller VDSL 0
Note: You still have to configure NAT to get access to the internet.
Configure NAT
Create an access list that selects the traffic to be translated (from LAN to WAN). Entries are evaluated top-down and the first match wins, so the deny entries keep traffic destined for RFC 1918 space (for example a VPN or a second LAN) from being translated, and everything else from the LAN subnet is permitted:
conf t
ip access-list extended aclAllowNat
remark --- Traffic allowed to be NATed from inside to out.
remark --- Do not NAT traffic to RFC1918 addresses
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.x.0 0.0.0.255 any
end
Replace 192.168.x.0 with your LAN subnet (192.168.3.0 in this article).
Configure NAT
conf t
ip nat inside source list aclAllowNat interface Dialer0 overload
interface Vlan1
ip nat inside
exit
interface Dialer0
ip nat outside
end
Note: You should now be able to ping the internet, e.g. 8.8.8.8.
IP Route
If you did not use ppp ipcp route default on the dialer, add a static default route pointing at the dialer interface (having both is harmless):
ip route 0.0.0.0 0.0.0.0 Dialer0
Port Forwarding
Example of port forwarding (SSH to an internal host, SIP to a phone system). Each of these exposes an internal service to the whole internet unless the zone-based firewall below restricts the sources, so forward only what you need:
ip nat inside source static tcp 192.168.x.x 22 interface Dialer0 22
ip nat inside source static udp 192.168.3.12 5060 interface Dialer0 5060
DNS Server Configuration
ip dns server turns the router into a caching DNS forwarder for the LAN. It needs ip domain lookup enabled, which reverses the no ip domain-lookup set earlier; to keep mistyped commands from hanging the CLI anyway, set transport preferred none on the console and vty lines:
conf t
ip dns server
ip domain lookup
line console 0
transport preferred none
exit
line vty 0 4
transport preferred none
exit
end
Note: Without ip domain lookup your network clients cannot resolve names through the router.
Note: If you don't configure a DNS server on your 887VA, hand out the ISP's DNS servers in the DHCP server configuration instead.
Verify name servers assigned from ADSL connection
show ip name-server
Verify DNS
show ip dns view
DHCP Server Configuration
The excluded range keeps the router and any statically addressed hosts out of the pool; import all copies options the router learned from the ISP (its DNS servers) into the pool. Avoid .local as the domain name if you have Apple or Linux clients, because mDNS reserves it; something like home.lan is safer.
conf t
ip dhcp excluded-address 192.168.3.1 192.168.3.99
service dhcp
ip dhcp pool DHCP-POOL
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.3.1
domain-name home.local
import all
exit
end
Firewall Configuration
Restrict management access to the router. Create an access list with the subnets allowed to reach the vty lines and apply it with access-class; a line can carry only one access-class, and with transport input ssh set in the SSH section a separate Telnet list is not needed:
conf t
ip access-list standard aclQuietMode
remark --- Enter Subnets allowed to SSH to router
permit 192.168.x.0 0.0.0.255
exit
line vty 0 4
access-class aclQuietMode in
exit
end
If you still allow Telnet (transport input telnet ssh), the same access list covers it, but Telnet carries the login credentials in clear text, so prefer SSH only.
Zone Based Firewall (2 zones)
Define class-maps that describe the traffic you want to permit between zones.
You have two options here: match on access lists (access-groups) or on protocols (services). Here is an example of both.
Option 1 (using access-groups)
Allow everything out to the internet:
conf t
ip access-list extended private-to-internet
permit ip 192.168.3.0 0.0.0.255 any
end
Allow SSH in to one host, and SIP in from a single SIP provider only (an unrestricted any for SIP would expose the phone system to the usual registration brute-force and INVITE scans):
conf t
ip access-list extended internet-to-private
permit tcp any host 192.168.3.10 eq 22
permit udp host 202.85.243.115 host 192.168.3.12 eq 5060
end
Note: Both SSH and SIP are also in the port-forwarding section. The addresses in this list are the internal hosts, because inbound traffic is untranslated before the zone policy sees it.
conf t
class-map type inspect match-all private-to-internet-class
match access-group name private-to-internet
exit
class-map type inspect match-all internet-to-private-class
match access-group name internet-to-private
end
Option 2 (using services, without access-groups)
conf t
class-map type inspect match-any private-to-internet-class
match protocol tcp
match protocol udp
match protocol icmp
exit
class-map type inspect match-any internet-to-private-class
match protocol ssh
end
With this option the inbound class accepts SSH from any source; if you want to restrict the sources, combine the access-group from option 1 and the protocol in one match-all class-map. Note also that anything that is not TCP, UDP or ICMP (for example ESP or GRE from a VPN client on the LAN) falls into class-default and is dropped.
Note: match-any matches traffic that satisfies any one of the listed statements, which is what you want for a list of permitted services. match-all requires every statement to match; use it when a class-map combines an access-group with a protocol, so that both the addresses and the service must match before traffic is allowed.
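Both aclAllowNat in the NAT section and the two access lists in option 1 depend on IOS evaluating entries top-down with first match wins and an implicit deny at the end, and on wildcard masks (a 1 bit means "don't care"). The Python below is an added example, not code from the article: it parses the page's access lists and evaluates constructed flows against them, so you can see that a LAN host reaching 172.20.0.1 is not translated while 172.32.0.1 is, and that SIP is accepted only from the provider's address. Only the eq port operator is implemented, which is all these lists use; the sample source addresses are from the RFC 5737 documentation ranges.

```python
"""Evaluate IOS extended access lists the way the router does: top-down, first
match wins, implicit deny at the end. Added example, not from the article."""
import ipaddress

# The article's NAT list and inbound firewall list (LAN is 192.168.3.0/24 here).
ACL_ALLOW_NAT = """
remark --- Do not NAT traffic to RFC1918 addresses
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.3.0 0.0.0.255 any
"""
ACL_INTERNET_TO_PRIVATE = """
permit tcp any host 192.168.3.10 eq 22
permit udp host 202.85.243.115 host 192.168.3.12 eq 5060
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), next_index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT'; eq is the only operator these lists use."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines into (action, proto, src, sport, dst, dport) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries


def _addr_match(spec, addr):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    base, wildcard = spec
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, dport=None, sport=None):
    """Return (action, entry_number) of the first matching entry, or
    ('deny', None) for the implicit deny that closes every IOS access list."""
    for n, (action, p, s, sp, d, dp) in enumerate(entries, 1):
        if p != "ip" and p != proto:
            continue
        if not _addr_match(s, src) or not _addr_match(d, dst):
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action, n
    return "deny", None


if __name__ == "__main__":
    nat = parse_acl(ACL_ALLOW_NAT)
    fw = parse_acl(ACL_INTERNET_TO_PRIVATE)
    # Constructed flows: LAN to the internet, LAN to a private subnet (e.g. over a
    # VPN), a host from the wrong subnet, and inbound SIP from the provider vs a scanner.
    for desc, args in [
        ("LAN -> 8.8.8.8 (NAT)", (nat, "udp", "192.168.3.5", "8.8.8.8", 53)),
        ("LAN -> 172.20.0.1 (NAT)", (nat, "tcp", "192.168.3.5", "172.20.0.1", 443)),
        ("LAN -> 172.32.0.1 (NAT)", (nat, "tcp", "192.168.3.5", "172.32.0.1", 443)),
        ("other subnet -> 8.8.8.8 (NAT)", (nat, "udp", "192.168.4.5", "8.8.8.8", 53)),
        ("provider SIP (FW)", (fw, "udp", "202.85.243.115", "192.168.3.12", 5060)),
        ("scanner SIP (FW)", (fw, "udp", "198.51.100.9", "192.168.3.12", 5060)),
    ]:
        print(f"{desc}: {evaluate(*args)}")
```

The 0.15.255.255 wildcard on 172.16.0.0 is why 172.20.0.1 hits entry 2 but 172.32.0.1 falls through to the permit: only the top four bits of the second octet are compared. Non-contiguous wildcards work the same way with this representation, which is why the code keeps base/wildcard integers rather than converting to a prefix.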
Configure a policy-map for each direction that inspects the class you just defined and drops (and logs) everything else:
conf t
policy-map type inspect internet-to-private-policy
class type inspect internet-to-private-class
inspect
exit
class class-default
drop log
exit
exit
policy-map type inspect private-to-internet-policy
class type inspect private-to-internet-class
inspect
exit
class class-default
drop log
end
Configure Zones:
conf t
zone security internet
zone security private
end
Assign interfaces to their respective zones (once an interface joins a zone, traffic between it and interfaces in other zones is dropped unless a zone-pair permits it):
conf t
interface Vlan1
zone-member security private
exit
interface Dialer0
zone-member security internet
end
Verify:
show zone security
Configure Zone Pairs and apply the appropriate policy-map:
conf t
zone-pair security private-to-internet source private destination internet
service-policy type inspect private-to-internet-policy
exit
zone-pair security internet-to-private source internet destination private
service-policy type inspect internet-to-private-policy
end
Verify:
show zone-pair security
Post configuration tasks
Optionally point NAT at the firewall's private-to-internet access list, so that one list defines what may leave the LAN (note that this list has no RFC 1918 exclusions, unlike aclAllowNat):
from:
ip nat inside source list aclAllowNat interface Dialer0 overload
to:
ip nat inside source list private-to-internet interface Dialer0 overload
Zone Self
Restrict access from the internet to the router itself (the self zone). The policy below passes only SSH and ICMP to the router and drops everything else, so it limits rather than prevents access; remove the match protocol ssh line if you do not need to manage the router from the internet, or restrict it to known sources with an access-group as in option 1. Two things to know about the self zone: pass is stateless, and once the internet-to-self zone-pair exists, replies to traffic the router itself originated (NTP and DNS queries, for example) are also checked against it and fall into class-default. Either add a self-to-internet zone-pair that inspects tcp, udp and icmp (on IOS releases that support inspection for the self zone), or pass the reply traffic explicitly.
conf t
class-map type inspect match-any public-to-self-class
match protocol ssh
match protocol icmp
exit
policy-map type inspect public-to-self-policy
class type inspect public-to-self-class
pass
exit
class class-default
drop log
exit
exit
zone-pair security internet-to-self source internet destination self
description Inbound traffic from internet network to self
service-policy type inspect public-to-self-policy
end
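To make the self-zone behaviour concrete, the Python model below is an added example, not code from the article or from Cisco: it implements the three rules that matter here (a reply to an inspected session is allowed first; traffic to or from the self zone is allowed when no zone-pair exists; otherwise the first matching class decides and class-default drops) and runs the router's own NTP query and its reply through the article's public-to-self-policy with and without an added self-to-internet inspect policy. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Model how a zone-pair policy with 'pass' differs from 'inspect' for traffic
the router itself originates. Added example; not from the article."""
from collections import namedtuple

# proto/src/sport/dst/dport as the router sees them, plus the two zones involved
Packet = namedtuple("Packet", "proto src sport dst dport src_zone dst_zone")


class ZoneFirewall:
    """Minimal zone-based firewall: a class list per zone-pair, a session table
    filled only by 'inspect', and the IOS default that traffic to or from the
    self zone is allowed when no zone-pair covers it."""

    def __init__(self):
        self.policies = {}     # (src_zone, dst_zone) -> [(match_fn, action)]
        self.sessions = set()  # 5-tuples created by inspect; replies match in reverse

    def zone_pair(self, src_zone, dst_zone, classes):
        self.policies[(src_zone, dst_zone)] = classes

    def forward(self, p):
        # 1. A reply to an inspected session is allowed before any policy lookup.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow (session)"
        # 2. No zone-pair: self-zone traffic is allowed, inter-zone traffic dropped.
        if (p.src_zone, p.dst_zone) not in self.policies:
            if "self" in (p.src_zone, p.dst_zone):
                return "allow (no policy)"
            return "drop (no zone-pair)"
        # 3. First matching class wins; class-default drops.
        for match, action in self.policies[(p.src_zone, p.dst_zone)]:
            if match(p):
                if action == "inspect":
                    self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    return "allow (inspect)"
                return "allow (pass)" if action == "pass" else "drop"
        return "drop (class-default)"


# The article's public-to-self-class: SSH and ICMP passed, everything else dropped.
PUBLIC_TO_SELF = [
    (lambda p: p.proto == "tcp" and p.dport == 22, "pass"),
    (lambda p: p.proto == "icmp", "pass"),
]
# Added self-to-internet class: inspect what the router originates so replies return.
SELF_TO_INTERNET = [(lambda p: p.proto in ("tcp", "udp", "icmp"), "inspect")]

# Constructed addresses (RFC 5737 documentation ranges): router WAN, NTP server, admin PC.
ROUTER_WAN, NTP_SERVER, ADMIN_HOST = "203.0.113.1", "192.0.2.10", "198.51.100.7"


def run_scenario(with_self_to_internet):
    """Return the verdicts for (router's NTP query, the NTP reply, inbound SSH)."""
    fw = ZoneFirewall()
    fw.zone_pair("internet", "self", PUBLIC_TO_SELF)
    if with_self_to_internet:
        fw.zone_pair("self", "internet", SELF_TO_INTERNET)
    query = fw.forward(Packet("udp", ROUTER_WAN, 123, NTP_SERVER, 123, "self", "internet"))
    reply = fw.forward(Packet("udp", NTP_SERVER, 123, ROUTER_WAN, 123, "internet", "self"))
    ssh = fw.forward(Packet("tcp", ADMIN_HOST, 40022, ROUTER_WAN, 22, "internet", "self"))
    return query, reply, ssh


if __name__ == "__main__":
    print("article's internet-to-self pair only:", run_scenario(False))
    print("with self-to-internet inspect added:", run_scenario(True))
```

With only the article's zone-pair the NTP query leaves (no self-to-internet pair, so default allow) but its reply is dropped by class-default, and the router's clock silently stops syncing; with the self-to-internet inspect pair the query creates a session and the reply is matched against it. Inbound SSH is passed in both cases, which is why that line deserves a source restriction.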