Cisco Configuration for Branch Networks

Author: Arthur Fruchtman
Created: Jan 22, 2012 at 11:57 pm
Updated: Jan 28, 2012 at 5:29 pm

This article outlines the commands needed to configure a Cisco router for a home, small business, or branch office network. A Cisco 861 was used to prepare the configurations, but they will work on almost any Cisco router. Please be advised that a K9 (crypto) license is required before the VPN configuration commands are accepted.

Router Authentication

!
! Set the router’s privileged (enable) password to ‘mypassword’
!
enable secret mypassword
!
! Create a new user ‘snabbr’ with password ‘mypassword2’ and full (level 15) privileges
!
username snabbr privilege 15 secret mypassword2
!
! Enable ‘aaa new-model’ so that the local username above is used for login
!
aaa new-model
!
! Now we enable SSH over the virtual terminal lines.
! SSH requires that a hostname and a domain name be set before keys are generated.
!
hostname c861
ip domain name snabbr.com
!
! While we’re at it, let’s also add global DNS servers
!
ip name-server 167.206.112.138
ip name-server 167.206.7.4
!
! Generate your SSH keys (the router prompts for a modulus size; 2048 bits or
! larger is the sensible choice today)
!
crypto key generate rsa
!
! Enable SSH on the vtys. This line also leaves telnet enabled, which sends the
! password in cleartext; drop ‘telnet’ once SSH access is confirmed to work.
!
line vty 0 4
transport input telnet ssh

WAN Configuration

The WAN side uses 24.187.228.122/29 (a /29 subnet, mask 255.255.255.248), with 24.187.228.122 as the router’s own WAN IP address.

!
! Select the router interface connecting to the internet (your ISP)
!
interface FastEthernet4
!
! Configure your WAN IP address and subnet mask
!
ip address 24.187.228.122 255.255.255.248
!
! Enable the interface
!
no shutdown

Security with ACLs

!
! Access Control List 101
!
access-list 101 remark Traffic leaving home network
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq ftp
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq ftp-data
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq 22
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq smtp
access-list 101 permit udp 24.187.228.120 0.0.0.7 any eq domain
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq www
access-list 101 permit udp 24.187.228.120 0.0.0.7 any eq 123
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq 587
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq 993
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq 443
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq 3689
access-list 101 permit tcp 24.187.228.120 0.0.0.7 any eq 5223
access-list 101 permit udp 24.187.228.120 0.0.0.7 any eq 5353
!
! Access Control List 102
!
access-list 102 remark Traffic entering home network
access-list 102 permit tcp any 24.187.228.120 0.0.0.7 established
access-list 102 permit tcp any host 24.187.228.122 eq 22
access-list 102 permit udp any eq domain any
!
! We are going to apply these access lists on our WAN link
!
interface FastEthernet4
!
! ACL 101 defines what the users behind router c861 may reach. They have been
! given access to FTP, SSH, SMTP, DNS, HTTP/S, NTP (UDP 123), mail submission and
! IMAPS, and common ports required by Apple services (i.e. App Store, push
! notifications, mDNS). Because NAT rewrites the source address to the WAN IP
! before the outbound ACL is evaluated, the list matches on the WAN /29, not on
! 10.0.0.0/24. Anything not listed is dropped by the implicit deny at the end.
! ACL 101 is applied to all traffic leaving the WAN interface.
!
ip access-group 101 out
!
! ACL 102 defines what the Internet may reach through the WAN interface: return
! traffic of TCP connections opened from inside (the ‘established’ keyword), SSH
! to the router’s WAN address, and DNS replies (UDP packets with source port 53).
! Note that ‘established’ only checks for the ACK or RST flag; it keeps no
! connection state, so it is a coarse filter rather than a stateful firewall, and
! UDP return traffic other than DNS (NTP, mDNS) is not permitted by this list.
! ACL 102 is applied to all traffic coming in from the Internet.
!
ip access-group 102 in
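To see how these lists actually decide, here is an added Python model of extended-ACL matching (not code from the article or from Cisco). It parses ACL 102 as written above, applies the wildcard-mask test and the ‘established’ flag check the way IOS documents them, and runs a few constructed inbound packets through it, including one that shows why ‘established’ is not a stateful check. The sample packets, their ports and the names given to them are constructed for this example; the only real values are the article’s WAN address and DNS server.

```python
"""Model of Cisco extended-ACL matching, added as an example (not the article's
or Cisco's code). Parses the article's ACL 102 and evaluates constructed packets.
A 'packet' here is a dict with proto, src, dst, optional sport/dport and TCP flags."""
import ipaddress

# ACL 102 exactly as written in the article (inbound on FastEthernet4).
ACL_102 = """
access-list 102 remark Traffic entering home network
access-list 102 permit tcp any 24.187.228.120 0.0.0.7 established
access-list 102 permit tcp any host 24.187.228.122 eq 22
access-list 102 permit udp any eq domain any
"""

# IOS port keywords used on this page, mapped to numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80,
              "isakmp": 500, "non500-isakmp": 4500}
ALL_ONES = 0xFFFFFFFF


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (address, wildcard) as ints.
    In a wildcard mask a 1 bit means 'don't care', so 'any' is 0.0.0.0 255.255.255.255."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'
    lines into entry dicts, in order. Remarks are skipped; order is what IOS evaluates."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[2], tokens[3]
        if action == "remark":
            continue
        rest = tokens[4:]
        entry = {"line": line, "action": action, "proto": proto,
                 "established": "established" in rest}
        entry["src"] = _parse_addr(rest)
        entry["sport"] = _parse_port(rest)
        entry["dst"] = _parse_addr(rest)
        entry["dport"] = _parse_port(rest)
        entries.append(entry)
    return entries


def _addr_match(pkt_addr, spec):
    """Bits set in the wildcard are ignored; every other bit must equal the spec address."""
    addr, wild = spec
    return (_ip(pkt_addr) ^ addr) & (ALL_ONES ^ wild) == 0


def evaluate(entries, pkt):
    """First-match evaluation. Returns (action, matching line), or ('deny', None)
    for the implicit deny that ends every IOS access list."""
    for e in entries:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(pkt["src"], e["src"]) and _addr_match(pkt["dst"], e["dst"])):
            continue
        if e["sport"] is not None and pkt.get("sport") != e["sport"]:
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        # 'established' matches any TCP segment with ACK or RST set. It looks at
        # flags only; the router keeps no table of connections it has seen.
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"], e["line"]
    return "deny", None


# Constructed inbound packets arriving on FastEthernet4 (outside hosts taken from
# the 198.51.100.0/24 documentation range; the WAN IP and DNS server are the article's).
SAMPLE_PACKETS = {
    "ssh_to_router":    dict(proto="tcp", src="198.51.100.7", sport=51000, dst="24.187.228.122", dport=22, flags={"SYN"}),
    "http_reply":       dict(proto="tcp", src="198.51.100.7", sport=80, dst="24.187.228.122", dport=51001, flags={"ACK"}),
    "dns_reply":        dict(proto="udp", src="167.206.7.4", sport=53, dst="24.187.228.122", dport=51002),
    "new_http_inbound": dict(proto="tcp", src="198.51.100.7", sport=51003, dst="24.187.228.122", dport=80, flags={"SYN"}),
    "unsolicited_ack":  dict(proto="tcp", src="198.51.100.7", sport=51004, dst="24.187.228.122", dport=3389, flags={"ACK"}),
    "ntp_reply":        dict(proto="udp", src="198.51.100.9", sport=123, dst="24.187.228.122", dport=51005),
}


def run(acl_text=ACL_102, packets=SAMPLE_PACKETS):
    """Evaluate every sample packet and return {name: (action, matching line)}."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, line) in run().items():
        print(f"{name:17s} -> {action:6s} {line or '(implicit deny)'}")
```

The last two results are the ones to take away: an ACK-only segment that belongs to no connection is let through, because ‘established’ inspects flags rather than sessions, and a UDP reply other than DNS is dropped. A stateful inspection feature on the router (CBAC via ‘ip inspect’, or the zone-based firewall) tracks sessions instead and handles both cases properly.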

LAN and NAT Configuration

We will need to configure NAT so that internal users can access the Internet. Internal users will be set up on the 10.0.0.0/24 subnet.

!
! Set up a VLAN with an IP of 10.0.0.1 on the 10.0.0.0/24 subnet
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0
!
! Define VLAN 1 as a NAT inside interface
!
ip nat inside
!
! Configure DHCP pool ‘vlan1pool’
!
ip dhcp pool vlan1pool
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 167.206.7.4
!
! Reserve some IP addresses to be configured statically
!
ip dhcp excluded-address 10.0.0.1 10.0.0.30
!
! Define your WAN port as a NAT outside interface
!
interface FastEthernet4
ip nat outside
!
! Configure an access list that specifies the subnet to be NAT’d
!
access-list 103 remark NAT
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
!
! Translate the source address of packets arriving on the inside interface that
! match access list 103 to the IP configured on the WAN interface (FastEthernet4).
! The overload option (PAT) lets many inside addresses share the single public IP
! by telling sessions apart by port number.
!
ip nat inside source list 103 interface FastEthernet4 overload

IPSec VPN

!
! Configure a pool of IPs to hand out to VPN clients, called ‘vpn-pool’
!
ip local pool vpn-pool 172.16.1.1 172.16.1.65
!
! Configure an access list that identifies which traffic is sent through the
! tunnel (the split-tunnel list handed to clients below). The second entry,
! 10.0.0.0/8, already covers the first.
!
access-list 104 remark VPN
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip 10.0.0.0 0.255.255.255 any
!
! Configure the ISAKMP (IKEv1 phase 1) policy. 3DES and DH group 2 are
! deprecated today; where the IOS release supports it, ‘encr aes 256’,
! ‘hash sha256’ and ‘group 14’ are the stronger choices. With no ‘hash’ line the
! policy uses SHA-1. Policy 2 below is identical to policy 1 and can be omitted.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
! Configure the ISAKMP client with a group name of ‘vpn’
!
crypto isakmp client configuration group vpn
!
! Set the ISAKMP pre-shared key as ‘mypsk’
!
key mypsk
!
! Configure the DNS servers to use for VPN connections
!
dns 167.206.112.138 167.206.7.4
!
! Configure the domain
!
domain snabbr.com
!
! Apply the local vpn pool
!
pool vpn-pool
!
! Apply ACL 104
!
acl 104
!
! If you want users to be able to save their login info in their VPN clients,
! add this line
!
save-password
!
! Configure the IPSec transform-set called ‘ESP-3DES-SHA’
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Configure a crypto dynamic-map
!
crypto dynamic-map crypto-dynmap 1
set security-association lifetime seconds 3600
set transform-set ESP-3DES-SHA
qos pre-classify
!
! Configure a crypto map that ties together XAUTH user authentication (list
! vpn-xauth-fa4), group authorization (list vpn-group-fa4; both lists are defined
! below), client address assignment, and the dynamic map.
!
crypto map crypto-map client authentication list vpn-xauth-fa4
crypto map crypto-map isakmp authorization list vpn-group-fa4
crypto map crypto-map client configuration address respond
crypto map crypto-map 65535 ipsec-isakmp dynamic crypto-dynmap
!
! Add the authentication and authorization method lists, all backed by the local
! user database. (The rtr-remote lists are defined here but are not referenced by
! the crypto map above.)
aaa authentication login default local
aaa authentication login rtr-remote local
aaa authentication login vpn-xauth-fa4 local
aaa authorization network rtr-remote local
aaa authorization network vpn-group-fa4 local
!
! Define new user ‘remote’ with limited privileges (level 0) to be used for VPN
! access, identified by password ‘mypassword3’
!
username remote privilege 0 secret mypassword3
!
! Apply the crypto map to the external WAN interface
!
interface FastEthernet4
crypto map crypto-map
!
! We also need to permit the VPN protocols (ESP, ISAKMP and NAT-T) in inbound ACL 102
!
access-list 102 permit esp any host 24.187.228.122
access-list 102 permit udp any host 24.187.228.122 eq isakmp
access-list 102 permit udp any host 24.187.228.122 eq non500-isakmp
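The parameters chosen in this section (3DES, DH group 2, SHA-1 by default) and the telnet left enabled on the vtys in the Router Authentication section are the items a reviewer of this config would flag first. As an added check, not code from the article or from Cisco, here is a small Python audit that reads the page’s own ISAKMP policy, transform-set and vty lines (pasted in as the sample input, indented the way ‘show running-config’ prints them) and reports weak or duplicated settings. The rule set and the suggested replacements are assumptions made for this example, not an official Cisco checker.

```python
"""Small audit of the article's IKEv1/IPSec and vty settings, added as an example
(not the article's or Cisco's code). The input below is the page's own
configuration; the rules and thresholds are assumptions made for this example."""

# The relevant lines from the article, indented as 'show running-config' prints them.
CONFIG = """\
line vty 0 4
 transport input telnet ssh
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map crypto-dynmap 1
 set security-association lifetime seconds 3600
 set transform-set ESP-3DES-SHA
"""

# Assumed rule set: retire DES/3DES, MD5/SHA-1 and Diffie-Hellman groups below 2048 bits.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}            # 'sha' in an isakmp policy means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}
TRANSFORM_ADVICE = {"esp-des": "esp-aes 256", "esp-3des": "esp-aes 256",
                    "esp-md5-hmac": "esp-sha256-hmac", "esp-sha-hmac": "esp-sha256-hmac"}


def parse_sections(text):
    """Group indented sub-commands under their parent command: [(header, [subcommands])]."""
    sections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(text=CONFIG):
    """Return a list of finding strings, in configuration order."""
    findings = []
    seen = {}  # settings tuple -> policy number, used to spot duplicate policies
    for header, body in parse_sections(text):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            num = words[-1]
            # IOS defaults when a line is absent: encr des, hash sha (SHA-1), group 1
            settings = {"encr": "des", "hash": "sha", "group": "1"}
            settings.update(dict(sub.split(None, 1) for sub in body))
            if settings["encr"] in WEAK_ENCR:
                findings.append(f"isakmp policy {num}: '{settings['encr']}' is deprecated; use 'encr aes 256'")
            if settings["hash"] in WEAK_HASH:
                findings.append(f"isakmp policy {num}: hash '{settings['hash']}' is SHA-1 or MD5; use 'hash sha256'")
            if settings["group"] in WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {num}: DH group {settings['group']} is below 2048 bits; use 'group 14' or higher")
            key = tuple(sorted(settings.items()))
            if key in seen:
                findings.append(f"isakmp policy {num} duplicates policy {seen[key]} and can be removed")
            else:
                seen[key] = num
        elif header.startswith("crypto ipsec transform-set"):
            name = words[3]
            for transform in words[4:]:
                if transform in TRANSFORM_ADVICE:
                    findings.append(f"transform-set {name}: {transform} is legacy; use {TRANSFORM_ADVICE[transform]}")
        elif header.startswith("line vty"):
            for sub in body:
                if sub.startswith("transport input") and "telnet" in sub.split():
                    findings.append(f"{header}: telnet is enabled ('{sub}'); use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

Run against the page’s lines it reports the telnet transport, the 3DES/SHA-1/group 2 choices in both policies, the duplicated policy 2, and the two legacy transforms; a policy written with AES-256, SHA-256 and group 14 produces no findings.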

Default Route

!
! Configure traffic destined to an unknown location to leave the
! FastEthernet4 interface. On an Ethernet WAN this form relies on the ISP
! router answering proxy ARP for every destination, so the next-hop form below
! is usually preferred; one of the two is enough.
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
! Configure traffic destined to an unknown location to be forwarded to the
! ISP’s next-hop IP address
!
ip route 0.0.0.0 0.0.0.0 24.187.228.121

Save your work!

copy running-config startup-config

Please leave some comments and let me know how this worked out for you.
