So you bought this great Cisco IOS router for a whopping $50 on eBay or Amazon and would like to put it to work at your home. I do not blame you. Even an ancient model of Cisco router may provide greater flexibility and more options than some standard consumer Netgear or Syslink router. The huge question is how do you configure your (not-so-) shiny and (not-so-) new Cisco router to be used at home. Many features of newer GUI-based routers can be configured from within the browser. With an older Cisco router, in order to configure it, we will dive right into the IOS CLI.

Before we start: in my case this is a Cisco 870 router, but you can use this tutorial to configure most of the older Cisco routers for home use. As you may have guessed, step number one is to make sure you have a console connection to your router. Once you are in, make a note of its interfaces by running
show ip interfaces brief
… or as a Cisco engineer would put it:
sh ip int br
In my case my router had 5 interfaces labeled accordingly: FastEthernet0, FastEthernet1, FastEthernet2, FastEthernet3 and FastEthernet4. Your hardware may be different. For example, you may have GigabitEthernet1/1 and GigabitEthernet1/2. The only reason this is important is that you will need to determine which interface to plug the network cable from your modem into (aka “external”) and which interface(s) to plug the network cable(s) connecting to your equipment or home hub/switch into (aka “internal”). In my case I am using FastEthernet4 for the external connection and FastEthernet0/1/2/3 for internal connections. So without further ado, here is the configuration file.
hostname Router-1
!
no logging console
no logging monitor
enable password mypassword
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
! yes, we will be creating a DHCP server and DHCP scope
! on your Cisco router
!
ip dhcp pool my-dhcp-pool
 network 192.168.1.0 255.255.255.0
 dns-server 184.108.40.206
 default-router 192.168.1.1
!
! let us use Google's DNS server for all DNS queries
!
ip name-server 220.127.116.11
!
interface FastEthernet0
 switchport access vlan 10
 no shut
!
! plug your home equipment into the next 3 interfaces
!
interface FastEthernet1
 switchport access vlan 10
 no shut
!
interface FastEthernet2
 switchport access vlan 10
 no shut
!
!
interface FastEthernet3
 switchport access vlan 10
 no shut
!
! this is the configuration of the interface connecting to your ISP
! as you see, it is configured to run a DHCP client
! once you are done configuring, you can check if it works
! by running 'show ip interface brief'
! and confirming that FastEthernet4 obtained a true internet address
!
interface FastEthernet4
 description *** Outside ISP ***
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
vlan 10
 name MyHome_VLAN_192.168.1.0/24
!
!
interface Vlan 10
 description *** Inside LAN ***
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip classless
!
no ip http server
ip nat inside source list 102 interface FastEthernet4 overload
!
! Access list 101 basically says:
! Do not allow anyone to initiate TCP connections from the outside
! Only allow pings from the outside
!
! as written, it also permits every ICMP type and all inbound UDP
! ('permit udp any any'); the list is stateless, so 'established'
! simply matches TCP segments that have the ACK or RST bit set
!
ip access-list logging interval 10
logging history notifications
access-list 101 permit tcp any any established
access-list 101 permit icmp any any
access-list 101 permit udp any any
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
!
line con 0
 password MyPassword
 login
line aux 0
line vty 0 4
 password MyPassword
 login
!
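If you would like to “punch a hole” in your external access list in order to allow a specific protocol from a specific source to a specific destination, you can insert lines similar to these. Access list 101 is evaluated top-down and the first matching entry wins, so these permit lines have to sit above the final 'deny ip any any' entry.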
! these 3 lines allow telnet and RDP traffic
! from any internet address which begins with 69.1.1.x
access-list 101 permit tcp 69.1.1.0 0.0.0.255 any eq telnet
access-list 101 permit tcp 69.1.1.0 0.0.0.255 any eq 3389
access-list 101 permit tcp 69.1.1.0 0.0.0.255 any eq 3390
! these 3 lines map external requests for telnet
! to internal device 192.168.1.100
! it also allows to
! RDP to internal PC 192.168.1.110 on port 3389
! and
! RDP to internal PC 192.168.1.120 on port 3390
!
! only from internet IP addresses beginning with 69.1.1.x
!
! telnet is TCP port 23, matching 'eq telnet' in access list 101
! FastEthernet4 is the outside (ISP) interface in this configuration
!
ip nat inside source static tcp 192.168.1.100 23 interface FastEthernet4 23
ip nat inside source static tcp 192.168.1.110 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.120 3390 interface FastEthernet4 3390
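To check where such a permit line ends up relative to the final deny, this added example (not part of the original tutorial) models access list 101 with first-match evaluation in Python and runs a few constructed packets through it. The tuple layout, the evaluate helper and the sample packets are assumptions made for the illustration; 69.1.1.0/24 is the 69.1.1.x range from the comments above.

```python
from ipaddress import ip_address, ip_network

# Entry: (action, protocol, source network or None for "any", dst port, established)
ACL_101 = [
    ("permit", "tcp", None, None, True),    # permit tcp any any established
    ("permit", "icmp", None, None, False),  # permit icmp any any
    ("permit", "udp", None, None, False),   # permit udp any any
    ("deny", "ip", None, None, False),      # deny ip any any
]
# The tutorial's telnet hole for the 69.1.1.x range.
TELNET_HOLE = ("permit", "tcp", ip_network("69.1.1.0/24"), 23, False)


def evaluate(acl, pkt):
    """Return (action, index) of the first entry that matches pkt."""
    for idx, (action, proto, src, dport, est) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if src is not None and ip_address(pkt["src"]) not in src:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        # 'established' is a stateless test: ACK or RST bit set on the segment.
        if est and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return action, idx
    return "deny", None  # implicit deny that ends every IOS access list


# Constructed sample packets arriving on the outside interface.
SYN_TELNET = {"proto": "tcp", "src": "69.1.1.20", "dport": 23, "flags": {"SYN"}}
SYN_OTHER = {"proto": "tcp", "src": "203.0.113.9", "dport": 23, "flags": {"SYN"}}
REPLY = {"proto": "tcp", "src": "198.51.100.7", "dport": 51000, "flags": {"ACK"}}
UDP_ANY = {"proto": "udp", "src": "203.0.113.9", "dport": 40000}

appended = ACL_101 + [TELNET_HOLE]                    # typed after the existing list
inserted = ACL_101[:3] + [TELNET_HOLE] + ACL_101[3:]  # placed above the deny

if __name__ == "__main__":
    samples = (("SYN 69.1.1.20 -> 23", SYN_TELNET), ("SYN 203.0.113.9 -> 23", SYN_OTHER),
               ("TCP reply (ACK)", REPLY), ("UDP 40000", UDP_ANY))
    for name, acl in (("appended", appended), ("inserted", inserted)):
        for label, pkt in samples:
            print(f"{name:9} {label:22} {evaluate(acl, pkt)}")
```

With the hole appended after 'deny ip any any', the telnet SYN from 69.1.1.20 is still denied by entry 3; placed above the deny, it is permitted while other sources stay blocked.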
Just a reminder: in a Cisco configuration file, anything preceded by a ‘!’ is ignored, which is how the comments above are written. Don’t forget to back up your router configuration! I hope you enjoyed your journey in the world of 20 year old Cisco routers. Enjoy and stay tuned!