Cisco 806 Router Software Configuration Guide

Book Contents

Find Matches in This Book

Available Languages

Download Options

Book Title

Cisco 806 Router Software Configuration Guide

Chapter Title

Network Scenarios

PDF - Complete Book (1.23 MB) PDF - This Chapter (399.0 KB)
View with Adobe Reader on a variety of devices

Results

Chapter: Network Scenarios

Virtual Private Network
Small Office/Telecommuter with Basic Security
Small Office/Telecommuter with Business-Class Security
Small Office/Telecommuter with Business-Class Security and Enterprise Applications
Ethernet Gateway

Network Scenarios

This chapter includes several network scenarios and their configurations for the Cisco 806 router. This chapter is useful if you are building a new network and want some guidance. If you already have a network set up and you want to add specific features, see "Feature-by-Feature Router Configurations."

The following scenarios are included:

•Virtual Private Network

•Small Office/Telecommuter with Basic Security

•Small Office/Telecommuter with Business-Class Security

•Small Office/Telecommuter with Business-Class Security and Enterprise Applications

•Ethernet Gateway

Each scenario is described in this chapter; a network diagram and configuration network examples are provided as models on which you can pattern your network. They cannot, however, anticipate all of your network needs. You can choose not to use features presented in the examples, or you can choose to add or substitute features that better suit your needs.

Note When you configure Ethernet interfaces, be aware that Ethernet 0 is the interface for hubbed ETHERNET ports 1 through 4, which support the local area network (LAN) on the premises, and Ethernet 1 is the interface for the INTERNET ETHERNET port.

Virtual Private Network

Figure 2-1 shows how the Cisco 806 router can be used in a virtual private network (VPN). The Cisco 806 router is linked to the Internet service provider (ISP) via a digital subscriber line (DSL) or a cable modem. Security is provided via IP security (IPSec) configuration.

Figure 2-1 Virtual Private Network

The following topics are covered in this section:

•Configuring Internet Protocol Parameters

•Configuring an Access List

•Configuring IPSec

•Configuring a Generic Routing Encapsulation Tunnel Interface

•Configuring the Ethernet Interfaces

•Configuring Static Routes

•Configuration Example

To configure additional features for this network, see "Feature-by-Feature Router Configurations."

Configuring Internet Protocol Parameters

Perform the following tasks to configure Internet Protocol (IP) parameters, starting in global configuration mode.


	Command	Task
Step 1	ip subnet-zero	Configure the router to recognize the zero subnet range as the valid range of addresses.
Step 2	no ip finger	Block incoming IP finger packets.
Step 3	no ip domain-lookup	Disable the router from interpreting unfamiliar words (typographical errors) entered during a console session as host names.
Step 4	ip classless	Follow classless routing forwarding rules.

Configuring an Access List

Use the access-list command to create an access list that permits the GRE protocol, and that specifies the starting and ending IP addresses of the GRE tunnel. Use the following syntax:

access-list 101 permit gre host ip-address host ip-address

In the preceding command line, the first host ip-address specifies the tunnel starting point, and the second host ip-address refers to the tunnel end point.

Configuring IPSec

Perform the following tasks to configure IPSec, starting in global configuration mode.


	Command	Task
Step 1	crypto isakmp policy 10	Define an Internet Key Exchange (IKE) policy, and assign the policy a priority. This command places the router in IKE policy configuration mode.
Step 2	hash md5	Specify the md5 hash algorithm for the policy.
Step 3	authentication pre-share	Specify pre-share key as the authentication method.
Step 4	exit	Exit IKE policy configuration mode.
Step 5	crypto isakmp key name address ip-address	Configure a pre-shared key and static IP address for each VPN client.
Step 6	crypto ipsec transform-set name esp-des esp-md5-hmac	Define a combination of security associations to occur during IPSec negotiations.
Step 7	crypto map name local-address ethernet 1	Create a crypto map, and specify and name an identifying interface to be used by the crypto map for IPSec traffic.
Step 8	crypto map name seq-num ipsec-isakmp	Enter crypto map configuration mode, and create a crypto map entry in IPSec ISAKMP mode.
Step 9	set peer ip-address	Identify the remote IPSec peer.
Step 10	set transform-set name	Specify the transform set to be used.
Step 11	match address access-list-id	Specify an extended access list for the crypto map entry.
Step 12	exit	Exit crypto map configuration mode.

Configuring a Generic Routing Encapsulation Tunnel Interface

Perform the following tasks to configure generic routing encapsulation (GRE) tunnel interface, starting in global configuration mode.


	Command	Task
Step 1	interface tunnel 0	Configure the Tunnel 0 interface.
Step 2	ip address ip-address subnet-mask	Set the IP address and subnet mask for the Tunnel 0 interface.
Step 3	tunnel source ethernet 1	Specify the Ethernet 1 interface as the tunnel source.
Step 4	tunnel destination default-gwy-ip-address	Specify the default gateway as the tunnel destination.
Step 5	crypto map name	Associate a configured crypto map to the Tunnel 0 interface.
Step 6	exit	Exit Tunnel 0 interface configuration.

Configuring the Ethernet Interfaces

Perform the following tasks to configure the Ethernet 0 and Ethernet 1 interfaces, starting in global configuration mode.


	Command	Task
Step 1	interface ethernet 0	Configure the Ethernet 0 interface.
Step 2	ip address ip-address subnet-mask	Set the IP address and subnet mask for the Ethernet 0 interface.
Step 3	exit	Exit Ethernet 0 interface configuration.
Step 4	interface ethernet 1	Configure the Ethernet 1 interface.
Step 5	ip address ip-address subnet-mask	Set the IP address and subnet mask for the Ethernet 1 interface.
Step 6	crypto map name	Associate a crypto map with the Ethernet 1 interface.
Step 7	end	Exit router configuration mode.

Configuring Static Routes

Perform the following tasks to configure static routes, starting in global configuration mode.


	Command	Task
Step 1	ip route default-gateway-ip-address mask ethernet 1	Create a static route for the Ethernet 1 interface.
Step 2	ip route default-gateway-ip-address mask tunnel 0	Create a static route for the Tunnel 0 interface.
Step 3	ip route default-gateway-ip-address mask gateway-of-last-resort	Create a static route to the gateway of last resort.
Step 4	end	Exit router configuration mode.

Configuration Example

This sample configuration shows IPSec being used over a GRE tunnel.You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the
show running-config command.

version 12.2

no service single-slot-reload-enable

no service pad (default)

service timestamps debug uptime (default)

service timestamps log uptime (default)

no service password-encryption (default)

hostname 806-uut1

logging rate-limit console 10 except errors

no logging console

enable password lab

username 3620-1 password 0 testme

ip subnet-zero

no ip finger

no ip domain-lookup

crypto isakmp policy 10

 hash md5

 authentication pre-share

crypto isakmp key cisco123 address 140.10.10.6

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap local-address Ethernet1

crypto map mymap 10 ipsec-isakmp

 set peer 140.10.10.6

 set transform-set myset

 match address 101

interface Tunnel0

 ip address 11.0.0.1 255.0.0.0

 tunnel source Ethernet1

 tunnel destination 140.10.10.6

 crypto map mymap

interface Ethernet0

 ip address 192.168.2.100 255.255.255.0

interface Ethernet1

 ip address 140.10.10.5 255.255.255.0

 crypto map mymap

ip classless (default)

ip route 140.10.10.0 255.255.255.0 Ethernet1

ip route 192.168.1.0 255.255.255.0 Tunnel0

ip route 192.168.1.0 255.255.255.0 140.10.10.6

ip http server (default)

access-list 101 permit gre host 140.10.10.5 host 140.10.10.6

line con 0

 exec-timeout 0 0

 transport input none

 stopbits 1

line vty 0 4

 password lab

 login

scheduler max-task-time 5000

end

Small Office/Telecommuter with Basic Security

Figure 2-2 shows how the Cisco 806 router can be used to provide basic security to users in a small office or to a single telecommuter. The router is either connected to an xDSL modem or to a cable modem that has a connection to an ISP. The router is configured to provide private IP addresses to the devices connected to it, fast switching services, and basic security in the form of access lists and virtual private networking. The router uses Point-to-Point Protocol (PPP) over Ethernet, enabling the computer systems connected to the router to continue to use PPP to connect to the ISP. Private addressing for devices on the premises is provided by network address translation (NAT).

Figure 2-2 Small Office/Telecommuter with Basic Security Configuration

The following topics are covered in this section:

•Configuring the IP Parameters

•Configuring Dynamic Host Configuration Protocol Parameters

•Configuring a Virtual Private Dial-Up Network

•Configuring the Ethernet Interfaces

•Configuring the Dialer Interface

•Configuring the Access List

•Configuration Example

To configure additional features for this network, see "Feature-by-Feature Router Configurations."

Configuring the IP Parameters

Perform the following tasks to configure IP parameters, starting in global configuration mode.


	Command	Task
Step 1	ip subnet-zero	Configure the router to recognize the zero subnet range as the valid range of addresses.
Step 2	no ip finger	Block incoming IP finger packets.
Step 3	no ip domain-lookup	Disable the router from interpreting unfamiliar words (typographical errors) entered during a console session as host names.
Step 4	ip classless	Follow classless routing forwarding rules.

Configuring Dynamic Host Configuration Protocol Parameters

Perform the following tasks to configure Dynamic Host Configuration Protocol (DHCP), starting in global configuration mode.


	Command	Task
Step 1	ip dhcp excluded-address low-ip-address high-ip-address	Prevent DHCP from assigning one or more IP addresses.
Step 2	ip dhcp pool name	Enter DHCP configuration mode, and create a pool of IP addresses that can be assigned to DHCP clients.
Step 3	network address subnet-mask	Specify a range of IP addresses that can be assigned to the DHCP clients.
Step 4	default-router ip-address	Specify the default router.
Step 5	dns-server ip-address	Specify the DNS server.

Configuring a Virtual Private Dial-Up Network

Complete the following tasks to configure a virtual private dial-up network (VPDN), starting in global configuration mode.


	Command	Task
Step 1	vpdn enable	Enable VPDN.
Step 2	no vpdn logging	Disable VPDN logging.
Step 3	vpdn-group tag	Configure a VPDN group.
Step 4	request-dialin	Specify the dialing mode.
Step 5	protocol pppoe	Specify the tunneling protocol as PPPoE.
Step 6	end	Exit router configuration mode.

Configuring the Ethernet Interfaces

Configure the Ethernet interfaces by performing the following tasks, starting in global configuration mode.


	Command	Task
Step 1	interface ethernet 0	Configure the Ethernet 0 interface.
Step 2	ip address ip-address subnet-mask	Set the IP address and subnet mask for the Ethernet 0 interface.
Step 3	ip nat inside	Establish the Ethernet 0 interface as the inside interface.
Step 4	ip route-cache	Enable fast-switching cache for outgoing packets.
Step 5	ip tcp adjust-mss 1452	Set the maximum segment size (MSS) of TCP SYN packets. When this command is entered for Ethernet 0, it is automatically added to the Ethernet 1 interface configuration.
Step 6	exit	Exit Ethernet 0 interface configuration.
Step 7	interface ethernet 1	Configure the Ethernet 1 interface.
Step 8	no ip address	Disable IP addressing for the Ethernet 1 interface.
Step 9	pppoe enable	Enable PPPoE as protocol.
Step 10	pppoe-client dial-pool-number 1	Create the PPPoE dial pool.
Step 11	end	Exit router configuration.

Configuring the Dialer Interface

Complete the following tasks to configure the dialer interface, starting in global configuration mode.


	Command	Task
Step 1	ip route default-gateway-ip-address mask dialer 0	For the Dialer 0 interface, set the IP route for the default gateway.
Step 2	interface dialer 0	Enter Dialer 0 interface configuration.
Step 3	ip address negotiated	Specify that the IP address is to be negotiated over PPP.
Step 4	ip mtu 1492	Set the size of the IP maximum transmission unit (MTU).
Step 5	ip nat outside	Establish the Dialer 0 interface as the outside interface.
Step 6	encapsulation ppp	Set the encapsulation type to PPP.
Step 7	dialer pool 1	Specify the dialer pool to be used.
Step 8	dialer-group 1	Assign this interface to a dialer list.
Step 9	ppp authentication chap	Set the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
Step 10	exit	Exit Dialer 0 interface configuration.

Configuring the Access List

The following steps will configure an access list that will enable the user to run any Transmission Control Protocol (TCP) application, but it will block other applications.

Complete the following tasks, starting in global configuration mode.


	Command	Task
Step 1	ip nat inside source list tag interface dialer 0 overload	Configure the NAT parameters for the Dialer 0 interface.
Step 2	access-list tag permit ip address wildcard-bits	Configure an access list that permits IP traffic.

Configuration Example

The configuration example that follows shows configurations for DHCP, VPDN, PPPoE, and access lists. Access list configurations in this example will allow TCP applications such as FTP, Telnet, and HTTP.

You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.

version 12.2

no service single-slot-reload-enable

no service pad (default)

service timestamps debug uptime (default)

service timestamps log uptime (default)

no service password-encryption (default)

hostname router1

no logging buffered

logging rate-limit console 10 except errors

ip subnet-zero

no ip finger

no ip domain-lookup

ip dhcp excluded-address 192.168.1.1

dhcp pool PrivateNet

 network 192.168.1.0 255.255.255.0

 default-router 192.168.1.1

 dns-server 140.10.10.1

no ip dhcp-client network-discovery

vpdn enable

vpdn-group 1

 request-dialin

  protocol pppoe

interface Ethernet0

 ip address 192.168.1.1 255.255.255.0

 ip tcp adjust-mss 1452 (required for router to reach all websites)

 ip nat inside

 ip route-cache

interface Ethernet1

 no ip address

 ip tcp adjust-mss 1452

 pppoe enable

 pppoe-client dial-pool-number 1

interface Dialer0

 ip address 140.10.10.5 255.255.255.0

 ip nat outside

 ip mtu 1492

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 ppp authentication chap

ip classless

! ACL For Nat

access-list 101 permit ip 192.168.1.0 0.255.255.255 any

ip nat inside source list 101 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

line con 0

 exec-timeout 0 0

 transport input none

 stopbits 1

line vty 0 4

login

scheduler max-task-time 5000

end

Small Office/Telecommuter with Business-Class Security

Figure 2-3 shows how the Cisco 806 router can be used to provide business-class security to a small office or to a telecommuter. Besides configuring the security features described in the "Small Office/Telecommuter with Basic Security" section, the network administrator has configured the router to inspect the application-layer protocols of the packets that arrive. The Cisco 806 router is connected either to a DSL modem or to a cable modem in this configuration. The router uses PPPoE and private addressing provided by NAT.

Figure 2-3 Business Class Security Configuration

This section includes the following topics:

•Configuring the IP Parameters

•Configuring DHCP

•Configuring a Set of Inspection Rules

•Configuring a VPDN

•Configuring the Ethernet Interfaces

•Configuring the Dialer Interface

•Configuring the Access List

•Configuration Example

To configure additional features for this network, see "Feature-by-Feature Router Configurations."

Configuring the IP Parameters

Perform the following tasks to configure the IP parameters, starting in global configuration mode.


	Command	Task
Step 1	ip subnet-zero	Configure the router to recognize the zero subnet range as the valid range of addresses.
Step 2	no ip finger	Block incoming IP finger packets.
Step 3	no ip domain-lookup	Disable the router from interpreting unfamiliar words (typographical errors) entered during a console session as host names.
Step 4	ip classless	Follow classless routing forwarding rules.

Configuring DHCP

Perform the following tasks to configure DHCP, starting in global configuration mode.


	Command	Task
Step 1	ip dhcp excluded-address low-ip-address high-ip-address	Prevent DHCP from assigning one or more IP addresses.
Step 2	ip dhcp pool name	Enter DHCP configuration mode, and create a pool of IP addresses that can be assigned to DHCP clients.
Step 3	network address subnet-mask	Specify a range of IP addresses that can be assigned to the DHCP clients.
Step 4	default-router ip-address	Specify the default router.
Step 5	dns-server ip-address	Specify the DNS server.

Configuring a Set of Inspection Rules

Specify which protocols to examine by using the ip inspect name command. For each protocol you want to inspect, enter a line in global configuration mode, using the following syntax:

ip inspect name inspection-name protocol timeout seconds

Use the same inspection-name in multiple statements to group them into one set of rules that can be referenced elsewhere in the configuration.

Configuring a VPDN

Complete the following tasks to configure a VPDN, starting in global configuration mode.


	Command	Task
Step 1	vpdn enable	Enable VPDN.
Step 2	no vpdn logging	Disable VPDN logging.
Step 3	vpdn-group tag	Configure a VPDN group.
Step 4	request-dialin	Specify the dialing mode.
Step 5	protocol pppoe	Specify the tunneling protocol as PPPoE.
Step 6	end	Exit router configuration mode.

Configuring the Ethernet Interfaces

Configure the Ethernet interfaces by performing the following tasks, starting in global configuration mode.


	Command	Task
Step 1	interface ethernet 0	Configure the Ethernet 0 interface.
Step 2	ip address ip-address subnet-mask	Set the IP address and subnet mask for the Ethernet 0 interface.
Step 3	ip nat inside	Establish the Ethernet 0 interface as the inside interface.
Step 4	ip route-cache	Enable fast-switching cache for outgoing packets.
Step 5	ip tcp adjust-mss 1452	Set the maximum segment size (MSS) of TCP SYN packets. When this command is entered for Ethernet 0, it is automatically added to the Ethernet 1 interface configuration.
Step 6	exit	Exit Ethernet 0 interface configuration.
Step 7	interface ethernet 1	Configure the Ethernet 1 interface.
Step 8	no ip address	Disable IP addressing for the Ethernet 1 interface.
Step 9	pppoe enable	Enable PPPoE as protocol.
Step 10	pppoe-client dial-pool-number 1	Create the PPPoE dial pool.
Step 11	end	Exit router configuration.

Configuring the Dialer Interface

Complete the following tasks to configure the dialer interface, starting in global configuration mode.


	Command	Task
Step 1	ip route default-gateway-ip-address mask dialer 0	For the Dialer 0 interface, set the IP route for the default gateway.
Step 2	interface dialer 0	Enter Dialer 0 interface configuration.
Step 3	ip address ip-address subnet-mask	Specify the IP address and subnet mask for the Dialer 0 interface.
Step 4	ip mtu 1492	Set the size of the IP maximum transmission unit (MTU).
Step 5	ip nat outside	Establish the Dialer 0 interface as the outside interface.
Step 6	encapsulation ppp	Set the encapsulation type to PPP.
Step 7	dialer pool 1	Specify the dialer pool to be used.
Step 8	dialer-group 1	Assign this interface to a dialer list.
Step 9	ppp authentication chap	Set the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
Step 10	ip access-group tag in	Specify an access list to apply to inbound packets.
Step 11	ip inspect name in	Specify the set of inspection criteria to apply to inbound packets.
Step 12	ip route-cache	Enable fast-switching cache for outgoing packets.
Step 13	exit	Exit Dialer 0 interface configuration.

Configuring the Access List

The following configuration steps will configure a firewall that will allow TCP sessions originating from the local area network (LAN), but will block all TCP sessions that originate on the wide area network (WAN).

Complete the following tasks, starting in global configuration mode.


	Command	Task
Step 1	ip nat inside source list tag interface dialer 0 overload	Configure the NAT parameters for the Dialer 0 interface.
Step 2	access-list tag deny ip host 255.255.255.255 any	Configure an access list that blocks all traffic originating outside the firewall.
Step 3	access-list tag deny ip ip-address 0.0.0.255 any	Configure an access list that prevents spoofing.
Step 4	access-list tag permit icmp any any message-type	Allow Internet Control Message Protocol (ICMP) messages of the specified type to be exchanged.

Configuration Example

The Dialer 0 interface is the WAN interface. Therefore, all access lists and inspect lists are applied to that interface. The firewall configured in this example will allow TCP and User Datagram Protocol (UDP) connections that originate inside the firewall. However, any connection that originates outside the firewall would be blocked, except for certain types of ICMP packets.

You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.

version 12.2

no service single-slot-reload-enable

no service pad (default)

service timestamps debug uptime (default)

service timestamps log uptime (default)

no service password-encryption (default)

hostname router1

no logging buffered

logging rate-limit console 10 except errors

ip subnet-zero

no ip finger

no ip domain-lookup

ip dhcp excluded-address 192.168.1.1

dhcp pool PrivateNet

 network 192.168.1.0 255.255.255.0

 default-router 192.168.1.1

 dns-server 140.10.10.1

ip inspect name myfw tcp alert on

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw ftp timeout 3600

ip inspect name myfw http timeout 3600

ip inspect name myfw rcmd timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip inspect name myfw tcp timeout 3600

ip inspect name myfw h323 timeout 3600

vpdn enable

vpdn-group 1

 request-dialin

  protocol pppoe

interface Ethernet0

 ip address 192.168.1.1 255.255.255.0

 ip tcp adjust-mss 1452 (required for router to reach all websites)

 ip nat inside

 ip route-cache

interface Ethernet1

 no ip address

 ip tcp adjust-mss 1452

 pppoe enable

 pppoe-client dial-pool-number 1

interface Dialer0

 ip address 140.10.10.5 255.255.255.0

 ip nat outside

 ip inspect myfw out

 ip access-group 105 in

 ip mtu 1492

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 ppp authentication chap

ip classless

!for blocking all traffic originating from outside premises

access-list 105 deny ip host 255.255.255.255 any

!Done for antispoofing

access-list 105 deny ip 192.168.1.0 0.0.0.255 any

!done to permit administrative ICMP messages

access-list 105 permit icmp any any echo-reply

access-list 105 permit icmp any any time-exceeded

access-list 105 permit icmp any any packet-too-big

access-list 105 permit icmp any any traceroute

access-list 105 permit icmp any any unreachable

! ACL For Nat

access-list 101 permit ip 192.168.1.0 0.255.255.255 any

ip nat inside source list 101 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

line con 0

 exec-timeout 0 0

 transport input none

 stopbits 1

line vty 0 4

login

scheduler max-task-time 5000

end

Small Office/Telecommuter with Business-Class Security and Enterprise Applications

This scenario includes the business-class security features described in Small Office/Telecommuter with Business-Class Security, and includes support for enterprise applications such as NetMeeting. It also supports multicasting, which enables users at the premises to share a single data stream to the Cisco 806 router for things like video-on-demand presentations and video conferencing, thus conserving network bandwidth.

Figure 2-4 shows three branch offices linked to a headquarters office using xDSL modems or cable modems that connect to an ISP.

Figure 2-4 Business-Class Security and Enterprise Applications Configuration

This section includes the following topics:

•Configuring the IP Parameters

•Configuring Multicast Routing

•Configuring DHCP

•Configuring a Set of Inspection Rules

•Configuring a VPDN

•Configuring the Ethernet Interfaces

•Configuring the Dialer Interface

•Configuring the Access List

•Configuration Example

To configure additional features for this network, see "Feature-by-Feature Router Configurations."

Configuring the IP Parameters

Perform the following tasks to configure the IP parameters, starting in global configuration mode.


	Command	Task
Step 1	ip subnet-zero	Configure the router to recognize the zero subnet range as the valid range of addresses.
Step 2	no ip finger	Block incoming IP finger packets.
Step 3	no ip domain-lookup	Disable the router from interpreting unfamiliar words (typographical errors) entered during a console session as host names.
Step 4	ip classless	Follow classless routing forwarding rules.

Configuring Multicast Routing

Configure multicast routing by completing the following tasks, starting in global configuration mode.


	Command	Task
Step 1	ip multicast-routing	Enable IP multicast forwarding.
Step 2	ip pim rp-address address	Configure the Protocol Independent Multicasting (PIM) Rendezvous Point (RP) address.

Configuring DHCP

Configure DHCP by completing the following tasks, starting in global configuration mode.


	Command	Task
Step 1	ip dhcp excluded-address low-ip-address high-ip-address	Prevent DHCP from assigning one or more IP addresses.
Step 2	ip dhcp pool name	Enter DHCP configuration mode, and create a pool of IP addresses that can be assigned to DHCP clients.
Step 3	network address subnet-mask	Specify a range of IP addresses that can be assigned to the DHCP clients.
Step 4	default-router ip-address	Specify the default router.
Step 5	dns-server ip-address	Specify the DNS server.

Configuring a Set of Inspection Rules

Specify which protocols to examine by using the ip inspect name command. For each protocol you want to inspect, enter a line in global configuration mode, using the following syntax:

ip inspect name inspection-name protocol timeout seconds

Use the same inspection-name in multiple statements to group them into one set of rules that can be referenced elsewhere in the configuration.

Configuring a VPDN

Complete the following tasks to configure a VPDN, starting in global configuration mode.


	Command	Task
Step 1	vpdn enable	Enable VPDN.
Step 2	no vpdn logging	Disable VPDN logging.
Step 3	vpdn-group tag	Configure a VPDN group.
Step 4	request-dialin	Specify the dialing mode.
Step 5	protocol pppoe	Specify the tunneling protocol as PPPoE.
Step 6	end	Exit router configuration mode.

Configuring the Ethernet Interfaces

Configure the Ethernet interfaces by performing the following tasks, starting in global configuration mode.


	Command	Task
Step 1	interface ethernet 0	Configure the Ethernet 0 interface.
Step 2	ip address ip-address subnet-mask	Set the IP address and subnet mask for the Ethernet 0 interface.
Step 3	ip nat inside	Establish the Ethernet 0 interface as the inside interface.
Step 4	ip pim sparse-mode	Enable PIM sparse-mode operation.
Step 5	ip route-cache	Enable fast-switching cache for outgoing packets.
Step 6	ip tcp adjust-mss 1452	Set the maximum segment size (MSS) of TCP SYN packets. When this command is entered for Ethernet 0, it is automatically added to the Ethernet 1 interface configuration.
Step 7	exit	Exit Ethernet 0 interface configuration.
Step 8	interface ethernet 1	Configure the Ethernet 1 interface.
Step 9	no ip address	Disable IP addressing for the Ethernet 1 interface.
Step 10	pppoe enable	Enable PPPoE as the protocol.
Step 11	pppoe-client dial-pool-number tag	Create a PPPoE dial pool.
Step 12	end	Exit router configuration.

Configuring the Dialer Interface

Complete the following tasks to configure the dialer interface, starting in global configuration mode.


	Command	Task
Step 1	ip route default-gateway-ip-address mask dialer 0	For the Dialer 0 interface, set the IP route for the default gateway.
Step 2	interface dialer 0	Enter Dialer 0 interface configuration.
Step 3	ip address negotiated	Specify that the IP address is to be negotiated over PPP.
Step 4	ip mtu 1492	Set the size of the IP maximum transmission unit (MTU).
Step 5	ip nat outside	Establish the Dialer 0 interface as the outside interface.
Step 6	encapsulation ppp	Set the encapsulation type to PPP.
Step 7	dialer pool 1	Specify the dialer pool to be used.
Step 8	dialer-group 1	Assign this interface to a dialer list.
Step 9	ppp authentication chap	Set the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
Step 10	ip access-group tag in	Specify a configured access list to apply to inbound packets.
Step 11	ip inspect name in	Specify the set of inspection criteria to apply to inbound packets.
Step 12	ip pim sparse-mode	Enable PIM sparse-mode operation.
Step 13	ip route-cache	Enable fast-switching cache for outgoing packets.
Step 14	exit	Exit Dialer 0 interface configuration.

Configuring the Access List

Complete the following configuration steps to configure a firewall that will allow TCP sessions originating from the local area network (LAN), but will block all TCP sessions that originate on the wide area network (WAN).

Complete the following tasks, starting in global configuration mode.


	Command	Task
Step 1	ip nat inside source list tag interface dialer 0 overload	Configure the NAT parameters for the Dialer 0 interface.
Step 2	access-list tag deny ip host 255.255.255.255 any	Configure an access list that blocks all traffic originating outside the firewall.
Step 3	access-list tag deny ip ip-address 0.0.0.255 any	Configure an access list that prevents spoofing.
Step 4	access-list tag permit icmp any any message-type	Allow Internet Control Message Protocol (ICMP) messages of the specified type to be exchanged.

Configuration Example

The configuration example that follows shows configurations for DHCP, VPDN, PPPoE, IP multicasting, and firewalls. The firewalls configured in this example will allow TCP and UDP connections that originate from the premises. However, any connection that originates outside the firewall would be blocked. Access list configurations will allow TCP applications such as FTP, Telnet, and HTTP, while blocking raw IP packets.

You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.

Note Multicasting is configured in PIM sparse mode. The user must change the IP address of the RP server manually.

version 12.2

no service single-slot-reload-enable

no service pad (default)

service timestamps debug uptime (default)

service timestamps log uptime (default)

no service password-encryption (default)

hostname router1

no logging buffered

logging rate-limit console 10 except errors

ip subnet-zero

no ip finger

no ip domain-lookup

ip dhcp excluded-address 192.168.1.1

dhcp pool PrivateNet

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 140.10.10.1

!Multicast Protocol - PIM

ip multicast-routing

ip pim rp-address 192.168.20.3

ip inspect name myfirewall tcp alert on

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw ftp timeout 3600

ip inspect name myfw http timeout 3600

ip inspect name myfw rcmd timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip inspect name myfw tcp timeout 3600

ip inspect name myfw h323 timeout 3600

no ip dhcp-client network-discovery

vpdn enable

vpdn-group 1

 request-dialin

  protocol pppoe

interface Ethernet0

 ip address 192.168.1.1 255.255.255.0

 ip pim sparse-mode

 ip tcp adjust-mss 1452 (required for router to reach all websites)

 ip nat inside

interface Ethernet1

 no ip address

 ip tcp adjust-mss 1452

 pppoe enable

 pppoe-client dial-pool-number 1

interface Dialer0

 ip address 140.10.10.5 255.255.255.0

 ip pim sparse-mode

 ip access-group 102 out

 ip nat outside

 ip inspect myfw out

 ip access-group 105 in

 ip mtu 1492

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 ppp authentication chap

 ip route-cache

ip classless

!for blocking all traffic originating from outside premises

access-list 105 deny ip host 255.255.255.255 any

!Done for antispoofing

access-list 105 deny ip 192.168.1.0 0.0.0.255 any

!done to permit administrative ICMP messages

access-list 105 permit icmp any any echo-reply

access-list 105 permit icmp any any time-exceeded

access-list 105 permit icmp any any packet-too-big

access-list 105 permit icmp any any traceroute

access-list 105 permit icmp any any unreachable

! ACL For Nat

access-list 101 permit ip 192.168.1.0 0.255.255.255 any

ip nat inside source list 101 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

line con 0

 exec-timeout 0 0

 transport input none

 stopbits 1

line vty 0 4

login

scheduler max-task-time 5000

end

Ethernet Gateway

The configuration for this scenario is identical to the configuration described in the "Small Office/Telecommuter with Business-Class Security and Enterprise Applications" section. In this case, however, the Cisco 806 router connects to a long-reach Ethernet (LRE) modem or to an Ethernet switch, as shown in Figure 2-5. Remote offices and telecommuters can be carried by a metropolitan area network (MAN), or an ISPs network.

Figure 2-5 Ethernet Gateway Configuration

See the "Small Office/Telecommuter with Business-Class Security and Enterprise Applications" section for configuration instructions and a configuration example.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

Cisco 806 Router Software Configuration Guide

Results

Chapter: Network Scenarios

Network Scenarios

Virtual Private Network

Configuring Internet Protocol Parameters

Configuring an Access List

Configuring IPSec

Configuring a Generic Routing Encapsulation Tunnel Interface

Configuring the Ethernet Interfaces

Configuring Static Routes

Configuration Example

Small Office/Telecommuter with Basic Security

Configuring the IP Parameters

Configuring Dynamic Host Configuration Protocol Parameters

Configuring a Virtual Private Dial-Up Network

Configuring the Ethernet Interfaces

Configuring the Dialer Interface

Configuring the Access List

Configuration Example

Small Office/Telecommuter with Business-Class Security

Configuring the IP Parameters

Configuring DHCP

Configuring a Set of Inspection Rules

Configuring a VPDN

Configuring the Ethernet Interfaces

Configuring the Dialer Interface

Configuring the Access List

Configuration Example

Small Office/Telecommuter with Business-Class Security and Enterprise Applications

Configuring the IP Parameters

Configuring Multicast Routing

Configuring DHCP

Configuring a Set of Inspection Rules

Configuring a VPDN

Configuring the Ethernet Interfaces

Configuring the Dialer Interface

Configuring the Access List

Configuration Example

Ethernet Gateway

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions