Help setting up a Cisco 871 Router for Home...

Answered Question
Mar 29th, 2013

cadet alain Fri, 03/29/2013 - 11:05

Hi,


1)

    config t
    vlan 10
     name Staff
    vlan 20
     name Guest

2)

    config t
    int vlan 10
     ip address 192.168.10.254 255.255.255.0
    int vlan 20
     ip address 192.168.20.254 255.255.255.0

    no ip dhcp conflict logging
    ! Exclusions leave .100-.200 in each subnet for DHCP clients
    ip dhcp excluded-address 192.168.10.201 192.168.10.254
    ip dhcp excluded-address 192.168.20.201 192.168.20.254
    ip dhcp excluded-address 192.168.10.1 192.168.10.99
    ip dhcp excluded-address 192.168.20.1 192.168.20.99
    ip dhcp pool vlan10-pool
     network 192.168.10.0 /24
     default-router 192.168.10.254
     dns-server 8.8.8.8
    ip dhcp pool vlan20-pool
     network 192.168.20.0 /24
     default-router 192.168.20.254
     dns-server 8.8.8.8

3)

    config t
    int fa4
     ip address dhcp

4)

    config t
    int fa0
     switchport mode access
     switchport access vlan 20
    int fa1
     switchport mode access
     switchport access vlan 10
    int fa2
     switchport mode access
     switchport access vlan 10
    int fa3
     switchport mode access
     switchport access vlan 10



Regards


Alain



Don't forget to rate helpful posts.

Correct Answer
blau grana Fri, 03/29/2013 - 13:08

Hello Andrew,


Alain provided you the entire configuration for what you requested, but I think that you also need to configure NAT to be able to access the internet from the LAN PCs.

The reason for this is that you obtain the WAN IP address and default route from the ISP, for example:

    IP: 10.0.0.1
    Mask: 255.255.255.0
    Gateway: 10.0.0.254

But your ISP assumes that you have connected only one PC, so only the IP address 10.0.0.1 will have access to the internet. The ISP will drop all traffic from 192.168.10.0/24 and 192.168.20.0/24 because these networks are unknown to the ISP. So you need to NAT your internal networks to your WAN IP 10.0.0.1.

Here is the configuration:

    ! deny = do not translate (LAN-to-LAN), permit = translate (LAN to anywhere else)
    ip access-list extended NAT_ACL
     deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.10.0 0.0.0.255 any
     permit ip 192.168.20.0 0.0.0.255 any
     deny   ip any any
    route-map NAT_MAP
     match ip address NAT_ACL
    ! Overload (PAT) everything the route-map matches onto the WAN interface address
    ip nat inside source route-map NAT_MAP interface FastEthernet4 overload
    interface Vlan10
     ip nat inside
    interface Vlan20
     ip nat inside
    interface FastEthernet4
     ip nat outside

One last thing: it is not necessary, but maybe you would like to restrict users in the Guest VLAN from accessing your internal network:

    ip access-list extended Restrict_GUESTS
     deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 any
     deny   ip any any

    ! Applied inbound on the guest SVI, so it filters traffic arriving from guest hosts
    interface Vlan20
     ip access-group Restrict_GUESTS in


Best Regards

Please rate all helpful posts and close solved questions
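How IOS evaluates the two ACLs above, as an added example that is not part of the original post: a small Python model of first-match, wildcard-mask evaluation, run over constructed sample flows. In NAT_ACL a permit means "translate"; the hosts ending in .100 and all function names are assumptions, and 192.168.1.1 stands in for any private network beyond the router that Restrict_GUESTS does not name.

```python
import ipaddress

# ACL entries copied from the post above; the evaluation logic is added here.
NAT_ACL = """
deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
deny   ip any any
"""
RESTRICT_GUESTS = """
deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
deny   ip any any
"""

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def take_addr(tokens):
    # Consume 'any' or '<address> <wildcard>' and return (address, wildcard).
    first = tokens.pop(0)
    return (0, 0xFFFFFFFF) if first == "any" else (to_int(first), to_int(tokens.pop(0)))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()   # only 'ip' entries occur here
        entries.append((action, take_addr(rest), take_addr(rest)))
    return entries

def matches(ip, spec):
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # wildcard bits set to 1 are "don't care"
    return (to_int(ip) & care) == (addr & care)

def evaluate(acl_text, src, dst):
    for action, s, d in parse_acl(acl_text):
        if matches(src, s) and matches(dst, d):
            return action               # first matching entry wins
    return "deny"                       # implicit deny at the end of every ACL

def verdicts(staff="192.168.10.100", guest="192.168.20.100"):
    # Constructed sample flows; 192.168.1.1 stands for any other private network.
    return {"nat staff->guest": evaluate(NAT_ACL, staff, guest),
            "nat staff->8.8.8.8": evaluate(NAT_ACL, staff, "8.8.8.8"),
            "guest->staff": evaluate(RESTRICT_GUESTS, guest, staff),
            "guest->192.168.1.1": evaluate(RESTRICT_GUESTS, guest, "192.168.1.1")}
```

verdicts() shows that guest traffic to the staff subnet is denied, while guest traffic to any other private address reachable through the router, here 192.168.1.1, is still permitted.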

andrewyoon33 Fri, 03/29/2013 - 15:37

Didn't work... Couldn't get to the internet or ping 8.8.8.8

My current setup for this would be:

I have my Cisco 871 connected to the LAN port off the Verizon Router... (Verizon Router IP: 192.168.1.1)

The IP address I am using on the Cisco WAN fa4 port is 192.168.1.2 /24. My machine won't reach out to the internet from the computer... DHCP is working fine and I can get an IP of 192.168.10.x or 192.168.20.x; I am also able to ping the interface 192.168.10.x or 192.168.20.x.

Still confused on why I can't reach out to the internet...


Below is my current config:

    Building configuration...

    Current configuration : 4260 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname P1-Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5
    enable password 7
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-
    !
    !
    crypto pki certificate chain TP-self-signed-
            quit
    dot11 syslog
    ip cef
    !
    !
    no ip dhcp use vrf connected
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.10.1 192.168.10.99
    ip dhcp excluded-address 192.168.20.1 192.168.20.99
    !
    ip dhcp pool vlan10-pool
       network 192.168.10.0 255.255.255.0
       default-router 192.168.10.1
       dns-server 192.168.1.1 8.8.8.8
    !
    ip dhcp pool vlan20-pool
       network 192.168.20.0 255.255.255.0
       default-router 192.168.20.1
       dns-server 192.168.1.1 8.8.8.8
    !
    !
    no ip domain lookup
    ip domain name P1.COM
    ip inspect name MYFW tcp
    ip inspect name MYFW udp
    !
    multilink bundle-name authenticated
    !
    !
    username admin privilege 15 password
    !
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
     switchport access vlan 10
    !
    interface FastEthernet1
     switchport access vlan 10
    !
    interface FastEthernet2
     switchport access vlan 20
    !
    interface FastEthernet3
     switchport access vlan 20
    !
    interface FastEthernet4
     ip address 192.168.1.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Vlan1
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan10
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Vlan20
     ip address 192.168.20.1 255.255.255.0
     ip access-group Restrict_GUESTS in
     ip nat inside
     ip virtual-reassembly
    !
    ip forward-protocol nd
    !
    !
    ip http server
    ip http secure-server
    ip nat inside source route-map NAT_MAP interface FastEthernet4 overload
    !
    ip access-list extended NAT-ACL
     deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.10.0 0.0.0.255 any
     permit ip 192.168.20.0 0.0.0.255 any
     deny   ip any any
    ip access-list extended Restrict_GUESTS
     deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 any
     deny   ip any any
    !
    !
    !
    !
    route-map NAT_MAP permit 10
     match ip address NAT-ACL
    !
    !
    control-plane
    !
    !
    line con 0
     password 7
     no modem enable
    line aux 0
    line vty 0 4
     password 7
    !
    scheduler max-task-time 5000
    end

blau grana Sat, 03/30/2013 - 02:46

Hello Andrew,


Can you provide the output of #tracert 8.8.8.8? Can you also provide the output of ping and traceroute 8.8.8.8 from the router?

The configuration seems OK.


Best Regards

Please rate all helpful posts and close solved questions

Correct Answer
kmccourt Sun, 03/31/2013 - 02:49

Try adding:

    ip route 0.0.0.0 0.0.0.0 192.168.1.1

If this doesn't work please post the output of:

    sh ip route
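A check for the gap this answer addresses, as an added example that is not code from the thread: a Python audit of a saved running config that flags a statically addressed NAT outside interface with no static default route, and a NAT route-map whose ACL is not defined. POSTED is a constructed excerpt of the config posted above; the function names are assumptions, and only extended named ACLs, as used in this thread, are recognised.

```python
import re

# Constructed excerpt: routing/NAT lines of the running config posted in this
# thread (static WAN address, NAT via route-map, no "ip route" statement).
POSTED = """\
interface FastEthernet4
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
ip nat inside source route-map NAT_MAP interface FastEthernet4 overload
ip access-list extended NAT-ACL
 permit ip 192.168.10.0 0.0.0.255 any
route-map NAT_MAP permit 10
 match ip address NAT-ACL
"""

def sections(config):
    """Group indented sub-commands under their unindented parent line."""
    out, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            parent = line.strip()
            out.setdefault(parent, [])
        elif parent:
            out[parent].append(line.strip())
    return out

def audit(config):
    """List gaps that keep translated LAN traffic from leaving the router."""
    sec, findings = sections(config), []
    static_default = any(p.startswith("ip route 0.0.0.0 0.0.0.0 ") for p in sec)
    for parent, subs in sec.items():
        # A DHCP-addressed WAN learns its default route; a static one does not.
        if ("ip nat outside" in subs and "ip address dhcp" not in subs
                and not static_default):
            findings.append("no default route via " + parent.split()[1])
        nat = re.match(r"ip nat inside source route-map (\S+) ", parent)
        if nat:
            wanted = [s.split()[3] for p, ss in sec.items() for s in ss
                      if p.split()[:2] == ["route-map", nat.group(1)]
                      and s.startswith("match ip address ")]
            if not wanted:
                findings.append("route-map " + nat.group(1) + " has no ACL match")
            findings += ["missing ACL " + a for a in wanted
                         if "ip access-list extended " + a not in sec]
    return findings
```

Run against POSTED, audit() reports the missing default route; appending the `ip route 0.0.0.0 0.0.0.0 192.168.1.1` line from this answer clears it.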

jawad-mukhtar Sun, 03/31/2013 - 04:30

I think the DNS and WAN IPs are not correct.

Can you provide me details of how you are connected to the ISP?

Router > ISP (if I am correct)

If you are connected as in the above scenario, verify with the ISP what DNS and WAN IP you will use.

luckystarr2 Tue, 10/07/2014 - 00:19

Hello!
What do you need this line for?

    deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

It almost works; I could ping 8.8.8.8 from the router, but the internet doesn't work on my laptop anyway.

Roberto Soto Mon, 10/07/2013 - 05:39

Hello, thanks for all this useful information. My plan is to get rid of my BT home router, but I have a few questions, if you don't mind:

1. How do you go about setting up the wireless SSIDs etc. on the same router? Could you point me in the right direction? I understand the logic of all these commands and the logic of why you did the subnetting between 192.168.10.254 and 192.168.20.254, but I'm quite lost with regard to the wireless settings.

2. How do you go about firewalling this router? At the moment, I have a BT home router which does basic firewall functions.


Many thanks in advance, and thanks everyone on this post; there is lot of useful information in here.


Regards,

cadet alain Mon, 10/07/2013 - 06:18

Hi,

For Firewalling you can use CBAC or Zone Based Firewall, here are some docs about these:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html


For Wireless it all depends on the router model.


Regards


Alain




Don't forget to rate helpful posts.

blau grana Mon, 10/07/2013 - 06:24

Hello Roberto,

Here are links to configure wifi on 871:

- https://supportforums.cisco.com/docs/DOC-16020

- http://www.piglet-net.net/tech/cisco/cisco-871W-simple.html

Zone-Based Policy Firewall

- http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Hope this helps you.


Best Regards

Please rate all helpful posts and close solved questions
