cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19137
Views
15
Helpful
10
Replies

Help setting up a Cisco 871 Router for Home...

andrewyoon33
Level 1
Level 1
2 Accepted Solutions

Accepted Solutions

Hello Andrew,

Alain provided you entire configuration of what you requested, but I think that you also need to configure NAT to be able to access internet from LAN PCs.

Reason for this is that you obtain WAN IP address and default route from ISP, for example:

IP: 10.0.0.1

Mask: 255.255.255.0

Gateway: 10.0.0.254

But your ISP assume that you have connect only one PC, so only 10.0.0.1 IP address will have acces to internet. ISP will drop all traffic from 192.168.10.0/24 and 192.168.20.0/24 because these networks are unknow for ISP. So you need to NAT your internal networks to your WAN IP 10.0.0.1.

Here is configuration:

ip access-list extended NAT_ACL

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any any

route-map NAT_MAP

match ip address NAT_ACL

ip nat inside source route-map NAT_MAP interface FastEthernet4 overload

interface Vlan10

ip nat inside

interface Vlan20

ip nat inside

interface FastEthernet4

ip nat outside

Last thing, it is not necessary, but maybe you would like to restrict users from Guest VLAN to access your internal network:

ip access-list extended Restrict_GUESTS

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any any

interface Vlan20

  ip access-group Restrict_GUESTS in

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

View solution in original post

Try adding:

ip route 0.0.0.0 0.0.0.0 192.168.1.1

If this doesn't work please post the output of:

sh ip route

View solution in original post

10 Replies 10

cadet alain
VIP Alumni
VIP Alumni

Hi,

1)

config t

vlan 10

name Staff

vlan 20

name Guest

2)

  config t

  int vlan 10

  ip address 192.168.10.254 255.255.255.0

  int vlan 20 

  ip address 192.168.20.254 255.255.255.0

no ip dhcp conflict-logging

ip dhcp excluded-address 192.168.10.201 192.168.10.254

ip dhcp excluded-address 192.168.20.201 192.168.20.254

ip dhcp excluded-address 192.168.10.1 192.168.10.99

ip dhcp excluded-address 192.168.20.1 192.168.20.99

ip dhcp pool vlan10-pool

network 192.168.10.0 /24

default-router 192.168.10.254

dns-server 8.8.8.8

ip dhcp pool vlan20-pool

network 192.168.20.0 /24

default-router 192.168.20.254

dns-server 8.8.8.8

3)

config t

int fa4

ip address dhcp

4)

   config t

   int fa0

   switchport mode access

   switchport access vlan 20

   int fa1

   switchport mode access

   switchport access vlan 10

   int fa2

   switchport mode access

   switchport access vlan 10

   int fa3

   switchport mode access

   switchport access vlan 10

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hello Andrew,

Alain provided you entire configuration of what you requested, but I think that you also need to configure NAT to be able to access internet from LAN PCs.

Reason for this is that you obtain WAN IP address and default route from ISP, for example:

IP: 10.0.0.1

Mask: 255.255.255.0

Gateway: 10.0.0.254

But your ISP assume that you have connect only one PC, so only 10.0.0.1 IP address will have acces to internet. ISP will drop all traffic from 192.168.10.0/24 and 192.168.20.0/24 because these networks are unknow for ISP. So you need to NAT your internal networks to your WAN IP 10.0.0.1.

Here is configuration:

ip access-list extended NAT_ACL

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any any

route-map NAT_MAP

match ip address NAT_ACL

ip nat inside source route-map NAT_MAP interface FastEthernet4 overload

interface Vlan10

ip nat inside

interface Vlan20

ip nat inside

interface FastEthernet4

ip nat outside

Last thing, it is not necessary, but maybe you would like to restrict users from Guest VLAN to access your internal network:

ip access-list extended Restrict_GUESTS

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any any

interface Vlan20

  ip access-group Restrict_GUESTS in

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Didnt work...  Couldnt get to the internet or ping 8.8.8.8

My current setup for this would be:

I have my Cisco 871 connected to the LAN port off the Verizon Router... (Verion Router IP: 192.168.1.1)

The IP Address I am using on the Cisco WAN fa4 port is 192.168.1.2 /24, My machine wont reach out to the internet from the computer...DHCP is working fine and I can get an IP of 192.168.10.x or 192.168.20.x also able to ping the interface 192.168.10.x or 192.168.20.x 

Still confused on why I cant reach out to the internet...

Below is my current config:

Building configuration...

Current configuration : 4260 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname P1-Router

!

boot-start-marker

boot-end-marker

!

enable secret 5

enable password 7

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-

!

!

crypto pki certificate chain TP-self-signed-

        quit

dot11 syslog

ip cef

!

!

no ip dhcp use vrf connected

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.10.1 192.168.10.99

ip dhcp excluded-address 192.168.20.1 192.168.20.99

!

ip dhcp pool vlan10-pool

   network 192.168.10.0 255.255.255.0

   default-router 192.168.10.1

   dns-server 192.168.1.1 8.8.8.8

!

ip dhcp pool vlan20-pool

   network 192.168.20.0 255.255.255.0

   default-router 192.168.20.1

   dns-server 192.168.1.1 8.8.8.8

!

!

no ip domain lookup

ip domain name P1.COM

ip inspect name MYFW tcp

ip inspect name MYFW udp

!

multilink bundle-name authenticated

!

!

username admin privilege 15 password

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface FastEthernet0

switchport access vlan 10

!

interface FastEthernet1

switchport access vlan 10

!

interface FastEthernet2

switchport access vlan 20

!

interface FastEthernet3

switchport access vlan 20

!

interface FastEthernet4

ip address 192.168.1.2 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

ip address 192.168.2.1 255.255.255.0

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip access-group Restrict_GUESTS in

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

!

!

ip http server

ip http secure-server

ip nat inside source route-map NAT_MAP interface FastEthernet4 overload

!

ip access-list extended NAT-ACL

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any any

ip access-list extended Restrict_GUESTS

deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip 192.168.20.0 0.0.0.255 any

deny   ip any any

!

!

!

!

route-map NAT_MAP permit 10

match ip address NAT-ACL

!

!

control-plane

!

!

line con 0

password 7

no modem enable

line aux 0

line vty 0 4

password 7

!

scheduler max-task-time 5000

end

Hello Andrew,

Can you provide output of #tracert 8.8.8.8, can you also provide output of ping and traceroute 8.8.8.8 from router?

Configuration seems OK.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Try adding:

ip route 0.0.0.0 0.0.0.0 192.168.1.1

If this doesn't work please post the output of:

sh ip route

I think so DNS and WAN Ips are not corect.

Can you provide me detials how you are connected to ISP.

Router > ISP (if i am correct)

If you are connecte like above scenerio verify from ISP what DNS and WAN IP you will use..

Jawad

Hello!
For waht do you need this line?

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

it almost work, i could ping 8.8.8.8 from the router, but internet doesn't work anyway on my laptop

Hello, thanks for all this useful information. My plan is to get rid of my BT home router, but I have a few questions:

if you dont mind:

1. How do you go about setting up the wireless ssids etc on same router? If you could point me on the right direction? I understand the logic of all these commands and the logic on why you did the subnetting between 192.168.10.254 and 192.168.20.254, but Im quite lost in regards wireless settings. 

2. How do you go about firewalling this router? Because at the moment, I have a BT home router who does basic firewal function?

Many thanks in advance, and thanks everyone on this post; there is lot of useful information in here.

Regards,

Hi,

For Firewalling you can use CBAC or Zone Based Firewall, here are some docs about these:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html

For Wireless it all depends on the router model.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hello Roberto,

Here are links to configure wifi on 871:

- https://supportforums.cisco.com/docs/DOC-16020

- http://www.piglet-net.net/tech/cisco/cisco-871W-simple.html

Zone-Based Policy Firewall

- http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Hope this helps you.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: