Basic configuration of the Cisco router. Access to the Internet.
Let’s see how to connect an office to the Internet using a Cisco router.
Let’s take Cisco 881 for example. Commands for configuration of other routers (1841, 2800, 3825…) will be the same. They may differ only in configuration of interfaces, i.e. their names and numbers.
The scheme includes
- an Internet connection with a static address
- several PCs in the office local network
- a router
- a switch for creating an office local network
Task: provide access for LAN computers to the Internet
Step 0. Clearing the configuration
The first thing to do when configuring a new router is to completely clear the startup configuration.
(Do it only on new or test devices!)
To do that, connect via a special console cable to the router console port, enter the command line and do the following:
Enter the privileged mode(#), you may need to enter a login name/password for that.
Erase the startup configuration
router# write erase
Reload the router
The router will reboot within 3 minutes and initial configuration dialog will appear. Type “no” and move to next step.
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets ''.
Would you like to enter the initial configuration dialog? [yes/no]:
The current router configuration will have only default technological lines, and you can start the main configuration.
Step 1. Device name
Use the hostname «device name» command to set a router name. It will help you in future.
router (config)#hostname R-DELTACONFIG
Step 2. Configuration of interfaces
We should configure two interfaces: external and internal ones.
The external interface will be used for connecting to the Internet. It will have the IP address and network mask provided by the ISP.
The internal interface will be configured for the local network 192.168.0.0 /24
For example, the ISP has provided us with the following addresses:
- Network 188.8.131.52
- Subnet mask 255.255.255.252 or /30
- Default gateway 184.108.40.206
Let’s configure the external interface: set an IP address and a network mask and enable it using the no shut command
interface Fa 4
ip address 220.127.116.11 255.255.255.252
Then, connect this router interface to the port of the provider’s equipment using a direct patch cord and check its availability with the ping command.
At first, the own interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Then, the adjacent address – a provider’s gateway
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/10 ms
After making sure that the provider’s gateway is available, we should configure the internal interface.
The local network will have the following addresses:
- Network 192.168.0.0
- Subnet mask 255.255.255.0
- Internal router address acting as an Internet gateway for all network hosts, 192.168.0.1
- I recommend starting the range of internal network addresses (users, printers, servers, etc.) with 192.168.0.5
- The max available address in this network is 192.168.0.254
- Let’s reserve addresses from 192.168.0.2 to 192.168.0.4 for emergency technological needs
To configure the internal interface of the local network, enter the Vlan 1 configuration mode, set an IP address and link it with one of the router’s physical interfaces (Fa 0).
interface Vlan 1
Ip address 192.168.0.1 255.255.255.0
Choose a physical router interface and link it with the virtual Vlan.
interface Fa 0
switchport access vlan 1
This could help for better understanding:
ip address => interface Vlan X => interface Fastethernet Y
The IP address is assigned to the Vlan X virtual interface, which is linked with the Fastethernet Y physical interface.
Connect the Fa 0 router interface to the switch with the working stations of the local network or directly with the administrator’s working station.
Then, check the availability of this router interface using the ping command from the command line.
Step 3. Configuration of the remote router access
You can access the router console not only using a console cable, but also remotely using the Telnet (data is transferred unsecure) and SSH (secure connection).
Let’s see how to configure the secure connection.
Enable the SSH version 2 protocol and set any domain name.
ip ssh ver 2
ip domain-name xxx.com
Generate the rsa keys required for connection. Enter 1024 at the request.
crypto key generate rsa
How many bits in the modulus : 1024
Set a user name with administrator rights and the password (*****)
username admin privilege 15 secret 0 *****
Enable authorization through the device local base (the user you have created a line before).
line vty 0 4
Set a password for the privileged mode.
enable secret 0 *****
Then, using a special program supporting the SSH protocol, you can remotely enter the router console from any working station of the local network. For authorization, enter the login name and password set earlier.
You can learn more about access to the device using the SSH protocol in this article.
Step 4. Default gateway
For routing of packages to the Internet, we should define a default gateway of the device.
ip route 0.0.0.0 0.0.0.0 126.96.36.199
After that, you can check not only availability of provider’s equipment, but of the whole Internet connection.
For that, launch ping to any address in the external network in digital format (I recommend configuring DNS for the local network after configuration of the router).
Let’s take the google’s address (188.8.131.52) for example.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 184.108.40.206, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/10 ms
Please, note that currently ping of external addresses works only (!) when launched from the management console by the router. Working stations of the local network do not have Internet access.
Step 5. Configuration of network address translation (NAT)
For Internet access from the local network, we should dynamically translate all internal addresses to a certain external IP address.
In our case, as the ISP gives us only with one external address 220.127.116.11 (defined by the /30 subnet mask as given in the example above), all local network addresses should be translated to it.
Define a list of internal addresses for translation to the external address.
ip access-list standard ACL_NAT
permit 192.168.0.0 0.0.0.255
Define the internal interface for translation.
Interface Vlan 1
ip nat inside
Define the external interface for translation.
Interface Fa 4
ip nat outside
Create the network address translation (NAT) rule.
ip nat inside source list ACL_NAT interface fa4
As a result, you should have Internet access from any workstation of the local network if their default gateway is the internal IP address of the router (192.168.0.1).
You can check this using the ping command to an Internet address from the command line. The address should be better in digital format to avoid potential problems with DNS names (Use 18.104.22.168 to check the connection).
Do not allow full Internet access from all local network addresses. After checking the connection, I recommend limiting the Internet access only to certain addresses – for example, a proxy server and working stations of the administrator/director.
You can learn more about how to do it in the article “a little about access lists”.
Don’t forget to save the changes you made to the configuration with the write or copy run start commands. Otherwise you will lose all changes after the next reload.
This article was written by Alexey Yurchenko