In this example, the router will use NAT to forward SMTP e-mail messages using port 25, secure and nonsecure web server requests using ports 80 and 443, as well as Microsoft Remote Web Workplace requests using port 4125 to a Microsoft server on your private network. This configuration also supports Microsoft PPTP connections to that server using port 1723 in conjunction with Cisco’s Generic Routing Encapsulation (GRE) protocol. This is a basic Cisco router configuration that will support a network with a Wndows Small Business Server.
Standard Setup
The standard setup contains the commands used to disable logging to your console, disable the Cisco Discovery Protocol (CDP), and set your router’s hostname and your company’s domain name. Implement the standard setup as follows:
Router> ena
Router# config t
Router(config)# no logging console ! Suppress console messages
Router(config)# no cdp run ! Disable Cisco discovery protocol
Router(config)# hostname lab-r1
lab-r1(config)# ip domain-name test.net ! Your domain nameLAN Interface:
Use the following commands to set a static IP address on your LAN interface and to secure your router by disabling some Cisco default features:
lab-r1(config)# int vlan1
lab-r1(config-if)# descr LAN switch ports on inside interface
lab-r1(config-if)# ip address 192.168.1.1 255.255.255.0 ! Private IP address
lab-r1(config-if)# no ip unreachables
lab-r1(config-if)# no ip redirects
lab-r1(config-if)# no ip proxy-arp
lab-r1(config-if)# ip virtual-reassembly
lab-r1(config-if)# no shutWAN Interface
The following example supplies all of the commands to configure your router’s WAN interface using a static IP address. It shows how to set the default gateway to your ISP and configure your router to use your ISP’s domain name servers to resolve Internet names to addresses.
ab-r1(config-if)# int fa4
lab-r1(config-if)# descr WAN interface to ISP using a STATIC IP
lab-r1(config-if)# ip address 66.238.5.254 255.25.255.0 ! Static IP from your ISP
lab-r1(config-if)# duplex auto
lab-r1(config-if)# speed auto
lab-r1(config-if)# no ip unreachables
lab-r1(config-if)# no ip redirects
lab-r1(config-if)# no ip proxy-arp
lab-r1(config-if)# ip virtual-reassembly
lab-r1(config-if)# no shut
lab-r1(config-if)# exit
lab-r1(config)# ip route 0.0.0.0 0.0.0.0 66.238.5.1 ! Provided by ISP (Gateway)
lab-r1(config)# ip name-server 66.238.5.2 66.238.5.3 ! Provided by ISPRouter Passwords
Use the following example to set the Cisco passwords for privileged EXEC mode and a local user on the router named “Admin” who is granted privileged EXEC mode upon logging in
lab-r1(config)# enable secret MyPass ! Privileged EXEC mode password
lab-r1(config)# user Admin privilege 15 secret MyPass ! Telnet user name and pass
lab-r1(config)# line vty 0 4 ! Telnet virtual terminal
lab-r1(config-line)# login localNAT Setup
The following commands show how to configure an ACL for NAT that permits all private hosts access to the Internet. It also configures port forwarding for
- SMTP (25),
- HTTP (80),
- HTTPS (443),
- Remote Web Workplace (4125),
- PPTP (1723).
lab-r1(config)# ip access-list extended NAT-ACL
lab-r1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any ! All local hosts
lab-r1(config-ext-nacl)# exit
lab-r1(config)# ip nat inside source list NAT-ACL interface fa4 overload
lab-r1(config)# ip nat inside source static tcp 192.168.1.2 25 int fa4 25
lab-r1(config)# ip nat inside source static tcp 192.168.1.2 80 int fa4 80
lab-r1(config)# ip nat inside source static tcp 192.168.1.2 443 int fa4 443
lab-r1(config)# ip nat inside source static tcp 192.168.1.2 4125 int fa4 4125
lab-r1(config)# ip nat inside source static tcp 192.168.1.2 1723 int fa4 1723
lab-r1(config)# int vlan1 ! Your LAN switch port
lab-r1(config-if)# ip nat inside
lab-r1(config-if)# int fa4 ! Your WAN port
lab-r1(config-if)# ip nat outside
lab-r1(config-if)# exitCBAC Firewall
Use the following commands to configure the Cisco CBAC firewall and the Cisco EIE.
lab-r1(config)# ip inspect name IPFW tcp
lab-r1(config)# ip inspect name IPFW udp
lab-r1(config)# ip inspect name IPFW cuseeme
lab-r1(config)# ip inspect name IPFW ftp
lab-r1(config)# ip inspect name IPFW tftp
lab-r1(config)# ip inspect name IPFW rcmd
lab-r1(config)# ip inspect name IPFW realaudio
lab-r1(config)# ip inspect name IPFW smtp
lab-r1(config)# ip inspect name IPFW h323
lab-r1(config)# ip inspect name IPFW sqlnet
lab-r1(config)# ip inspect name IPFW streamworks
lab-r1(config)# ip inspect name IPFW vdolive
lab-r1(config)# ip inspect name MAIL-FW smtp
lab-r1(config)# int fa4 ! Your WAN interface
lab-r1(config-if)# ip inspect IPFW out ! Apply CBAC to WAN interface out
lab-r1(config-if)# ip inspect MAIL-FW in ! Apply CBAC EIE to WAN interface in
lab-r1(config-if)# exitDHCP Server
If you do not have a DHCP server running on your network, you can use the following commands to configure one on your router:
lab-r1(config)# ip dhcp pool MYNET
lab-r1(dhcp-config)# network 192.168.1.0 255.255.255.0
lab-r1(dhcp-config)# domain-name geekvenue.net ! Your domain name
lab-r1(dhcp-config)# default-router 192.168.1.1 ! This router's address
lab-r1(dhcp-config)# dns-server 192.168.1.2 ! Your local DNS or ISPs
lab-r1(dhcp-config)# netbios-name-server 192.168.1.2 ! Your WINS (optional)
lab-r1(dhcp-config)# lease 0 2 ! 0 days & 2 hours
lab-r1(dhcp-config)# exit
lab-r1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.25 !Your static IPsIPFW Access List
Use the commands in the following example to set up an ACL that permits NAT to forward:
- SMTP (25),
- HTTP (80),
- HTTPS (443),
- Remote Web Workplace (4125),
- PPTP (1723).
This section also contains the rules to allow ping and traceroute replies.
lab-r1(config)# ip access-list extended IPFW-ACL ! Create a named ACL
!Allow Windows Small Business Server Services
lab-r1(config-ext-nacl)# permit tcp any host 66.238.5.254 eq smtp ! smtp
lab-r1(config-ext-nacl)# permit tcp any host 66.238.5.254 eq www ! http
lab-r1(config-ext-nacl)# permit tcp any host 66.238.5.254 eq 443 ! https
lab-r1(config-ext-nacl)# permit tcp any host 66.238.5.254 eq 4125 ! MS RWW
lab-r1(config-ext-nacl)# permit tcp any host 66.238.5.254 eq 1723 ! MS PPTP
! Allow Outbound Ping and Traceroute
lab-r1(config-ext-nacl)# permit icmp any any administratively-prohibited
lab-r1(config-ext-nacl)# permit icmp any any echo-reply
lab-r1(config-ext-nacl)# permit icmp any any packet-too-big
lab-r1(config-ext-nacl)# permit icmp any any time-exceeded
lab-r1(config-ext-nacl)# permit icmp any any traceroute
lab-r1(config-ext-nacl)# permit gre any any
lab-r1(config-ext-nacl)# deny ip any any log ! Deny and log ALL traffic
lab-r1(config-ext-nacl)# exit
lab-r1(config)# int fa4 ! WAN interface
lab-r1(config-if)# ip access-group IPFW-ACL in ! ACL on WAN interface
lab-r1(config-if)# exitVTY Access List
Following are the commands to secure your VTY lines with an ACL that only allows local hosts access to your router via the VTY line.
lab-r1(config)# ip access-list standard VTY-ACL
lab-r1(config-std-nacl)# permit 192.168.1.0 0.0.0.255 ! All local hosts
lab-r1(config-std-nacl)# exit
lab-r1(config)# line vty 0 4
lab-r1(config-line)# access-class VTY-ACL in
lab-r1(config-line)# login local
lab-r1(config-line)# transport input telnet ssh
lab-r1(config-line)# exitConfigure SSH (Version 2)
Following are the commands to secure your VTY lines with an ACL that only allows local hosts access to your router via the VTY line. This ACL is used to permit telnet and SSH connections to your router.
lab-r1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
lab-r1(config)#Encrypt All Router Passwords
Issue the service password-encryption command to ensure that no clear-text passwords are stored in your router’s configuration file. For example:
lab-r1(config)# service password-encryption
lab-r1(config)# exitSave the Configuration
After configuring your router, use the following commands to save your configuration:
lab-r1# copy run start
Destination filename [startup-config]? {press ENTER}