Cisco 887VA Configuration
Published: Saturday, 26 December 2015 07:33
Written by Jiri Kanicky
Reset to factory defaults
en
conf t
erase nvram:
write default-config
reload
Local user and line authentication
conf t
enable secret PASSWORD123
line vty 0 4
login local
exit
line console 0
login local
exit
username admin privilege 15 secret PASSWORD123
end
Set Hostname
conf t
hostname johny5
end
Disable DNS lookup of mistyped commands
conf t
no ip domain-lookup
end
Set Aliases
conf t
alias exec s show ip int br
alias exec sr show run
end
Synchronous logging on console and VTY lines
conf t
line console 0
logging synchronous
exit
line vty 0 4
logging synchronous
end
Set Clock
conf t
clock timezone EST +10
clock summer-time DST recurring first Sunday October 02:00 first Sunday April 03:00
clock set 02:56:59 3 January 2013
end
show clock
NTP servers
conf t
ntp server 1.au.pool.ntp.org
ntp server 0.au.pool.ntp.org
end
SNTP server
conf t
sntp server <ip_address>
end
SSH configuration
conf t
ip domain-name domain.tld
crypto key generate rsa modulus 1024
ip ssh version 2
end
LAN interface (VLAN 1)
conf t
interface Vlan 1
ip address 192.168.3.1 255.255.255.0
end
VDSL controller
conf t
controller vdsl 0
operating mode auto
end
PPPoE WAN interface (Dialer0)
conf t
interface Dialer0
description WAN Interface
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password 0 PASSWORD
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
end
ATM interface (PPPoE client on PVC 8/35)
conf t
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
no snmp trap link-status
pvc 8/35
tx-ring-limit 3
pppoe-client dial-pool-number 1
end
Dialer list
conf t
dialer-list 1 protocol ip permit
end
Show ADSL sync
Configure NAT
Create Access List for NAT (from LAN to WAN)
conf t
ip access-list extended aclAllowNat
remark --- Traffic allowed to be NATed from inside to out.
remark --- Block NAT traffic to RFC1918 addresses verbosely
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.x.0 0.0.0.255 any
end
Configure NAT
conf t
ip nat inside source list aclAllowNat interface Dialer0 overload
interface vlan1
ip nat inside
exit
interface dialer 0
ip nat outside
end
IP Route
ip route 0.0.0.0 0.0.0.0 Dialer0
Port Forwarding
Example of port forwarding:
Note: If you don't configure a DNS server on your 887VA, you will have to use the ISP's DNS servers in the DHCP server configuration.
Verify DNS
Router#sh ip name-server
Firewall Configuration
Create Access List for SSH to router access
conf t
ip access-list standard aclQuietMode
remark --- Enter Subnets allowed to SSH to router
permit 192.168.x.0 0.0.0.255
end
You have two options here: you can either use access-groups or services. Here is an example of both.
conf t
ip access-list extended private-to-internet
permit ip 192.168.30.0 0.0.0.255 any
end
Allow SIP from the internet to the private network only from one SIP provider (to prevent attacks)
conf t
ip access-list extended internet-to-private
permit tcp any host 192.168.30.10 eq 22
permit udp host 202.85.243.115 host 192.168.30.12 eq 5060
end
Note: Both SSH and SIP are also included in the port forwarding configuration.
Note: The class-maps specifying services use the match-any keyword to allow any of the listed services. The class-maps associating ACLs with the service class-maps use the match-all keyword, so both conditions in the class-map must be met for traffic to be allowed.
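To make the wildcard-mask logic of the aclAllowNat and internet-to-private lists above concrete, here is a small ACL evaluator written for this page (it is not part of the original post and not Cisco code). It applies IOS semantics (first matching entry wins, implicit deny at the end) to constructed packets; the 192.168.x.0 placeholder is assumed to be the VLAN 1 subnet 192.168.3.0/24.

```python
# Added example for this page (not from the post): evaluate IOS extended ACLs offline.
import ipaddress

def _parse_addr(tokens):
    """One IOS address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _wc_match(addr, spec):
    """IOS wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr,) + spec)
    return (a & ~w) == (n & ~w)

def parse_acl(text):
    """Parse the ACEs of an extended ACL (remarks skipped). Only 'eq' on the destination is handled."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, rest = _parse_addr(t[2:])
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for action, p, s, d, dp in aces:
        if p in ("ip", proto) and _wc_match(src, s) and _wc_match(dst, d) \
                and (dp is None or dp == dport):
            return action
    return "deny"

# ACLs from the post; the LAN placeholder 192.168.x.0 is filled in with the VLAN 1 subnet (assumption).
ACL_ALLOW_NAT = """
remark --- Traffic allowed to be NATed from inside to out.
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.3.0 0.0.0.255 any
"""
ACL_INTERNET_TO_PRIVATE = """
permit tcp any host 192.168.30.10 eq 22
permit udp host 202.85.243.115 host 192.168.30.12 eq 5060
"""
```

Running evaluate(parse_acl(ACL_ALLOW_NAT), "tcp", "192.168.3.20", "10.1.1.1", 443) returns "deny", showing that LAN traffic to RFC1918 space is kept out of NAT, while the same source to 8.8.8.8 returns "permit".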
conf t
policy-map type inspect private-to-internet-policy
class type inspect private-to-internet-class
inspect
exit
class class-default
drop log
end
Configure Zones:
conf t
zone security internet
zone security private
end
conf t
interface vlan 1
zone-member security private
end
conf t
interface dialer 0
zone-member security internet
end
Verify:
conf t
zone-pair security private-to-internet source private destination internet
service-policy type inspect private-to-internet-policy
zone-pair security internet-to-private source internet destination private
service-policy type inspect internet-to-private-policy
end
Verify:
Zone Self
Prevent access from public networks to the router: