Cisco 887VA Configuration

Category: myblog  Published: Saturday, 26 December 2015 07:33  Written by Jiri Kanicky

I have been thinking for some time about purchasing a Cisco ADSL modem to experiment with and learn new stuff. Finally the day came and my Cisco 887VA arrived.

In this article I will show you how to configure the Cisco 887VA ADSL router. This basic configuration is useful for any ADSL connection, whether at home or in a business.

Basic Cisco Configuration

Reset Device Configuration

These are privileged EXEC commands, not configuration-mode commands, so no conf t is needed: erasing NVRAM wipes the startup configuration and the reload boots the router without it.

en
erase nvram:
reload

After the reload you can choose to enter the basic management setup dialog or configure the router manually. Answer no to do it manually:

Would you like to enter basic management setup? [yes/no]: no

Change password encryption (you may skip this if the device does not support it)

Type 6 (AES) encryption needs a master key first, otherwise password encryption aes has nothing to encrypt with. service password-encryption obfuscates the remaining plain-text passwords in the running config (for example the PAP password on the dialer interface below) as type 7, which is reversible and only protects against shoulder surfing; enable secret and username ... secret are hashed regardless. MASTERKEY is a placeholder.

conf t
key config-key password-encrypt MASTERKEY
password encryption aes
service password-encryption
end

Secure user access

conf t
enable secret PASSWORD123
line vty 0 4
login local
exit
line console 0
login local
exit
username admin privilege 15 secret PASSWORD123
end

Set Hostname

conf t
hostname johny5
end

Disable DNS lookup of mistyped commands, so that a typo at the prompt is not treated as a hostname the router then tries to resolve while you wait. Note that this also stops the router resolving names for its own use (ntp server by hostname, ping by hostname) until ip domain lookup is turned back on in the DNS server section.

conf t
no ip domain-lookup
end

Set Aliases

conf t
alias exec s show ip int br
alias exec sr show run
end

Keep log messages from interrupting what you are typing (synchronous logging)

conf t
line console 0
logging synchronous
exit
line vty 0 4
logging synchronous
end

Log out after inactivity (minutes)

conf t
line console 0
exec-timeout 5
exit
line vty 0 4
exec-timeout 5
end

Set Clock (with Daylight Saving for Australia/Sydney)

The timezone and summer-time rules are configuration commands, but clock set is a privileged EXEC command, so it goes after end:

conf t
clock timezone EST +10
clock summer-time DST recurring first Sunday October 02:00 first Sunday April 03:00
end
clock set 02:56:59 3 January 2013
show clock

Set NTP Client

The pool servers are given by name, so this only works once name resolution is available (ip domain lookup enabled and a name server learned from the ISP or configured); otherwise enter the servers by IP address.

conf t
ntp server 1.au.pool.ntp.org
ntp server 0.au.pool.ntp.org
end

Set SNTP Client (on devices without an NTP client)

conf t
sntp server <ip_address>
end

SSH configuration

The RSA key is named after the hostname and domain name, so both must be set before generating it. A 1024-bit modulus is too short today; use 2048.

conf t
ip domain-name domain.tld
crypto key generate rsa modulus 2048
ip ssh version 2
end

Cisco 887va IP Configuration


Configure IP on VLAN interface

conf t
interface Vlan 1
ip address 192.168.3.1 255.255.255.0
end

Show VLANs and port assignment

show vlan-switch

Cisco 887va ADSL2+ Configuration


Configure ADSL (operating mode {auto | adsl1 | adsl2 | adsl2+ | vdsl2 | ansi})

conf t
controller vdsl 0
operating mode auto
end

Configure Dialer Interface

conf t
interface Dialer0
description WAN Interface
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password 0 PASSWORD
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
end

Note: password 0 stores the ISP password in clear text; with service password-encryption (see above) it is shown as type 7 in the running config. ppp ipcp route default installs a default route through the PPP session, which makes the static default route further down optional.

Configure ATM interface

conf t
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
no snmp trap link-status
pvc 8/35
tx-ring-limit 3
pppoe-client dial-pool-number 1
end

Create a dialer list and associate it with dialer group 1 (the dialer-group set on Dialer0); it defines which traffic is allowed to bring up the connection

conf t
dialer-list 1 protocol ip permit
end
Show ADSL sync

show controller VDSL 0

Note: You still have to configure NAT to get access to the internet.

Configure NAT
Create Access List for NAT (from LAN to WAN)

The deny lines keep traffic bound for private (RFC 1918) destinations, such as a VPN peer's LAN, from being translated; only the LAN subnet (replace 192.168.x.0 with yours) is NATed towards the internet.

conf t
ip access-list extended aclAllowNat
remark --- Traffic allowed to be NATed from inside to out.
remark --- Block NAT traffic to RFC1918 addresses verbosely
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.x.0 0.0.0.255 any
end

Configure NAT

conf t
ip nat inside source list aclAllowNat interface Dialer0 overload
interface vlan1
ip nat inside
exit
interface dialer 0
ip nat outside
end

Note: You should be able to ping the internet now, e.g. 8.8.8.8.

IP Route

conf t
ip route 0.0.0.0 0.0.0.0 Dialer0
end

Port Forwarding
Example of port forwarding (192.168.x.x is a placeholder for the internal host). Both entries expose a service on the public address; the zone-based firewall further down decides which sources may actually reach them.

ip nat inside source static tcp 192.168.x.x 22 interface Dialer0 22
ip nat inside source static udp 192.168.30.12 5060 interface Dialer0 5060
DNS Server Configuration

Router(config)#ip dns server
Router(config)#ip domain lookup

Note: ip domain lookup must be enabled again (it was disabled earlier) so that the router can forward your clients' queries to the ISP's name servers.

Note: If you don't run a DNS server on your 887VA, you will have to hand out the ISP's DNS servers in the DHCP server configuration instead.

Note: ip dns server answers on every interface, so make sure inbound DNS from the WAN is blocked (the internet-to-self zone policy at the end of this article drops it); otherwise you are running an open resolver.

Verify name servers assigned from ADSL connection

Router#sh ip name-server

Verify DNS

Router#sh ip dns view

DHCP Server Configuration

Router(config)#ip dhcp excluded-address 192.168.3.1 192.168.3.99
Router(config)#service dhcp
Router(config)#ip dhcp pool DHCP-POOL
Router(dhcp-config)#network 192.168.3.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.3.1
Router(dhcp-config)#dns-server 192.168.3.1
Router(dhcp-config)#domain-name home.local
Router(dhcp-config)#import all
Router(dhcp-config)#exit
Router(config)#end

Firewall Configuration
Create Access List for SSH access to the router

Defining the list is not enough: apply it to the vty lines with access-class. Because SSH and Telnet both arrive on the vty lines, one list covers both, and restricting the transport to SSH makes the separate Telnet list below unnecessary.

conf t
ip access-list standard aclQuietMode
remark --- Enter Subnets allowed to SSH to router
permit 192.168.x.0 0.0.0.255
exit
line vty 0 4
access-class aclQuietMode in
transport input ssh
end

Create Access List for Telnet access to the router (only needed if Telnet is left enabled)

conf t
ip access-list standard aclTelnet
remark --- Enter Subnets allowed to Telnet to router
permit 192.168.x.0 0.0.0.255
end
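On top of the access list and SSH-only transport on the vty lines, a few more settings close off the management plane. This is an added example, not part of the original post; the lockout and timeout values are my own choices, and aclQuietMode is the list defined above.

```cisco
! Added example (not from the original post): harden the management plane.
! Assumes the vty lines already carry "access-class aclQuietMode in" and
! "transport input ssh"; the timer values below are illustrative choices.
conf t
! Lock the login process for 120 s after 3 failed attempts within 60 s,
! and log each failure so brute-force attempts show up in syslog
login block-for 120 attempts 3 within 60
login on-failure log
! Tighten the SSH server: drop stalled negotiations and limit retries
ip ssh time-out 60
ip ssh authentication-retries 3
! Unless you use the web UI, switch off the HTTP server on all interfaces
no ip http server
no ip http secure-server
end
! Checks: the vty access list should be attached, SSHv2 only, HTTP disabled
show running-config | section line vty
show ip ssh
show ip http server status
```

The login block-for quiet period applies to all login attempts, including from the LAN, so keep the console available while testing it.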

Zone Based Firewall (2 zones)

Define class-maps that describe the traffic you want to permit between zones. You have two options: match on access groups or on services (protocols). Here is an example of both.

Option 1 (using access-groups)

Allow everything out to the internet:

conf t
ip access-list extended private-to-internet
permit ip 192.168.30.0 0.0.0.255 any
end

Allow SSH from the internet to one host, and SIP from the internet only from one SIP provider's address (anyone else probing port 5060 is dropped):

conf t
ip access-list extended internet-to-private
permit tcp any host 192.168.30.10 eq 22
permit udp host 202.85.243.115 host 192.168.30.12 eq 5060
end

Note: These two entries match the port-forwarding entries above, and the list names the internal (post-NAT) addresses of the forwarded hosts rather than the Dialer0 address. The SSH rule accepts any source; narrow it to known client addresses if you can.

conf t
class-map type inspect match-all private-to-internet-class
match access-group name private-to-internet
exit
class-map type inspect match-all internet-to-private-class
match access-group name internet-to-private
end

Option 2 (without access-groups, using services)

conf t
class-map type inspect match-any private-to-internet-class
match protocol tcp
match protocol udp
match protocol icmp
exit
class-map type inspect match-any internet-to-private-class
match protocol ssh
end

Note: The class-maps that list services use match-any, so any one of the listed protocols matches. Class-maps that combine an ACL with a service class-map use match-all, so both conditions must be met before traffic is allowed.

Configure a policy-map to inspect traffic on the class-maps you just defined. inspect permits the matched traffic statefully (return traffic is allowed automatically); everything else falls into class-default and is dropped and logged:

conf t
policy-map type inspect internet-to-private-policy
class type inspect internet-to-private-class
inspect
exit
class class-default
drop log
end

conf t
policy-map type inspect private-to-internet-policy
class type inspect private-to-internet-class
inspect
exit
class class-default
drop log
end

Configure Zones:

conf t
zone security internet
zone security private
end

Assign interfaces to their respective zones:

conf t
interface vlan 1
zone-member security private
end

conf t
interface dialer 0
zone-member security internet
end

Verify:

Router#show zone security

Configure Zone Pairs and apply the appropriate policy-map:

conf t
zone-pair security private-to-internet source private destination internet
service-policy type inspect private-to-internet-policy
zone-pair security internet-to-private source internet destination private
service-policy type inspect internet-to-private-policy
end

Verify:

show zone-pair security

Post configuration tasks

Optionally, change your NAT command to use the zone policy's access list instead of aclAllowNat. Note that private-to-internet lacks the RFC 1918 deny entries of aclAllowNat, so traffic to private destinations would then be translated as well; keep aclAllowNat if you need those exceptions.

from:

ip nat inside source list aclAllowNat interface Dialer0 overload

to:

ip nat inside source list private-to-internet interface Dialer0 overload

Zone Self

Restrict access from public networks to the router itself. The self zone exists implicitly; once a zone-pair towards it is defined, everything not matched by the policy is dropped. This policy passes only SSH and ICMP from the internet to the router and drops the rest (pass is stateless, unlike inspect). SSH from the whole internet to the router is still allowed by it, so the access-class on the vty lines remains the control on who may log in; remove the match protocol ssh line if you never manage the router from outside.

conf t
class-map type inspect match-any public-to-self-class
match protocol ssh
match protocol icmp
exit
policy-map type inspect public-to-self-policy
class type inspect public-to-self-class
pass
exit
class class-default
drop log
exit
exit
zone-pair security internet-to-self source internet destination self
description Inbound traffic from internet network to self
service-policy type inspect public-to-self-policy
end
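One consequence of the internet-to-self pair: because pass keeps no session state, replies to the router's own outbound traffic (NTP replies from the pool servers configured earlier, DNS answers the router forwards from the ISP, ping replies) arrive in the internet-to-self direction, fall into class-default and are dropped. The following is an added example, not from the original post, that inspects the self-to-internet direction so those replies are matched to the router's own sessions; the class-map, policy-map and zone-pair names are my own.

```cisco
! Added example (not from the original post): let the router's own outbound
! sessions (NTP, DNS, ping) get their replies back through the self zone.
! The class-map, policy-map and zone-pair names are chosen here.
conf t
! Self-zone inspection supports tcp, udp and icmp, which covers NTP, DNS and ping
class-map type inspect match-any self-to-internet-class
match protocol tcp
match protocol udp
match protocol icmp
exit
policy-map type inspect self-to-internet-policy
class type inspect self-to-internet-class
inspect
exit
class class-default
drop log
exit
exit
! Router-originated traffic towards the internet; inspect creates the session
! state that lets the matching replies through the internet-to-self pair
zone-pair security self-to-internet source self destination internet
description Router-originated traffic to the internet
service-policy type inspect self-to-internet-policy
end
! Checks: NTP should synchronise again, and unsolicited inbound packets
! should show up as drops on the internet-to-self pair
show ntp status
show policy-map type inspect zone-pair internet-to-self
```

Without this pair the router still forwards LAN traffic normally (that is handled by the private-to-internet inspection), but its own clock will drift and the DNS server on the router will stop answering clients, which is easy to mistake for an ISP problem.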

Last Updated: Wednesday, 13 January 2016 01:23

