9 Steps Setting Up Cisco Router | Networking content from Windows ... http://windowsitpro.



9 Steps to Setting Up a Cisco Router
Practical Networking and IOS
Michael Dragone | Windows IT Pro May 26, 2008


Executive Summary:

Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a
great way to experiment with networking concepts and gear and could be good for your
career development. Learn the basic steps of setting up a Cisco router to provide Internet
access to a small network.

Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a
great way to experiment with networking concepts and gear and could be good for your
career development. You can get some hands-on IOS experience by setting up a Cisco
router at the Internet edge in your test lab at work or in your home office. A Cisco router
allows you greater flexibility (with more granular controls than the Linksys or NETGEAR
hardware commonly used in home offices) if you later want to expand your setup to
include, say, a Microsoft ISA Server firewall on the back end.

Let’s go through the basic steps of setting up a Cisco router to provide Internet access to a
small network. I’ll assume you have some basic IOS knowledge, including how to log on
and how to save and clear configurations. I’ll also assume that you have a solid
understanding of networking, including what Network Address Translation (NAT) is. I
won’t cover items such as setting up Secure Shell (SSH) access and hardening access lists.
You can expand into those areas as you feel comfortable and want to experiment more.

What You’ll Need

You need a Cisco router with at least two Ethernet interfaces. An 806, 836, 851, or 871 is
ideal for a home or small office setup—in fact, that’s what those models are geared
towards. You can buy an 851 for a few hundred dollars from various online retailers.
However, a 2610 works just as well, and you might have one sitting in the equipment bin
at your office that you can ask to borrow.

Your router should have IOS 12.2 or later. This article is based on a Cisco 851W with IOS
12.4, including the IOS firewall feature set.

You also need a Cisco console cable (sometimes called a rollover cable). One end has an
eight-position, eight-conductor modular jack to connect to the router; the other end has a
DB-9 serial connector. In recent years, the console cables that Cisco has shipped with its
equipment have been light blue.

You need a computer with a DB-9 serial port. In my experience, USB-to-serial converters
work just fine for this application. You also need a computer with a terminal emulation
program. Hilgraeve’s HyperTerminal is available with Windows XP, but it was removed
from Windows Vista. Vista users can download HyperTerminal Private Edition 6.3.
Mac OS X users can Google for ZTerm, and Linux users, for minicom.

1 of 7 2014-08-20 07:41 PM

1. Connect the router to the PC, and start a terminal emulation program

Connect your router to your PC with the console cable, and fire up your terminal
emulation program. The port settings are 9600,8,N,1. If you’ve never before accessed a
device directly via an asynchronous serial connection, you might want to ask a Cisco
veteran for some assistance.

Start with the command enable to get into privileged EXEC mode. Then type the
command erase startup-config to get a blank configuration. Next, restart the router with
the reload command. Make sure to say no to an IOS prompt that asks if you’d like to enter
the initial configuration dialog.

These steps might sound confusing if you’ve worked only with Cisco devices that are up
and running in production. In that case, you’re probably more accustomed to using
Telnet, or preferably SSH, to configure the equipment. That isn’t an option when you
want to start with a blank configuration, which will prevent any Telnet or SSH access to
the equipment for the time being.

2. Identify the router’s interfaces

Take a look at the back of your router and identify which Ethernet ports you’ll be using for
what. One will connect to your WAN device, such as a cable modem; another will connect
to your LAN. If you’re using an 851W, like me, you’ll notice that the ports are labeled for
you—FastEthernet4 is the WAN interface and FastEthernet0 through FastEthernet3 are
the LAN interfaces. The 851 includes a built-in four-port switch, hence the four LAN

If your router’s interfaces aren’t labeled, you can type the command

show ip interface brief

from privileged EXEC mode to find the names.

3. Configure IP addresses

Now you can begin the actual setup. You should still be in privileged EXEC mode (if not,
enter the enable command), and start terminal configuration mode by entering

configure terminal

Type the command

no ip domain lookup

to prevent IOS from attempting to convert any spelling mistakes you make into domain
names. You can skip this step if you’re a perfect typist, I suppose.

You might also want to enter the command

no logging console

to prevent IOS from outputting syslog messages to the console as you’re working. These
can interfere greatly with your typing.

Now you’re ready to set up an IP address for the LAN interface. In the case of the 851W
that this article is based on, you do this on a virtual interface called BVI1 that relates to
the physical LAN interfaces. On other routers, you might do this on the actual physical
interface. Type

interface <interface_name>

to enter the configuration mode for that interface. For the 851W, the command was

interface BVI1

Now, assign the interface an IP address:

ip address <address> <netmask>

I’m using with a Class C mask, so my command looked like this:

ip address

(The command is on two lines for publication purposes, but be sure to enter it all on one
line.) You can also use Classless Inter-Domain Routing (CIDR) notation if you prefer,
which would look like this:

ip address

You’ll also need to set the WAN interface to use DHCP to obtain its IP address. To do this, enter

interface FastEthernet4

followed by the command

ip address dhcp

followed by the exit command to leave the interface configuration mode.

4. Set up access lists

Next, you need to configure two access lists, both of which will be applied in the inbound
direction. Note that in the remainder of this article, I use the terms inbound and
outbound frequently. As Figure 1 shows, inbound refers to traffic entering the interface;
outbound refers to traffic leaving the interface.

Listing 1 shows the two access lists: The first will be applied to the LAN interface (in my
case, BVI1), and the second will be applied to the WAN interface (in my case,

Access list 100 will be applied to the LAN interface. The first line sets up the access list
and places the router in access list configuration mode. The next line allows any IP traffic
matching the network ( to pass into the interface. If the subnet mask
looks odd to you, that’s not a typo. IOS uses inverse subnet masks in its access lists. You
can compute these manually quite easily by subtracting each octet of your standard mask
from 255. So mask becomes, becomes,
and so on.

The third line denies any other traffic from entering the LAN interface. Although all
access lists have an implicit deny all at the end, including an explicit deny line is a good
practice so that you know where your access list ends and to aid the readability of your
configuration. The final line takes the router out of access list configuration mode.

Access list 101 will be applied to the WAN interface. The first line sets up the access list
and places the router in access list configuration mode. I use a cable modem, so the next
line allows DHCP (bootps and bootpc) traffic to enter the WAN interface. Without this
entry, my WAN interface would never receive a public IP address, and I’d never get on the
Internet. You can use the same configuration in a test lab as long as you have a DHCP
server set up and your networking team is OK with what you’re doing. The third and
fourth lines allow any TCP and UDP traffic from any source destined for anywhere to
enter the WAN interface.

The fifth, sixth, and seventh lines allow any Internet Control Message Protocol (ICMP)
traffic that’s from any source; is headed for any destination; and is an echo-reply,
time-exceeded, or unreachable message to enter the WAN interface. You should be
cautious about which types of ICMP traffic you allow on your network because ICMP can
be used for various exploits, especially Denial of Service (DoS) attacks. However, you
need these three lines to use ping and traceroute for troubleshooting. The last two lines
are the same as in the LAN access list.

5. Configure basic TCP/UDP/ICMP inspection

My IOS version includes the IOS firewall feature set. If yours does as well, you’ll definitely
want to use it. Although the IOS firewall doesn’t offer the deep application-layer
inspection that, say, an ISA Server firewall does, enabling it is a good idea for two reasons.
The first is to ensure that traffic which is claiming to be TCP, UDP, or ICMP is in fact TCP,
UDP, or ICMP. The second is that enabling this inspection also enables Context-Based
Access Control. CBAC allows IOS to create dynamic access list entries that allow return
traffic to flow through the router. Although our access lists above are very generic (e.g., all
TCP is allowed), once your setup is working, you’ll certainly want to harden them, set up
internal servers reachable from the Internet, and so on. After you’ve done that, CBAC will
allow return traffic to pass through the router. For example, if you browse to, CBAC will dynamically place entries in the inbound access list applied to
your external (WAN) interface to allow return traffic from to enter the
router. When the connection is closed, these entries are dynamically removed.

First, set up a TCP SYN timeout threshold to help mitigate SYN flood DoS attacks:

ip tcp synwait-time 30

This command tells IOS to drop any TCP session that’s not established within 30 seconds.

Next, set up an inspection rule each for ICMP, TCP, and UDP:

ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp

(You can substitute a name you prefer for InspectRule.)

6. Apply the access lists and inspection rules

Now, apply both the access lists and the inspection rules to the appropriate interfaces in
the inbound direction. For the WAN interface—in my case, FastEthernet4— first enter the
interface configuration mode:

interface FastEthernet4

Then apply the access list:

ip access-group 101 in

(Note that you use access-group, not access-list here.) Then apply the inspection rule:

ip inspect InspectRule in

And finally, exit the interface configuration mode:


Next, for the LAN interface (BVI1, in this example), type:

interface BVI1
ip access-group 100 in
ip inspect InspectRule in

Some of you sharpies might be wondering if you could apply the IP inspection rule in the
outbound direction as well as or in place of the inbound direction. The answer is yes, you

7. Set up NAT

You now need to set up NAT to translate addresses between the internal network and the public Internet. First, set up an access list to be used
only for NAT:

ip access-list standard 10
deny any

As before, the first line places the router in access list configuration mode. Note that the
access list here is standard and not extended. Standard access lists allow only traffic from
specific IP addresses or networks to be permitted or denied. They don’t let you specify the
destination or type of traffic as extended access lists do. The second line identifies the
traffic that you want to translate. The above code allows any traffic on the internal LAN to
be translated for the Internet. The third line prevents any other traffic from being
translated, and the fourth line takes the router out of access list configuration mode.

Next, you identify to IOS which interfaces will participate in NAT:

interface BVI1
ip nat inside
interface FastEthernet4
ip nat outside

These lines tell IOS that the LAN interface, BVI1, will contain the addresses that need to
be translated, while the WAN interface, FastEthernet4, contains the external addresses to
which the internal addresses will be translated.

Finally, you enter the actual NAT statement (all on one line):

ip nat inside source list 10 interface FastEthernet4 overload

This command tells IOS to translate any address identified in access list 10 to the address
assigned to FastEthernet4. The overload keyword allows one public address to be shared
among several internal private addresses.

8. Enable interfaces, and disable STP

You’re almost ready to test your configuration. First, though, you need to ensure that each
interface is not in a shutdown state. To do so for FastEthernet4, type:

interface FastEthernet4
no shutdown

You’ll want to do this for every physical interface on your router.

At this point, you can disconnect the console cable and connect the PC to a LAN port on
the router with an Ethernet cable. You can then access the router by opening a Telnet
connection (preferably secured with SSH) to the router’s LAN IP address. Keep the
console cable handy, though, in case you make a configuration change that prohibits
Telnet access. A Telnet client is included with most OSs.

You also might want to disable Spanning Tree Protocol (STP) on your internal LAN
interface(s) if your router allows that. If you plan on setting up a complex network of
switches on your network, then don’t disable STP; but for a small network, disabling STP
lets your internal LAN devices connect to your router up to 30 seconds faster. For each
LAN interface (in my case, FastEthernet0 through FastEthernet3), enter

interface FastEthernet0
spanning-tree portfast

9. Test your configuration

Now is a good time to save your configuration. Type

copy running-config startup-config

to save your work to nonvolatile memory and ensure that your configuration is retained
across router restarts, power outages, and so on.

You should also enter the command

show running-config

to output a copy of the configuration you just created to your screen. You can copy and
paste this configuration to a text editor for later reference. You can also edit the
configuration in a text editor and paste it into a terminal session to make changes to the
router. Your configuration should look similar to Listing 2 at this point. Note that Listing
2 omits many configuration lines that are automatically inserted or included by default.
Listing 2 focuses on the commands that you entered above.
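As an added example (not from the article or from Cisco), here is a small Python checker that reads a running-config in the shape Listing 2 describes and verifies that steps 4 through 7 were applied to the NAT interfaces: an inbound access-group, an inbound inspection rule, and a LAN access list whose inverse mask matches the subnet on the interface, using the subtract-from-255 rule from step 4. The sample config and its 192.168.10.0/24 LAN address are constructed for this example.

```python
import ipaddress

# Constructed sample in the shape steps 3 through 7 leave the running-config (BVI1 LAN,
# FastEthernet4 WAN on DHCP); the 192.168.10.0/24 LAN address is a placeholder, not the article's.
SAMPLE_CONFIG = """\
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip inspect InspectRule in
 ip nat inside
interface FastEthernet4
 ip address dhcp
 ip access-group 101 in
 ip inspect InspectRule in
 ip nat outside
ip access-list extended 100
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any
ip nat inside source list 10 interface FastEthernet4 overload
"""

def wildcard_mask(netmask):
    """IOS inverse mask (step 4): subtract each octet of the standard mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))

def parse_blocks(config):
    """Group indented lines under the unindented header line they belong to."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current and line.strip():
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return findings for the NAT-facing interfaces; an empty list means all checks passed."""
    blocks, findings = parse_blocks(config), []
    for name, lines in blocks.items():
        if not name.startswith("interface ") or not any(l.startswith("ip nat ") for l in lines):
            continue  # only the ip nat inside/outside interfaces are in scope
        acl = next((l.split()[2] for l in lines
                    if l.startswith("ip access-group ") and l.endswith(" in")), None)
        if acl is None:
            findings.append(f"{name}: no inbound access-group")
        if not any(l.startswith("ip inspect ") and l.endswith(" in") for l in lines):
            findings.append(f"{name}: inspection rule not applied inbound")
        if "ip nat inside" in lines:
            # The LAN ACL must permit exactly the subnet on the interface, in inverse-mask form
            _, _, ip, mask = next(l for l in lines if l.startswith("ip address ")).split()
            net = ipaddress.ip_interface(f"{ip}/{mask}").network
            expected = f"permit ip {net.network_address} {wildcard_mask(mask)} any"
            if expected not in blocks.get(f"ip access-list extended {acl}", []):
                findings.append(f"{name}: ACL {acl} lacks '{expected}'")
    return findings
```

Paste the output of show running-config in place of SAMPLE_CONFIG to check a real router; a standard mask in the permit line instead of the inverse mask is the mistake it catches most often.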

You can now connect an Ethernet cable to the router’s WAN port, and try to get on the
Internet. Note that your internal LAN hosts will need to use static IP addressing if you
don’t have a DHCP server present.

What’s Next?

The possibilities from here are endless. You will most certainly want to set up usernames
and passwords for access to your router, set up Telnet and/or SSH access (if you haven’t
already), and limit that access to various IP addresses. You should also consider
modifying your access lists to deny private, non-routable (aka bogon) IP ranges from
being able to reach your network.

You can also make your router a DHCP server, set up VPN access with the router as an
endpoint, add NAT statements and access list entries to access a Web server on your
internal network from the Internet, or put an ISA Server firewall between your router and
your LAN clients. Over time, I’ve tweaked my setup to become much more complex than
the one presented in this article. Don’t be afraid to read some additional documentation (I
highly suggest the Cisco Field Manual series published by Cisco Press), ask questions of
your resident Cisco gurus, and experiment!

Discuss this Article 3

on Jun 29, 2008

John (not verified)

on Jun 2, 2008
Prince (not verified)

Good article..... it helps.... also one should refer to Cisco's ICND books (2 books) if this article
doesn't help.


on Oct 7, 2008

How do I get the remaining text of the article? There's no Next button or link, and the article
ends with ...


Copyright © 2014 Penton
