Setting up a Cisco Firewall IOS router using a Cable ISP with DHCP
I wish Cisco would provide their documentation using this HTML format rather than using inline notes.
Note that all red text pertains to the IOS Firewall feature set. If you don't have the Firewall feature set on your Cisco router, please exclude all lines in red. However, I would highly recommend that you use a Firewall-enabled version of IOS for the sake of good security. Although NAT alone will provide some bare-minimum protection to your internal network, your Internet-facing Cisco router is much more vulnerable to hackers without it. All purple text is optional.
Cisco IOS Version: 12.2.11 T9 (image file c1700-k9sy7-mz.122-11.T9.bin)
| Cisco IOS command | Description and explanation of command |
| --- | --- |
| enable | Go into privileged (enable) mode. |
| config t | Go into global configuration mode. |
| ip dhcp excluded-address 192.168.100.1 192.168.100.10 | Exclude the first 10 IP addresses from the Internal-DHCP pool. |
| ip dhcp pool Internal-DHCP | Create a DHCP pool called "Internal-DHCP". |
| import all | Import external DHCP settings, such as DNS servers learned from the ISP, into the "Internal-DHCP" pool. |
| network 192.168.100.0 255.255.255.0 | Defines the network that this DHCP pool operates on. |
| default-router 192.168.100.1 | Sets the default gateway handed out by this DHCP pool. |
| ip inspect name cbac tcp | Inspects outbound TCP traffic so that the responding inbound TCP traffic will be allowed. |
| ip inspect name cbac udp | Inspects outbound UDP traffic so that the responding inbound UDP traffic will be allowed. |
| interface f0/0 | Enters interface f0/0. F0/0 in this case is the internal LAN interface. |
| ip address 192.168.100.1 255.255.255.0 | Sets the internal LAN interface IP to 192.168.100.1 with a 24-bit subnet mask. |
| ip nat inside | Designates this interface as the inside interface for Network Address Translation. |
| interface e0/0 | Enters interface e0/0. E0/0 in this case is the external (Internet-facing) interface. |
| ip address dhcp | Sets the external interface to obtain its IP address via DHCP. The DHCP lease is provided by the ISP. |
| ip access-group CBAC in | Applies the CBAC access list to inbound traffic; this is the inbound half of Stateful Packet Inspection. |
| ip inspect cbac out | Turns on outbound inspection, which is critical for allowing the responding inbound traffic back in. |
| ip nat outside | Designates this interface as the outside interface for Network Address Translation. |
| mac-address ffff.ffff.ffff | Optional. Allows you to spoof the MAC address. Some ISPs lock the service to a specific MAC. |
| ip nat inside source list NATACL interface e0/0 overload | NATs all source IPs matched by the NATACL ACL to the external interface and its IP address (PAT/overload). |
| ip access-list extended CBAC | Defines an extended ACL called CBAC to be used for the inbound firewall rules. |
| permit udp any eq bootps any eq bootpc | Permits inbound DHCP. Your ISP can't assign you a DHCP IP without this! |
| permit gre any any | Outbound PPTP VPN will not work without this (PPTP carries its data in GRE). |
| permit icmp any any echo | Allows inbound pinging. Note that you may not want this if you want to be stealthy. |
| permit icmp any any echo-reply | Allows outbound pinging (the replies can come back in). |
| permit icmp any any traceroute | Allows traceroute. |
| deny ip any any log | Useful if you want to log inbound denies. Note that this deny is implied at the end of every ACL; spelling it out only adds the logging. |
| ip access-list extended NATACL | Defines an extended ACL called NATACL to be used for NAT. |
| permit ip 192.168.100.0 0.0.0.255 any | Permits all of 192.168.100.0/24, going anywhere, to be NATed. |
| exit | Exits the NATACL ACL configuration. |
| exit | Exits global configuration mode. |
| wr mem | Commits all the configuration changes to permanent flash memory. |
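To make the interplay between the inbound CBAC access list and the outbound "ip inspect" entries concrete, here is an added example (not from the original page, and not Cisco code): a small Python model of IOS first-match ACL evaluation with wildcard masks, plus a toy session table standing in for CBAC. It parses the two access lists exactly as written above and runs a few constructed packets through them. The WAN address 203.0.113.10, the ISP server 203.0.113.1 and the remote hosts in 198.51.100.0/24 are constructed sample values; NAT translation itself is left out, so all outside-facing addresses are already the post-NAT ones.

```python
"""Added example: model of the page's CBAC inbound ACL plus the 'ip inspect' session table.
Not Cisco code; addresses below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Port names as IOS resolves them for the ACL on the page.
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# Inbound ACL copied from the page's "ip access-list extended CBAC".
CBAC_ACL = """
permit udp any eq bootps any eq bootpc
permit gre any any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
deny ip any any log
"""

# The page's NAT selector list.
NAT_ACL = "permit ip 192.168.100.0 0.0.0.255 any\n"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "gre" or "ip" (any)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo", "echo-reply", "traceroute"


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        ip = ipaddress.ip_address(tokens[i + 1])
        return (lambda a, ip=ip: ipaddress.ip_address(a) == ip), i + 2
    net = int(ipaddress.ip_address(tok))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    # IOS wildcard mask: 1 bits are "don't care", so OR them away on both sides.
    return (lambda a, net=net, wild=wild:
            (int(ipaddress.ip_address(a)) | wild) == (net | wild)), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse extended ACL lines into (action, proto, src, sport, dst, dport, icmp_type, log)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rest = t[i:]
        icmp_type = next((x for x in rest if x != "log"), None)
        aces.append((action, proto, src, sport, dst, dport, icmp_type, "log" in rest))
    return aces


def acl_lookup(aces, pkt):
    """First match wins; returns (action, 1-based line number). No match => implicit deny."""
    for n, (action, proto, src, sport, dst, dport, itype, _log) in enumerate(aces, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not src(pkt.src) or not dst(pkt.dst):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if itype is not None and itype != pkt.icmp_type:
            continue
        return action, n
    return "deny", None   # the implicit deny at the end of every IOS ACL


class Inspector:
    """Toy 'ip inspect cbac out' + 'ip access-group CBAC in' on the outside interface:
    outbound TCP/UDP creates a session entry; an inbound packet matching a session
    is allowed before the ACL is consulted, everything else must pass the ACL."""

    def __init__(self, aces, inspected=("tcp", "udp")):
        self.aces, self.inspected, self.sessions = aces, set(inspected), set()

    def outbound(self, pkt):
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit", "inspect-session"
        action, n = acl_lookup(self.aces, pkt)
        return action, (f"acl-line-{n}" if n else "implicit-deny")


def nat_eligible(src_ip):
    """Would 'ip nat inside source list NATACL ... overload' translate this inside source?"""
    action, _ = acl_lookup(parse_acl(NAT_ACL), Packet("ip", src_ip, "0.0.0.0"))
    return action == "permit"


def demo():
    fw = Inspector(parse_acl(CBAC_ACL))
    wan = "203.0.113.10"   # constructed: the address the ISP leased to e0/0
    r = {}
    # DHCP offer from the ISP: permitted by line 1 even though no session exists.
    r["dhcp_offer"] = fw.inbound(Packet("udp", "203.0.113.1", "255.255.255.255", 67, 68))
    # Reply to an outbound HTTPS connection: allowed by the inspection session, not the ACL.
    fw.outbound(Packet("tcp", wan, "198.51.100.5", 40000, 443))
    r["https_reply"] = fw.inbound(Packet("tcp", "198.51.100.5", wan, 443, 40000))
    # Unsolicited inbound SSH: no session and no permit line, so the logged deny fires.
    r["unsolicited_ssh"] = fw.inbound(Packet("tcp", "198.51.100.9", wan, 55555, 22))
    # Inbound ping: permitted by line 3 (the page notes you may prefer to drop this).
    r["ping"] = fw.inbound(Packet("icmp", "198.51.100.9", wan, icmp_type="echo"))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
    print("192.168.100.77 NATed:", nat_eligible("192.168.100.77"))
```

Running it shows why the order of the two interface commands matters: the HTTPS reply is only admitted because "ip inspect cbac out" recorded the session, while the DHCP offer needs the explicit bootps/bootpc permit because nothing outbound preceded it. The NATACL check also illustrates the wildcard-mask semantics of "192.168.100.0 0.0.0.255", which matches the whole /24 and nothing else.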