Configuring the Cisco 851W Ethernet router

A couple of days ago the Cisco 851W router I ordered was delivered. I bought it because my old wireless router, a Netgear WGR614v6, was having a hard time with the many NAT entries caused by the growing number of (wireless) users. I also wanted to gain more experience with configuring Cisco hardware.

Some months ago I got my CCNA certification, and I was surprised by how little knowledge and experience were needed to pass the exams. I passed the first exam with 948 points and the second one with 825. The last exam was a lot harder, and I realised that I hadn't studied topics like dynamic routing protocols enough. Still, I passed, thanks to my general knowledge of networking concepts and my experience with subnet calculations.

Anyway, I decided not to continue studying more Cisco stuff right away, but to get some hands-on experience first, so I bought this device.

The Cisco 851W is a router with a 100 Mbit/s Ethernet WAN port. I chose an Ethernet router because I wanted to use it at home on the existing Internet connection. The house I live in has an ADSL connection with a subnet of 16 public IP addresses, so there is no need to configure port forwarding in the modem: it simply hands out public IP addresses through DHCP.

It took me some days to configure the 851W properly. I discovered that holding a CCNA certificate in no way means you can configure Cisco devices on your own: the configurations discussed in the Cisco study material are often quite basic and focus on individual interfaces rather than on complete configurations.

Anyway, I found this handy Excel sheet for generating a basic configuration: Configuring the Cisco 851W or 871W: Standard IOS. Using this sheet I got a basic working configuration.

Of course this configuration needed some tweaking. I added and changed the following things:

Static NAT entries and corresponding firewall rules

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.64.5 5597 interface FastEthernet4 5597
ip nat inside source static tcp 192.168.64.237 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.64.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.64.5 8000 interface FastEthernet4 8000
ip nat inside source static tcp 192.168.64.5 38515 interface FastEthernet4 38515
!
ip access-list extended Guest-ACL
deny   ip any 192.168.64.0 0.0.0.255
deny   tcp any any eq smtp
permit tcp any host 217.149.192.18 eq smtp
ip access-list extended Internet-inbound-ACL
permit tcp any any eq 38515
permit tcp any any eq 5597
permit tcp any any eq 5001
permit tcp any any eq 8000
permit tcp any any eq 3389
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp host 63.208.196.95 any established
!
access-list 1 permit 192.168.64.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255

As you can see, some ports are forwarded to my own PC for the various software running on it. When you enter a static NAT entry you also have to enter the corresponding firewall rule: dynamic NAT entries seem to overrule the firewall, but static entries do not work without firewall rules.

The basic configuration from the Excel sheet also adds a firewall rule that denies "Guest" users access to my own separate network; they will only "see" network 192.168.60.0/24. I added another firewall rule to deny access to any SMTP server except the ISP's, to prevent spamming by trojans, which is quite likely to happen with the current users of the wireless network. Later I will also add a firewall rule to block any incoming traffic on port 25, because nobody is likely to run a mail server on this network except for malicious purposes. I also added a firewall rule permitting established connections from members.dyndns.org, to make Dynamic DNS work properly (more on this later).

Separate WLANs for house and private use

dot11 ssid 35bis
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 *snip*
!
dot11 ssid ruthenium
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 *snip*

interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid 35bis
!
ssid ruthenium
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2432
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN – routed WLAN
encapsulation dot1Q 20
ip address 192.168.60.1 255.255.255.0
ip access-group Guest-ACL in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled

This part of the configuration defines two SSIDs and two Dot11Radio0 subinterfaces that are attached to Vlan1 and Vlan20 respectively. You can also see the access list attached to the Guest VLAN.
One thing I discovered is that Cisco calls broadcasting an SSID "guest mode". On most routers with a wireless interface, only one SSID can be set to guest mode. That means my own WLAN is not visible, which is only a small annoyance.

Dynamic DNS configuration

Dynamic DNS using Dyndns.org is a little bit hard to set up, but after some googling I got it to work. The following is the configuration used for Dynamic DNS:

ip host members.dyndns.org 63.208.196.95
ip ddns update method myupdate
HTTP
add http://vagevuur:<snip>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://vagevuur:<snip>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!

To set up Dynamic DNS properly you need to add the IP address of members.dyndns.org to the host list, because most routers are not set up to look up domain names, for security reasons. Without that host entry the Dynamic DNS update fails.
You also have to add a firewall rule that allows the Dyndns site to connect to the router's WAN IP address on any port, as long as the connection is already established. The router does not use NAT for its own connection to the site, so there is no NAT entry to overrule the firewall. By entering permit tcp host 63.208.196.95 any established in the access list applied to the WAN interface, the connection is allowed, because the established keyword matches the reply traffic of the connection the router itself opened, on the port requested in that outgoing connection.

By the way, the add and remove lines can only be entered by typing the part of the command before the question mark, pressing CTRL-V, then typing the question mark and the rest of the line. Typing a ? directly brings up the IOS context help, which breaks the command.
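The two firewall points made above (a static NAT entry needs a matching permit in the inbound ACL, and the established keyword is what lets the Dyndns replies through) are easy to check offline. The script below is an added example, not code from the post: it parses the static NAT and extended ACL lines shown earlier, evaluates constructed packets against them with IOS semantics (first matching entry wins, wildcard masks, implicit deny at the end, established meaning the ACK or RST bit is set), and reports any static NAT outside port that Internet-inbound-ACL would drop for a new connection. Assumptions are marked in the code: the WAN address and the Internet host are placeholders, and a trailing permit ip any any was added to Guest-ACL, since the post does not show one and without it the implicit deny would block all other guest traffic. Run against the Guest-ACL exactly as listed, it also shows that the permit for the ISP's SMTP server never fires: deny tcp any any eq smtp comes first and matches guest mail to 217.149.192.18 as well, so that permit would need to be moved above the deny to get the described behaviour.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "bootps": 67, "bootpc": 68}  # names used by the page's ACLs
WAN_IP = "198.51.100.1"         # placeholder: the router's WAN address is not on the page
INTERNET_HOST = "203.0.113.10"  # constructed: an arbitrary host on the Internet

# Lines copied from the post; 'permit ip any any' is an ASSUMPTION not shown on the page.
CONFIG = """
ip nat inside source static tcp 192.168.64.5 5597 interface FastEthernet4 5597
ip nat inside source static tcp 192.168.64.237 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.64.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.64.5 8000 interface FastEthernet4 8000
ip nat inside source static tcp 192.168.64.5 38515 interface FastEthernet4 38515
ip access-list extended Guest-ACL
 deny   ip any 192.168.64.0 0.0.0.255
 deny   tcp any any eq smtp
 permit tcp any host 217.149.192.18 eq smtp
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit tcp any any eq 38515
 permit tcp any any eq 5597
 permit tcp any any eq 5001
 permit tcp any any eq 8000
 permit tcp any any eq 3389
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit tcp host 63.208.196.95 any established
"""

_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(t, i):  # address spec at t[i] -> ((network, wildcard), next index)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _opt_port(t, i):  # optional 'eq <port>', the only port operator the page uses
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _opt_port(t, i)
    dst, i = _addr(t, i)
    dport, i = _opt_port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "extra": t[i:]}  # extra: 'established' or an ICMP type name

def parse_config(text):  # collect the extended ACLs and the static NAT entries
    acls, statics, current = {}, [], None
    for raw in text.splitlines():
        t = raw.split()
        if raw.startswith("ip access-list extended "):
            current = acls.setdefault(t[3], [])
        elif t and t[0] in ("permit", "deny") and current is not None:
            current.append(parse_ace(raw))
        elif raw.startswith("ip nat inside source static "):  # ... <proto> <in ip> <in port> interface <if> <out port>
            statics.append({"proto": t[5], "inside": t[6], "outside_port": int(t[10])})
    return acls, statics

def ace_matches(ace, pkt):
    def in_spec(addr, spec):  # wildcard mask: set bits are "don't care"
        return (_ip(addr) | spec[1]) == (spec[0] | spec[1])
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (in_spec(pkt["src"], ace["src"]) and in_spec(pkt["dst"], ace["dst"])):
        return False
    for key in ("sport", "dport"):
        if ace[key] is not None and pkt.get(key) != ace[key]:
            return False
    for kw in ace["extra"]:
        if kw == "established":  # IOS: ACK or RST bit set, i.e. not the first SYN of a connection
            if not (pkt.get("flags", set()) & {"ACK", "RST"}):
                return False
        elif pkt.get("icmp_type") != kw:
            return False
    return True

def evaluate(acl, pkt):  # first matching entry wins; every IOS ACL ends with an implicit deny
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def unreachable_forwards(acls, statics, inbound="Internet-inbound-ACL"):
    # static NAT entries whose outside port the inbound ACL drops for a new (SYN-only) connection
    syn = {"src": INTERNET_HOST, "sport": 40000, "dst": WAN_IP, "flags": {"SYN"}}
    return [s for s in statics if evaluate(
        acls[inbound], {**syn, "proto": s["proto"], "dport": s["outside_port"]}) != "permit"]

if __name__ == "__main__":
    acls, statics = parse_config(CONFIG)
    guest = {"proto": "tcp", "src": "192.168.60.50", "sport": 50000, "dst": "217.149.192.18", "dport": 25, "flags": {"SYN"}}
    print("guest SMTP to the ISP relay:", evaluate(acls["Guest-ACL"], guest))
    print("forwards dropped by the inbound ACL:", unreachable_forwards(acls, statics))
```

The parser only understands the constructs that appear in the post (any, host, network plus wildcard, eq, established, ICMP type names); anything else in a real running config would need extending it. To reuse the check after adding a forward, append the new ip nat inside source static line to CONFIG and look at what unreachable_forwards() returns.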

Well, this concludes my post about configuring my Cisco router. The complete configuration is available for viewing on: http://chelydra.dyndns.org/static/851wcfg.txt Enjoy and have fun!


3 Responses to Configuring the Cisco 851W Ethernet router

  1. techzen says:

    this post is awesome, I really needed to figure out exactly how to forward ports on my 851w(I’m also a CCNA)…and I agree being a CCNA leaves a lot to be learned about Cisco routers.

  2. Hello

    I am Alberto, one of the co-founders of invalid.com

    invalid Dynamic DNS is available for Free to all registered users, and of course registration is for Free. Our plan provides a third level domain on myinvalid.com, as an example myusername.myinvalid.com

    However if you would like to have your own domain name registered with invalid, you will get unlimited Dynamic DNS record entries for that domain, and as many levels (subdomains) as you want as well. As an example mycamera1.home.mydomain.com, doorscamera.mydomain.com or any.thing.else.mydomain.com

    From a technical point of view, invalid offers a simple API widely compatible with almost every Dynamic DNS client on the market (both hardware devices and software). Moreover, if you use the great DDClient software, invalid will provide you with the exact configuration file.

    You can read all the technical details about invalid Dynamic DNS implementation at this link https://invalid.com/kb/1400598979/

    Guidelines and sample configuration for invalid Dynamic DNS and Cisco routers are available here https://invalid.com/kb/articles/read/1400598988/ and https://invalid.com/kb/articles/read/1400598983/

    invalid Dynamic DNS is available at this link https://invalid.com/free-products/dynamic-dns/

    Last but not least, any comment or suggestion of yours is very welcome.

    Thank You!

    • Spamming is not allowed on this website, please refrain from doing so. Invalidated all links and let the comment stay as an example to nubem.com.