Cisco 887VA Configuration

Category: myblog. Written by Jiri Kanicky.

I have been thinking for some time about purchasing a Cisco ADSL modem to experiment and learn new stuff. Finally the day came and my Cisco 887VA arrived.

In this article I will show you how to configure the Cisco 887VA ADSL router. This basic configuration can be useful for any ADSL connection, whether it's for home or business.

Basic Cisco Configuration

Reset Device Configuration (these are privileged EXEC commands, so they are entered without conf t)

en
erase nvram:
write default-config
reload

You can choose to enter the basic management setup dialog or configure the router manually. This article configures it manually, so answer no:

Would you like to enter basic management setup? [yes/no]: no

Enable AES password encryption (you may skip this if the device does not support it). Type 6 AES encryption needs a master key, set with key config-key password-encrypt, before password encryption aes has any effect.

conf t
key config-key password-encrypt MASTERKEY123
password encryption aes
end

Secure user access

conf t
enable secret PASSWORD123
line vty 0 4
login local
exit
line console 0
login local
exit
username admin privilege 15 secret PASSWORD123
end

 

Set Hostname

conf t
hostname johny5
end

 

Disable DNS lookups from the CLI, so that a mistyped command is not treated as a hostname and you do not have to wait for the lookup to time out

conf t
no ip domain-lookup
end

 

Set Aliases

conf t
alias exec s show ip int br
alias exec sr show run
end

 

Stop log messages from interrupting what you are typing (synchronous logging)

conf t
line console 0
logging synchronous
exit
line vty 0 4
logging synchronous
end

 

Log out after inactivity (minutes)

conf t
line console 0
exec-timeout 5
exit
line vty 0 4
exec-timeout 5
end

 

Set Clock (with Daylight Saving for Australia/Sydney). Note that clock set is a privileged EXEC command, so it is entered after leaving configuration mode.

conf t
clock timezone EST +10
clock summer-time DST recurring first Sunday October 02:00 first Sunday April 03:00
end
clock set 02:56:59 3 January 2013
show clock

 

Set NTP Client

conf t
ntp server 1.au.pool.ntp.org
ntp server 0.au.pool.ntp.org
end

 

Set SNTP Client (on devices without an NTP client)

conf t
sntp server <ip_address>
end

 

SSH configuration (the RSA key is generated for hostname.domain-name, so the domain name must be set first; a 1024-bit RSA key is weak by current standards, so use modulus 2048 where the IOS image supports it)

conf t
ip domain-name domain.tld
crypto key generate rsa modulus 1024
ip ssh version 2
end

 

Cisco 887VA IP Configuration

Configure IP on VLAN interface

conf t 
interface Vlan 1
ip address 192.168.3.1 255.255.255.0
end

 

Show VLANs and port assignment

show vlan-switch

 

Cisco 887VA ADSL2+ Configuration

Configure ADSL (operating mode {auto | adsl1 | adsl2 | adsl2+ | vdsl2 | ansi})

conf t
controller vdsl 0
operating mode auto
end

 

Configure Dialer Interface

conf t
interface Dialer0
description WAN Interface
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
! 1500 byte Ethernet MTU minus the 8 byte PPPoE header
ip mtu 1492
encapsulation ppp
! MSS = MTU minus 40 bytes of IP and TCP headers, so LAN hosts do not send packets that need fragmenting
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
! The 0 means the ISP password is typed in clear text; replace USERNAME and PASSWORD with your ISP login
ppp pap sent-username USERNAME password 0 PASSWORD
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
end

 

Configure ATM interface

conf t
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
no snmp trap link-status
! VPI/VCI pair given by your ISP (8/35 here); the PPPoE client ties this PVC to dialer pool 1 used by Dialer0
pvc 8/35
 tx-ring-limit 3
 pppoe-client dial-pool-number 1
 end

 

Create a dialer list and associate it with dialer group 1 (the dialer-group set on Dialer0), so that IP traffic counts as interesting traffic that brings up the connection

conf t
dialer-list 1 protocol ip permit
end

 

Show ADSL sync

show controller VDSL 0

Note: You still have to configure NAT to get access to the internet.

 

Configure NAT

Create Access List for NAT (from LAN to WAN). A deny entry in a NAT access list means the traffic is simply not translated; it is not blocked.

conf t
ip access-list extended aclAllowNat
remark --- Traffic allowed to be NATed from inside to out.
remark --- Do not NAT traffic to RFC1918 addresses (explicit deny)
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.x.0 0.0.0.255 any
end

Configure NAT

conf t
ip nat inside source list aclAllowNat interface Dialer0 overload
interface vlan1
 ip nat inside
 exit
interface dialer 0
 ip nat outside
end

Note: You should now be able to ping the internet, e.g. 8.8.8.8.

 

IP Route

conf t
ip route 0.0.0.0 0.0.0.0 Dialer0
end

 

Port Forwarding

Example of port forwarding:

ip nat inside source static tcp 192.168.x.x 22 interface dialer0 22
ip nat inside source static udp 192.168.30.12 5060 interface Dialer0 5060

 

DNS Server Configuration

Router(config)#ip dns server
Router(config)#ip domain lookup

Note: ip domain lookup must be enabled (this reverses the no ip domain-lookup set in the basic configuration above) so that the router can resolve names on behalf of your network clients.

Note: If you don't configure a DNS server on your 887VA, you will have to hand out the ISP's DNS servers in the DHCP server configuration instead.

 

Verify name servers assigned from ADSL connection

Router#sh ip name-server

 

Verify DNS

Router#sh ip dns view

 

DHCP Server Configuration

Router(config)#ip dhcp excluded-address 192.168.3.1 192.168.3.99 
Router(config)#service dhcp
Router(config)#ip dhcp pool DHCP-POOL
Router(dhcp-config)#network 192.168.3.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.3.1
Router(dhcp-config)#dns-server 192.168.3.1
Router(dhcp-config)#domain-name home.local
Router(dhcp-config)#import all
Router(dhcp-config)#exit
Router(config)#end

  

Firewall Configuration

Create an access list for SSH access to the router (it only takes effect once applied to the VTY lines with access-class aclQuietMode in)

conf t
ip access-list standard aclQuietMode
 remark --- Enter Subnets allowed to SSH to router
 permit 192.168.x.0 0.0.0.255
end

 

Create an access list for Telnet access to the router

conf t
ip access-list standard aclTelnet
 remark --- Enter Subnets allowed to Telnet to router
 permit 192.168.x.0 0.0.0.255
end

 

Zone Based Firewall (2 zones)

Define class-maps that describe the traffic that you want to permit between zones:

You have two options here: you can match either on access-groups or on services. Here is an example of both.

 

Option 1 (using access-groups)

Allow everything out to the internet:

conf t
ip access-list extended private-to-internet
permit ip 192.168.30.0 0.0.0.255 any
end

 

Allow SSH to one internal host from anywhere, and SIP to the SIP host only from the single SIP provider's address (to limit exposure to attacks)

conf t
ip access-list extended internet-to-private
permit tcp any host 192.168.30.10 eq 22
permit udp host 202.85.243.115 host 192.168.30.12 eq 5060
end

Note: Both SSH and SIP protocols are included in port forwarding.
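To show how the router evaluates these two extended access lists (aclAllowNat from the NAT section and internet-to-private above), here is an added Python example, not code from the original post: it parses the ACL lines, applies Cisco wildcard-mask matching with first-match semantics and the implicit trailing deny, and then answers whether a LAN-to-destination flow is translated and whether an inbound flow matches the firewall class-map. The 192.168.3.0/24 source (standing in for the article's 192.168.x.0) and the sample addresses are assumptions.

```python
# Constructed copies of two extended ACLs from this article (192.168.x.0 is assumed to be the
# 192.168.3.0/24 LAN configured on Vlan1); remark lines are accepted and skipped by the parser.
ACL_ALLOW_NAT = """
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.3.0 0.0.0.255 any
"""
ACL_INTERNET_TO_PRIVATE = """
permit tcp any host 192.168.30.10 eq 22
permit udp host 202.85.243.115 host 192.168.30.12 eq 5060
"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int.from_bytes(bytes(int(o) for o in x.split(".")), "big") for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (addr, wildcard, next index)
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_acl(text):
    """Parse extended ACL lines into (action, proto, src, swc, dst, dwc, dport) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, swc, i = _addr(t, 2)
        dst, dwc, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((t[0], t[1], src, swc, dst, dwc, port))
    return entries

def evaluate(acl_text, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    for action, p, s, swc, d, dwc, port in parse_acl(acl_text):
        if p not in ("ip", proto) or port not in (None, dport):
            continue
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def nat_translated(src, dst):  # a deny in a NAT ACL means 'not translated', not 'dropped'
    return evaluate(ACL_ALLOW_NAT, "ip", src, dst) == "permit"

def allowed_inbound(proto, src, dst, dport):  # what the internet-to-private class-map matches
    return evaluate(ACL_INTERNET_TO_PRIVATE, proto, src, dst, dport) == "permit"
```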

 

Then reference the two access lists from class-maps:

conf t
class-map type inspect match-all private-to-internet-class
 match access-group name private-to-internet
 exit
class-map type inspect match-all internet-to-private-class
 match access-group name internet-to-private
 end

Option 2 (without access-groups, using services)

conf t
class-map type inspect match-any private-to-internet-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 exit
class-map type inspect match-any internet-to-private-class
 match protocol ssh
 end

Note: The class-maps that specify services use the match-any keyword, so traffic matching any one of the listed services is classified. Class-maps that associate ACLs with the service class-maps use the match-all keyword, which requires that both conditions in the class-map be met before traffic is allowed.

 

Configure a policy-map to inspect traffic on the class-maps you just defined:

conf t
policy-map type inspect internet-to-private-policy
 class type inspect internet-to-private-class
  inspect
  exit
 class class-default
  drop log
  end

conf t
policy-map type inspect private-to-internet-policy
 class type inspect private-to-internet-class
  inspect
  exit
 class class-default
  drop log
  end

 

Configure Zones:

conf t
zone security internet
zone security private
end

Assign interfaces to their respective zones:

conf t
interface vlan 1
zone-member security private
exit
interface dialer 0
zone-member security internet
end

Verify:

Router#show zone security

Configure Zone Pairs and apply the appropriate policy-map:

conf t
zone-pair security private-to-internet source private destination internet
 service-policy type inspect private-to-internet-policy
zone-pair security internet-to-private source internet destination private
 service-policy type inspect internet-to-private-policy
end

Verify:

show zone-pair security

Post configuration tasks

Change your NAT command to use the zone policy (optional):

from:

ip nat inside source list aclAllowNat interface Dialer0 overload

to:

ip nat inside source list private-to-internet interface Dialer0 overload

 

Zone Self

Restrict access from public networks to the router itself (the self zone): only SSH and ICMP are passed, everything else is dropped and logged. Note that this passes SSH from any internet address to the router, so apply the aclQuietMode access list to the VTY lines, or leave out match protocol ssh if management from the internet is not wanted.

conf t
class-map type inspect match-any public-to-self-class
 match protocol ssh
 match protocol icmp
 exit
policy-map type inspect public-to-self-policy
 class type inspect public-to-self-class
  pass
  exit
 class class-default
  drop log
  exit
 exit
zone-pair security internet-to-self source internet destination self
 description Inbound traffic from internet network to self
 service-policy type inspect public-to-self-policy
end