Configure Cisco 1921 as Home Router

David Lee
Beginner

Long story short, I have a Cisco 1921 running 15.3 that I am trying to set up as a typical home router. I want to allow all the traffic from inside to go to the internet, and I want all the traffic from the internet to be able to get in. If the traffic originated from inside, then naturally the responding traffic needs to come back in. I thought I could do this with a few ACLs and using IP INSPECT. Doing that, the WAN port will not get an IP address and all inside traffic does not reach the internet. I don't have much experience configuring security on Cisco routers that are also running NAT. If someone can point me in the right direction, that would be great. Below is the running config that is not working the way I would like.

DLC1921LTNTX3020#sh run
Building configuration...

Current configuration : 1798 bytes
!
! Last configuration change at 22:13:54 UTC Sat Jun 18 2016
version 15.3

ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT dns
ip inspect name FWOUT http
ip inspect name FWOUT https
ip inspect name FWOUT time
ip cef
no ipv6 cef

interface GigabitEthernet0/0
 description LAN
 ip address 192.168.205.252 255.255.255.0
 ip nat inside
 ip inspect FWOUT in
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN
 ip address dhcp
 ip access-group 5 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip dns server
ip nat inside source list 10 interface GigabitEthernet0/1 overload
!
!
!
access-list 5 deny   any log
access-list 10 permit 192.168.205.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq domain
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end

DLC1921LTNTX3020#
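As an added example (my own code, not anything from the poster or from Cisco), here is a small Python checker that parses a constructed excerpt of the running config above and flags the three things a reviewer would look at first: an inbound ACL on a DHCP-addressed WAN interface that never permits DHCP replies (udp bootpc), the absence of a static default route, and a numbered ACL that is defined but applied nowhere. A second, constructed "fixed" variant of the same excerpt (extended ACL 105 on the WAN, `ip route 0.0.0.0 0.0.0.0 dhcp`, orphaned ACL 100 removed) is included to show the checks going quiet. The parser handles only the subset of IOS syntax present in the excerpt.

```python
import re

# Constructed excerpt mirroring the posted running config (trimmed, not the whole thing).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.205.252 255.255.255.0
 ip nat inside
 ip inspect FWOUT in
!
interface GigabitEthernet0/1
 description WAN
 ip address dhcp
 ip access-group 5 in
 ip nat outside
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
access-list 5 deny   any log
access-list 10 permit 192.168.205.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq domain
line vty 0 4
 access-class 10 in
"""

# Constructed "fixed" variant: an extended ACL (standard ACLs cannot match ports) on the WAN
# that admits DHCP replies, a default route learned via DHCP, and no orphaned ACL 100.
FIXED_CONFIG = (
    SAMPLE_CONFIG.replace("ip access-group 5 in", "ip access-group 105 in")
    .replace(
        "access-list 5 deny   any log",
        "access-list 105 permit udp any eq bootps any eq bootpc\n"
        "access-list 105 deny ip any any log",
    )
    .replace(
        "access-list 100 permit udp any any eq bootpc\n"
        "access-list 100 permit udp any any eq domain\n",
        "",
    )
    + "ip route 0.0.0.0 0.0.0.0 dhcp\n"
)


def parse_ios(text):
    """Split an IOS config into interface blocks, numbered ACL entries and static routes."""
    interfaces, acls, routes, current = {}, {}, [], None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())  # indented line belongs to the open interface
            continue
        current = None
        if m := re.match(r"interface (\S+)", raw):
            current = m.group(1)
            interfaces[current] = []
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+(.*)", raw):
            words = [w for w in m.group(3).split() if w not in ("log", "log-input")]
            acls.setdefault(m.group(1), []).append((m.group(2), words))
        elif raw.startswith("ip route "):
            routes.append(raw.split()[2:])
    return interfaces, acls, routes


def _permit_covers_dhcp(words):
    """Does this permit line let a DHCP reply (udp to port bootpc) through?"""
    if "bootpc" in words:
        return True  # explicit 'eq bootpc' (either position)
    if words == ["any"] or words[:3] == ["ip", "any", "any"]:
        return True  # wide-open standard or extended line
    return words[:3] == ["udp", "any", "any"] and "eq" not in words  # all UDP, no port restriction


def permits_dhcp_client(entries):
    """Evaluate the ACL top-down, stopping at the first catch-all deny."""
    for action, words in entries:
        if action == "permit" and _permit_covers_dhcp(words):
            return True
        if action == "deny" and (words == ["any"] or words[:3] == ["ip", "any", "any"]):
            return False  # everything below is shadowed
    return False  # implicit deny at the end of every IOS ACL


def audit(text):
    """Return (code, detail) findings for the issues discussed in this thread."""
    interfaces, acls, routes = parse_ios(text)
    findings, referenced = [], set()
    for name, lines in interfaces.items():
        dhcp_client = "ip address dhcp" in lines
        for line in lines:
            if m := re.match(r"ip access-group (\S+) (in|out)$", line):
                referenced.add(m.group(1))
                entries = acls.get(m.group(1))
                if entries is None:
                    continue  # IOS treats an applied-but-undefined ACL as permit all
                if dhcp_client and m.group(2) == "in" and not permits_dhcp_client(entries):
                    findings.append(("WAN_ACL_BLOCKS_DHCP",
                                     f"{name}: inbound ACL {m.group(1)} drops DHCP replies "
                                     "(udp bootpc), so 'ip address dhcp' never completes"))
    referenced.update(re.findall(r"ip nat inside source list (\S+)", text))
    referenced.update(re.findall(r"access-class (\S+) in", text))
    if not any(r[:2] == ["0.0.0.0", "0.0.0.0"] for r in routes):
        findings.append(("NO_DEFAULT_ROUTE",
                         "no static default route; consider 'ip route 0.0.0.0 0.0.0.0 dhcp'"))
    for number in acls:
        if number not in referenced:
            findings.append(("UNUSED_ACL", f"access-list {number} is defined but applied nowhere"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, detail in audit(cfg) or [("OK", "no findings")]:
            print(f"{code}: {detail}")
```

Running it prints three findings for the posted excerpt and none for the fixed one; the first finding is the reason the WAN port never obtains an address, since the DHCP offer is dropped by `access-list 5 deny any` before the client ever sees it.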

1 Reply

Francesco Molino
VIP Mentor

Hi

A few things based on your config.

1. For the NAT ACL, I would recommend using an extended ACL instead of a standard one (it allows you to detail more who can have access to the internet and with which protocols). Right now, it would be quite the same:

ip access-list extended NAT
 deny ip 192.168.205.0 0.0.0.255 192.168.205.0 0.0.0.255
 permit ip 192.168.205.0 0.0.0.255 any

2. You are missing a default route (normally, your ISP connected on the WAN interface should give you a default route). In that case the command is:

ip route 0.0.0.0 0.0.0.0 dhcp

3. On your WAN interface, you're applying ACL 5, which denies any. Why?

4. To allow the traffic back based on an ACL that limits some ports, you need to use reflexive ACLs (1st solution).

Some documentation on reflexive ACLs: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html

The idea is to create a simple ACL (that you will put as in on your interface) and create another that reflects into the in one (that you will put as out on your interface).

A sample ACL:

Extended IP access list FIREWALL-IN
10 permit udp any any eq ntp 
20 permit udp any eq ntp any
30 permit icmp any any echo-reply 
40 permit icmp any any traceroute
50 permit esp any any 
60 permit ahp any any
70 permit udp any any eq isakmp 
80 permit udp any eq isakmp any
90 permit udp any any eq non500-isakmp 
100 permit udp any eq non500-isakmp any
110 permit udp any any eq bootps 
120 permit udp any any eq bootpc
130 evaluate FIREWALL-REFLEX-IN
Extended IP access list FIREWALL-OUT
10 permit ip any any reflect FIREWALL-REFLEX-IN

4 bis. You can even use inspect; however, your issue doesn't seem to be related to the INSPECT rule. Usually, we apply the inspect on the WAN interface as out so that return traffic is allowed.

See some documentation here: https://learningnetwork.cisco.com/docs/DOC-7832

5. You said that your WAN is not getting an IP even though it has been configured as DHCP. You have an ACL denying everything. Remove that ACL first and try again.

Hope that's clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue
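As an added illustration of how the reflexive ACL pair in the reply behaves (this is my own Python model, not Cisco code and not part of the reply), the class below plays the WAN interface: FIREWALL-OUT, applied outbound, permits everything and records the mirror image of each session; FIREWALL-IN, applied inbound, first tries its static lines (here only `udp eq bootpc` and `udp eq ntp`) and then evaluates the reflected entries. Assumptions: packets are post-NAT, so the constructed WAN address 203.0.113.7 appears in the entries rather than 192.168.205.x; the other peers use documentation addresses; only TCP/UDP are modelled (the ICMP/ESP/ISAKMP static lines of the reply are omitted); entries age out on an idle timeout of 300 s, which is the IOS default for reflexive lists, and TCP FIN/RST teardown is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveWan:
    """Toy model of the reply's ACL pair on the WAN interface (assumptions in the lead-in):
       FIREWALL-OUT (applied out): permit ip any any reflect FIREWALL-REFLEX-IN
       FIREWALL-IN  (applied in):  static permits, then evaluate FIREWALL-REFLEX-IN
    """

    def __init__(self, static_in, timeout=300):
        self.static_in = static_in      # [(proto, dst_port)], e.g. ("udp", 68) for 'eq bootpc'
        self.timeout = timeout          # idle timeout for reflected entries (IOS default 300 s)
        self.reflected = {}             # mirrored 5-tuple -> expiry time

    def outbound(self, pkt, now):
        """'permit ip any any reflect ...': allow, and record the mirror image of the packet."""
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.reflected[mirror] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Static lines first, then 'evaluate' of the temporary reflected entries."""
        self.reflected = {k: t for k, t in self.reflected.items() if t > now}  # age out idle entries
        if any(pkt.proto == p and pkt.dport == port for p, port in self.static_in):
            return True                 # e.g. 'permit udp any any eq bootpc'
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.reflected:
            self.reflected[key] = now + self.timeout  # traffic on the session keeps it alive
            return True
        return False                    # implicit deny at the end of FIREWALL-IN


def demo():
    """Constructed traffic against the model; returns name -> permitted?"""
    fw = ReflexiveWan(static_in=[("udp", 68), ("udp", 123)])
    wan, server, stranger = "203.0.113.7", "198.51.100.20", "198.51.100.9"
    out = {}
    # DHCP offer to the WAN: admitted by the static bootpc line, no prior session needed
    out["dhcp_offer"] = fw.inbound(Packet("udp", "198.51.100.1", 67, "255.255.255.255", 68), now=0)
    # Unsolicited SYN to the WAN address: nothing reflected it, so it is dropped
    out["unsolicited_syn"] = fw.inbound(Packet("tcp", stranger, 40000, wan, 22), now=1)
    # An inside host (post-NAT source = WAN address) opens HTTPS: permitted out and reflected
    fw.outbound(Packet("tcp", wan, 51515, server, 443), now=2)
    # The server's reply matches the reflected entry exactly
    out["https_reply"] = fw.inbound(Packet("tcp", server, 443, wan, 51515), now=3)
    # A packet from the same server but a different source port does not match
    out["wrong_port_reply"] = fw.inbound(Packet("tcp", server, 444, wan, 51515), now=3)
    # The same reply after the idle timeout: the temporary entry has been purged
    out["https_reply_stale"] = fw.inbound(Packet("tcp", server, 443, wan, 51515), now=400)
    return out


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:18s} {'permit' if permitted else 'deny'}")
```

The point the model makes is the one the reply relies on: nothing from the internet gets in unless a static line allows it or an inside host has just sent the matching outbound packet, and that temporary permission disappears on its own.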

