Hi,
I found an old Cisco 857 DSL SOHO router in a cupboard doing nothing, so I decided to see if I could set it up for home use. I currently have a Draytek 2800 home router which has a bullet-proof GUI and excellent performance. It also lets me configure RIP and QoS, so the Cisco 857 has a lot to live up to.
My objectives were to see how easy it was to use the GUI and/or the Cisco CLI in setting up the following:
PPP authentication
NAT
DHCP
Cisco Firewall
Security lockdown
The GUI certainly gets the non-CLI users a basic ADSL router up and running relatively quickly. The problem is when an error occurs you are STUCK, as I was with setting up NAT. I used the Cisco CP Express GUI, which is pre-installed on the 857 router, and Cisco Configuration Assistant. In the end I only used the GUIs to set up the firewall and lock down the 857 securely.
Note - To use the CLI, you have to know your Cisco IOS.
I initially had issues with the PPP authentication, but 'debug ppp' showed me the way. DHCP allocated the IP addresses OK, but it took me a while to sort out DNS resolution. I had to make the 857 router a DNS server and also use PPP to request the ISP's DNS servers dynamically. I also noticed you can request the default route from the ISP dynamically via PPP. That was a new one on me?
I configured as much accounting/logging and Netflow as I could, so I can see who is currently using the 857 router and see what is being dropped in the log etc.
In summary, until Cisco get their act together and make the GUIs bullet proof, only Cisco CLI users will pretty much be using the Cisco 857 router at home? Performance is as good as the Draytek 2800. It can also configure RIP/EIGRP and QoS. SSH/HTTPS is a plus though.
I have noticed some guys in New Zealand have written a configuration wizard which will generate the configuration for you -
http://www.ifm.net.nz/cookbooks/configwizard.html

Here is my final configuration with relevant notes:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
! To prevent the local console from being overrun
logging console critical
!
no aaa new-model
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
! For some reason no NTP?
clock save interval 8
!
crypto pki trustpoint TP-self-signed-2703312282
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2703312282
revocation-check none
rsakeypair TP-self-signed-2703312282
!
!
crypto pki certificate chain TP-self-signed-2703312282
certificate self-signed 01
! (self-signed certificate hex blob omitted)
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
! Exclude IP addresses from DHCP server
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.100
!
ip dhcp pool dpool1
import all
network 192.168.0.0 255.255.255.0
domain-name cisco.com
default-router 192.168.0.1
dns-server 192.168.0.1
!
!
ip cef
! Create Firewall services to setup dynamic ACLs
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
no ip bootp server
!
!
!
! I hate STP
no spanning-tree vlan 1
username <username> privilege 15 password 7 <password>
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
! Four port switch
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
! ACL 100 to provide access
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
! To view source/destination IP addresses with packets/bytes used
ip accounting output-packets
! Netflow
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
! ACL 101 to provide access
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
! To view source/destination IP addresses with packets/bytes used
ip accounting output-packets
! Firewall inspection enabled on interface
ip inspect SDM_MEDIUM out
! Netflow
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
! Authentication depending on your ISP
ppp authentication pap chap callin
ppp chap hostname <ISP username>
ppp chap password 7 <ISP password>
ppp pap sent-username <ISP username> password 7 <ISP password>
! Request DNS servers from ISP
ppp ipcp dns request
! Request default route from ISP
ppp ipcp route default
!
ip forward-protocol nd
! To be able to view Top active 20 talkers
ip flow-top-talkers
top 20
sort-by bytes
!
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
! Makes this router a DNS server
ip dns server
! Leftover pool, not referenced by any NAT rule; the wildcard-style netmask was invalid and is
! corrected here, but all translation is actually done by the overload rule on Dialer1 below
ip nat pool pool1 192.168.0.0 192.168.1.0 netmask 255.255.255.0
! Only have one public IP address
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended ip
!
logging trap debugging
access-list 1 permit 192.168.0.0 0.0.0.255
! ACL 10: hosts allowed to manage the router (HTTPS and SSH)
access-list 10 permit 193.132.157.90
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 101 remark SDM_ACL Category=1
! ACL 101 (inbound on Dialer1): drop anything arriving from the Internet that claims an inside or
! private/bogon source, allow ISP DNS replies and useful ICMP, log everything else dropped
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit udp host 212.23.6.100 eq domain any
access-list 101 permit udp host 212.23.3.100 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
! Only allow local access
access-class 10 in
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

CheerZ
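As an added example that is not part of the post, here is the outside-facing ACL 101 from the config above evaluated in Python the way IOS does it: first match wins, so the ISP DNS permits must sit above the RFC 1918 denies, and anything arriving on Dialer1 with an inside-subnet source is dropped as spoofed before it can reach the permits. The packet addresses used for checking are constructed.

```python
import ipaddress
# Constructed sample: ACL 101 from the posted config, applied "in" on Dialer1, in the order IOS evaluates it.
ACL_101 = """deny ip 192.168.0.0 0.0.0.255 any
permit udp host 212.23.6.100 eq domain any
permit udp host 212.23.3.100 eq domain any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log"""

def _addr(t):
    """Consume 'any' | 'host A' | 'A wildcard' plus an optional 'eq <port>'; return ((net, wc), port, rest)."""
    if t[0] == "any":
        spec, t = (0, 0xFFFFFFFF), t[1:]
    elif t[0] == "host":
        spec, t = (int(ipaddress.IPv4Address(t[1])), 0), t[2:]
    else:
        spec, t = (int(ipaddress.IPv4Address(t[0])), int(ipaddress.IPv4Address(t[1]))), t[2:]
    port = None
    if t and t[0] == "eq":  # only the 'domain' keyword appears in this ACL; numeric ports also accepted
        port, t = (53 if t[1] == "domain" else int(t[1])), t[2:]
    return spec, port, t

def parse_ace(line):
    t = line.split()
    action, proto = t[0], t[1]
    src, sport, t = _addr(t[2:])
    dst, dport, t = _addr(t)
    icmp = t[0] if t and t[0] != "log" else None  # trailing ICMP type name such as echo-reply
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, icmp=icmp, text=line)

def _match(ip, spec):
    """Cisco wildcard mask: a set bit means 'don't care'."""
    net, wc = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wc & 0xFFFFFFFF) == 0

def evaluate(acl, pkt):
    """First-match evaluation as IOS does it; anything unmatched falls to the implicit deny."""
    for a in acl:
        if (a["proto"] in ("ip", pkt["proto"]) and _match(pkt["src"], a["src"]) and _match(pkt["dst"], a["dst"])
                and a["sport"] in (None, pkt.get("sport")) and a["dport"] in (None, pkt.get("dport"))
                and a["icmp"] in (None, pkt.get("icmp"))):
            return a["action"], a["text"]
    return "deny", "implicit deny"
ACL = [parse_ace(line) for line in ACL_101.splitlines()]
```

Swapping the order of the first ACE and the DNS permits in ACL_101 shows why ordering matters: a reply from the ISP resolver still passes, but an inside-subnet source would then also pass if it happened to match a later permit.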