Setting up a Cisco Firewall IOS router using a Cable ISP with DHCP

I wish Cisco would provide their documentation using this HTML format rather than using inline notes.

Note that all red text pertains to the IOS Firewall feature set. If you don't have the Firewall feature set on your Cisco router, exclude all lines in red. However, I would highly recommend that you use a Firewall-enabled version of IOS for the sake of good security. Although NAT alone will provide some bare-minimum protection to your internal network, without the firewall your Internet-facing Cisco router is much more vulnerable to hackers. All purple text is optional.

Cisco IOS Version: 12.2(11)T9 (image file c1700-k9sy7-mz.122-11.T9.bin)
Cisco IOS command                                         Description and explanation of command
enable                                                    Go into enable mode.
config t                                                  Go into global configuration mode.

ip dhcp excluded-address 192.168.100.1 192.168.100.10     Exclude the first 10 IP addresses from the Internal-DHCP pool.

ip dhcp pool Internal-DHCP                                Create a DHCP pool called "Internal-DHCP".
import all                                                Import external DHCP settings, such as the DNS servers learned from the ISP, into the "Internal-DHCP" pool.
network 192.168.100.0 255.255.255.0                       Defines the network that this DHCP pool operates on.
default-router 192.168.100.1                              Sets the default gateway for this DHCP pool.

ip inspect name cbac tcp                                  Inspects outbound TCP traffic so that the responding inbound TCP traffic will be allowed.
ip inspect name cbac udp                                  Inspects outbound UDP traffic so that the responding inbound UDP traffic will be allowed.

interface f0/0                                            Enters interface f0/0. F0/0 in this case is the internal LAN interface.
ip address 192.168.100.1 255.255.255.0                    Sets the internal LAN interface IP to 192.168.100.1 with a 24-bit subnet mask.
ip nat inside                                             Designates this interface as the inside interface for Network Address Translation.

interface e0/0                                            Enters interface e0/0. E0/0 in this case is the external (ISP-facing) interface.
ip address dhcp                                           Sets the external interface to obtain its IP address via DHCP. DHCP is provided by the ISP.
ip access-group CBAC in                                   Applies the CBAC ACL to inbound traffic, turning on inbound Stateful Packet Inspection.
ip inspect cbac out                                       Turns on outbound inspection, which is critical for allowing the responding inbound traffic.

ip nat outside                                            Designates this interface as the outside interface for Network Address Translation.
mac-address ffff.ffff.ffff                                Optional. Allows you to spoof the MAC address. Some ISPs lock down the MAC address.

ip nat inside source list NATACL interface e0/0 overload  NATs all source IPs matched by the NATACL ACL to the external interface and its IP address (overload means many inside hosts share that one address).

ip access-list extended CBAC                              Defines an extended ACL called CBAC, used for the inbound firewall rules.
permit udp any eq bootps any eq bootpc                    Permits inbound DHCP. Your ISP can't assign you a DHCP IP without this!
permit gre any any                                        Outbound PPTP VPN will not work without this.
permit icmp any any echo                                  Allows inbound pinging. Note that you may not want this if you want to be stealthy.
permit icmp any any echo-reply                            Allows outbound pinging (the replies come back inbound).
permit icmp any any traceroute                            Allows traceroute.
deny ip any any log                                       Useful if you want to log inbound denies. Note that every ACL ends with an implicit deny; this line makes it explicit so the denies can be logged.

ip access-list extended NATACL                            Defines an extended ACL called NATACL, used for NAT.
permit ip 192.168.100.0 0.0.0.255 any                     Permits all of 192.168.100.0/24 going anywhere to be NATed.

exit                                                      Exits the NATACL ACL configuration.
exit                                                      Exits global configuration mode.
wr mem                                                    Commits all the configuration changes to permanent flash memory (the startup configuration).
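The following verification pass, added here as an example and not taken from the original page, checks each part of the configuration above from enable mode: the ISP lease on e0/0, the internal DHCP bindings, the NAT translations, the CBAC inspection sessions, and the per-line hit counts on the CBAC ACL including the logged inbound denies. Output naturally varies with your ISP and your clients.

```cisco
! Verify the ISP-assigned address and lease on the outside interface
show dhcp lease
show ip interface brief
! Confirm the MAC address e0/0 presents to the ISP (relevant if you spoofed it)
show interfaces e0/0 | include address
! Confirm the CBAC ACL is actually applied inbound on the outside interface
show ip interface e0/0 | include access list
! Internal clients that have taken a lease from the Internal-DHCP pool
show ip dhcp binding
! NAT: inside/outside interface assignment, then the active translations
! (translations only appear once an inside host has sent traffic)
show ip nat statistics
show ip nat translations
! CBAC: the inspection rule set and the sessions it is currently tracking
show ip inspect config
show ip inspect sessions
! Hit counts per line of CBAC; the bootps line counts up when the lease renews
show ip access-lists CBAC
! Packets matched by "deny ip any any log" are written to the log;
! this assumes "logging buffered" is enabled, which the configuration above does not set
show logging | include CBAC
```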
