Setting up a Cisco Firewall IOS router using a Cable ISP
I wish Cisco would provide their documentation in this HTML (command beside explanation) format rather than using inline notes.
Note that the red rows in the table pertain to the IOS Firewall feature set (the `ip inspect` commands and the CBAC access list they work with; on this extracted copy the colour is lost, so those rows are marked "IOS Firewall" in the description column). If you don't have the Firewall feature set on your Cisco router, please exclude all of those rows. However, I would highly recommend that you use a Firewall-enabled version of IOS for the sake of good security. Although NAT alone will provide some bare-minimum protection to your internal network, your Internet-facing Cisco router itself is much more exposed to attackers without it. Purple rows (marked "Optional" below) are optional.
Cisco IOS Version: 12.2(11)T9 (image file c1700-k9sy7-mz.122-11.T9.bin)
| Cisco IOS command | Description and explanation of command |
|---|---|
| `enable` | Go into privileged EXEC (enable) mode |
| `configure terminal` | Go into global configuration mode |
| `ip dhcp excluded-address 192.168.100.1 192.168.100.10` | Exclude the first 10 IP addresses from the Internal-DHCP pool (the router's own address is among them) |
| `ip dhcp pool Internal-DHCP` | Create a DHCP pool called "Internal-DHCP" |
| `import all` | Import the DHCP options the ISP hands to the router (such as DNS servers) into the "Internal-DHCP" pool |
| `network 192.168.100.0 255.255.255.0` | Defines the network that this DHCP pool hands out addresses from |
| `default-router 192.168.100.1` | Sets the default gateway for this DHCP pool (the router's internal LAN address) |
| `ip inspect name cbac tcp` | IOS Firewall. Inspects outbound TCP traffic so that the responding inbound TCP traffic of each session is allowed back in |
| `ip inspect name cbac udp` | IOS Firewall. Inspects outbound UDP traffic so that the responding inbound UDP traffic is allowed back in |
| `interface f0/0` | Enters interface f0/0. F0/0 in this case is the internal LAN interface. |
| `ip address 192.168.100.1 255.255.255.0` | Sets the internal LAN interface IP to 192.168.100.1 with a 24-bit subnet mask |
| `ip nat inside` | Designates this interface as the inside interface for Network Address Translation |
| `interface e0/0` | Enters interface e0/0. E0/0 in this case is the external (Internet-facing) interface. |
| `ip address dhcp` | Sets the external interface to obtain its IP address by DHCP. DHCP is provided by the ISP. |
| `ip access-group CBAC in` | IOS Firewall. Applies the CBAC access list to inbound traffic on the outside interface; anything not permitted by the list or by a CBAC session entry is dropped |
| `ip inspect cbac out` | IOS Firewall. Turns on outbound inspection; CBAC records each inspected outbound session and opens the inbound ACL temporarily for its return traffic, which is what lets the deny-all list below work |
| `ip nat outside` | Designates this interface as the outside interface for Network Address Translation |
| `mac-address xxxx.xxxx.xxxx` | Optional. Lets you set the interface MAC address to the one your ISP has registered; some ISPs lock service to a MAC. The value here is a placeholder, the page gives none. |
| `ip nat inside source list NATACL interface e0/0 overload` | Translates every source address matched by the NATACL ACL to the address of the external interface e0/0 (overload, i.e. many internal hosts behind one public address) |
| `ip access-list extended CBAC` | Defines an extended ACL called CBAC to be used for the inbound firewall rules |
| `permit udp any eq bootps any eq bootpc` | Permits inbound DHCP server replies. Your ISP can't assign you a DHCP address without this! |
| `permit gre any any` | Permits inbound GRE. Outbound PPTP VPN will not work without this. |
| `permit icmp any any echo` | Allow inbound pinging. Note that you may not want this if you want to be stealth. |
| `permit icmp any any echo-reply` | Allow the replies to outbound pings back in |
| `permit icmp any any traceroute` | Permits ICMP type 30 (the IOS `traceroute` keyword). The page gives no description for this line. |
| `deny ip any any log` | Useful if you want to log inbound denies. Every ACL ends with an implicit deny, so this line changes nothing except that the drops are logged. |
| `ip access-list extended NATACL` | Defines an extended ACL called NATACL to be used for NAT |
| `permit ip 192.168.100.0 0.0.0.255 any` | Permits all of 192.168.100.0/24 going anywhere to be NATed |
| `exit` | Exits the NATACL ACL |
| `end` | Exits global configuration mode |
| `write memory` | Commits all the configuration changes to flash memory so they survive a reload |
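To make the interaction between the inbound CBAC access list and `ip inspect` concrete, the following is an added example (it is not from the page and not Cisco code): a small Python model of IOS first-match ACL evaluation plus the return-traffic openings CBAC creates for TCP and UDP sessions the inside hosts started. The ACL text is the page's; the `Packet` type, the session table, the `203.0.113.x` outside addresses and the sample packets are constructed here, and NAT is ignored (addresses are used as-is). It shows why an unsolicited inbound TCP SYN hits the logged `deny ip any any` while the reply to an outbound HTTPS connection does not.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The inbound access list exactly as the page gives it
CBAC_ACL = [
    "permit udp any eq bootps any eq bootpc",
    "permit gre any any",
    "permit icmp any any echo",
    "permit icmp any any echo-reply",
    "permit icmp any any traceroute",
    "deny ip any any log",
]

INSPECTED = {"tcp", "udp"}          # the page's two `ip inspect name cbac` lines
PORT_NAMES = {"bootps": 67, "bootpc": 68}   # the only named ports the ACL uses

# (proto, inside ip, inside port, outside ip, outside port) of an inspected session
Session = Tuple[str, str, Optional[int], str, Optional[int]]


@dataclass(frozen=True)
class Packet:                        # constructed model of the fields the ACL looks at
    proto: str                       # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[str]
    log: bool
    text: str


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS extended-ACL syntax the page uses: 'any' source and
    destination, optional 'eq <port>' on each, an optional ICMP type keyword, 'log'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    assert tok[i] == "any"; i += 1
    sport = dport = None
    if tok[i] == "eq":
        sport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]); i += 2
    assert tok[i] == "any"; i += 1
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]); i += 2
    icmp_type, log = None, False
    for t in tok[i:]:
        if t == "log":
            log = True
        else:
            icmp_type = t
    return Ace(action, proto, sport, dport, icmp_type, log, line)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type


def inspect_outbound(pkt: Packet, sessions: Set[Session]) -> bool:
    """Model of `ip inspect cbac out`: remember TCP/UDP sessions opened from inside.
    Returns True if the protocol is one the page inspects."""
    if pkt.proto not in INSPECTED:
        return False
    sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return True


def evaluate_inbound(pkt: Packet, acl: List[Ace], sessions: Set[Session]):
    """Return (verdict, reason, logged) for a packet arriving on the outside interface.
    CBAC's temporary openings are consulted before the static ACL, as IOS does."""
    if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in sessions:
        return ("permit", "cbac return traffic", False)
    for ace in acl:          # first match wins
        if ace_matches(ace, pkt):
            return (ace.action, ace.text, ace.log)
    return ("deny", "implicit deny", False)   # every IOS ACL ends this way


if __name__ == "__main__":
    acl = [parse_ace(line) for line in CBAC_ACL]
    sessions: Set[Session] = set()
    inspect_outbound(Packet("tcp", "192.168.100.20", "203.0.113.5", 51000, 443), sessions)
    for p in (Packet("tcp", "203.0.113.5", "192.168.100.20", 443, 51000),   # reply
              Packet("tcp", "203.0.113.5", "192.168.100.20", 443, 51001),   # unsolicited
              Packet("udp", "203.0.113.1", "255.255.255.255", 67, 68)):     # DHCP offer
        print(p.proto, p.sport, p.dport, "->", evaluate_inbound(p, acl, sessions))
```

The model only covers what the page's list needs (`any` addresses, `eq` ports, ICMP type keywords); real IOS matches on networks, ranges and TCP flags too, and CBAC also tracks TCP state rather than a bare 5-tuple. The useful takeaway is the ordering: without the `ip inspect` rows, the same ACL would drop the reply to every connection your LAN opens.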