How to set up a 2610 or 2620 to replace a standard home router?

Mizugori

I recently bought two 2600 routers (a 2610 and a 2620; the 2620 has two Ethernet ports). Each has a T1 card installed. I also bought a 2900XL Catalyst switch.

How could I set this up almost like a small business type office? Can anyone explain how it would all go together?
 
One end into the modem, other end into the switch. Finished.
Go to your friend's house, unhook his stuff. Repeat above.
Configure VPN.
 
so:

modem --------> 2620 ethernet port 1

any port on switch --------> 2620 ethernet port 2


? Then how do I configure the router? I changed the password when I got it but other than that haven't configured it. Also, this means no firewall, right? (Whereas most home routers have a rudimentary one built in.) Could I pair it with a Cisco PIX 501?
 
Correct on the physical configuration.

http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a0080094be1.shtml

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfcbac.htm - IOS FW.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml - NAT

A standard Linksys/D-Link/Netgear uses NAT as its "firewall". Some may have limited inspection capabilities, but nothing robust like you will get with an IOS device.
 
That's a little over my head, I'm just getting into Cisco stuff...

What is IOS FW? I'm assuming by IOS you mean the operating system that the Cisco hardware runs, and FW is firewall, but I don't get what that means. Does the IOS already include a firewall? Thus, do all Cisco routers have a firewall built in? If so, what is the point of a PIX 501 and other similar devices?

Also, are you saying Linksys/Netgear/D-Link/etc. home routers use NAT and that's all they mean when they say there is a firewall built in? I thought NAT just converted IP addresses on one network into different addresses for another, i.e. 192.168.1.150 into your external IP, to communicate with a website. How is that a "firewall"? How does that even increase security?

Thanks! Really appreciate the info!
 

By default NAT blocks all 65,000 plus incoming ports, so nothing from the untrusted side (the internet) can initiate anything on the trusted side of the NAT (your LAN side). This is why you have to open/forward ports on a NAT router to allow traffic from the internet to access a service behind the router; port 80, for example, if you wanted to run a web server from behind the router.

Basic NAT routers allow all traffic outbound by default. Traffic which is initiated by a trusted source and goes out is allowed back in. It's sort of like a one-way valve.

Basic firewall protection.

Pretty much all home routers also have a feature called SPI (stateful packet inspection), but honestly it's not much additional protection.
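The one-way valve described above, as an added toy model (not code from this thread or from any router): an outbound packet gets a public port and a table entry, a reply is let back in only if it matches that entry, and everything else from the outside is dropped unless a port has been forwarded. Addresses are constructed; 192.168.1.150 is the LAN host from the question.

```python
# Added example, not from the thread: a toy model of the "one-way valve" that PAT
# ("ip nat ... overload") gives you. Addresses are constructed (RFC 5737 ranges).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Pat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.sessions = {}   # public port -> (lan ip, lan port, remote ip, remote port)
        self.forwards = {}   # public port -> (lan ip, lan port): a "port forward"
        self.next_port = 1024

    def forward_port(self, public_port, lan_ip, lan_port):
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, pkt):
        # LAN -> internet is always allowed; remember the flow so the reply can come back
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[public_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # internet -> LAN: only a reply to a known flow, or a forwarded port, gets through
        if pkt.dst != self.public_ip:
            return None
        s = self.sessions.get(pkt.dport)
        if s and (pkt.src, pkt.sport) == (s[2], s[3]):
            return Packet(pkt.src, pkt.sport, s[0], s[1])
        if pkt.dport in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return None  # unsolicited: no table entry, so it is dropped

def demo():
    # Returns (translated outbound, returned reply, unsolicited probe, forwarded web hit)
    nat = Pat("203.0.113.7")
    web = "198.51.100.20"
    out = nat.outbound(Packet("192.168.1.150", 51000, web, 80))
    reply = nat.inbound(Packet(web, 80, nat.public_ip, out.sport))
    probe = nat.inbound(Packet("198.51.100.99", 40000, nat.public_ip, 22))
    nat.forward_port(80, "192.168.1.10", 80)   # "open port 80" for a LAN web server
    hit = nat.inbound(Packet("198.51.100.99", 40001, nat.public_ip, 80))
    return out, reply, probe, hit
```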
 
Anyone willing to step in with some config help? Here is the current status of the 2620:

Router>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(9), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 14-May-04 14:37 by dchih
Image text-base: 0x80008098, data-base: 0x80CC08C4

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

Router uptime is 6 minutes
System returned to ROM by power-on
System image file is "flash:/c2600-i-mz.123-9.bin"

cisco 2621 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory.
Processor board ID JAB040704TL (3368571963)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142
 
No offence, man, but configuring Cisco equipment takes a lot of knowledge, and most of the Cisco guys on this forum get paid good money to work on routers and switches. If you're interested in learning about Cisco, this is a great opportunity. Xphil3 gave you some really good links (with full example configs even!) that shouldn't be too hard to follow. Read carefully and google commands that you still don't understand.
 
Make sure you change the config register. The command is simple:
en
conf t
config-register 0x2102   (type "config" and press tab to complete it)
exit
wr mem
reload
y
 
OK, here is the show run. Can anyone help me configure it as though I were setting up my home as a small office?

thanks a lot for your time and help!!

Current configuration : 524 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
no ip http server
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
 
Here is the 2620 I had at home before I moved to a PIX 506. It's a good start, but keep in mind that the router is pretty wide open at this point, so I'll let you have at it and figure out the rest of the ACLs appropriately (that, and I hate router ACLs, because I don't always think when I'm placing them).

Code:
hostname InsertHostnameHere

no logging console
! enter the password in clear text; IOS stores it hashed ("enable secret 5 ..." expects an already-hashed value)
enable secret InsertPasswordHere

ip subnet-zero
no ip domain-lookup

interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
 no shutdown

interface Serial0/0
 no ip address
 shutdown

interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 no shutdown

ip nat inside source list 1 interface FastEthernet0/0 overload

access-list 1 permit 192.168.1.0 0.0.0.255

ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
! "ip http authentication local" needs a local user to authenticate against
username admin privilege 15 secret InsertPasswordHere
ip http server
ip http authentication local

banner motd ^C Authorized Access Only All Others Will be killed IMMEDIATELY ^C

line con 0
 password InsertPasswordHere
 login
line aux 0
line vty 0 4
 password InsertPasswordHere
 login
 
Oh boy oh boy. I need to figure out how to do this for my home too! Once I get some Cisco routers...
Man, that base config looks sparse! Been working on 2811s and 3560s and that's the smallest sh run I've ever seen :)

I'm gonna check back to see how you do it and store this info in my head.
Would be nice if someone with FiOS is doing this/has done this, cause that's what I'm running at home right now. I still can't seem to get my Belkin to work on it. I released the DHCP lease and whatnot but I can never get a new lease with the Belkin. Dumb Actiontec :(
 
Can anyone tell me what the literal commands are to change settings regarding the interfaces? I.e. how do you set an IP address on the FastEthernet 0/0 interface?

How do I "Set the internal port (e0/0) with a static IP address in the range of the internal network (in this example 192.168.1.0/24), and assign it as the 'inside' NAT interface:" per the guide posted by omega?

Thanks!
 
Cable modem plugged into E0/0
In privileged mode enter:
config t
int e0/0
ip address dhcp
ip nat outside
no shut
exit

Switch plugged into E0/1
config t
int e0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shut
exit


*****The following makes an access list to permit traffic from inside to cross NAT****
config t
access-list 1 permit 192.168.1.0 0.0.0.255
exit

*****The following enables NAT*****
config t
ip nat inside source list 1 interface e0/0 overload
exit

*****The following enables DHCP on your router*****
config t
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
exit
ip dhcp excluded-address 192.168.1.1




Pretty straight forward directions there. Good luck
 
I did all of this, and it seems to work: connected a computer to the switch, right-clicked on the LAN connection and clicked "repair" to make it get a new IP from the Cisco. It does get one, but for some reason it can't seem to get to the internet (when I go to any website in a browser it can't find the page). Any ideas?

Here is my current show run:

Current configuration : 854 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C44
!
boot-start-marker
boot-end-marker
!
enable secret
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
no ip http server
ip classless
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
 
For future reference, remove the hashes for the password; they are vulnerable to decryption.

I don't see any DNS servers set for the DHCP server.

Here's a snippet of my 2611XM's config:

ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool DHCPPOOL
network 192.168.1.0 255.255.255.0
next-server 192.168.1.1
default-router 192.168.1.1
dns-server 207.69.188.185 207.69.188.186
 
^Agreed.

Add in a line to your DHCP pool config to specify your DNS server. I use OpenDNS, so a quick example to fix your problem would be these few lines:

ip dhcp pool LAN
dns-server 208.67.222.222 208.67.220.220
end
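An added check, not from the thread, for the two things the replies above point at: a DHCP pool without a dns-server (clients get a lease but no name resolution) and a NAT access list that does not cover the inside subnet (the posted walkthrough used 192.168.1.0 while the running config uses 192.168.2.0). It parses a config pasted without indentation, as the show run above was, by treating the "!" lines as block separators; the sample config is constructed.

```python
# Added example, not from the thread: sanity-check a 2600-series NAT/DHCP config
# pasted without indentation (as above), so blocks end at the "!" separator lines.
import ipaddress, re
# Constructed sample modelled on the thread's configs: the pool has no dns-server
# and access-list 1 (192.168.1.0/24) does not match the inside interface (192.168.2.1).
SAMPLE = """ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255"""

def parse(config):  # -> (top-level lines, {block header: body lines})
    top, blocks, cur = [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        if not line or line == "!":
            cur = None                      # "!" closes the current block
        elif line.startswith(("interface ", "ip dhcp pool ")):
            cur, blocks[line] = line, []
        elif cur:
            blocks[cur].append(line)
        else:
            top.append(line)
    return top, blocks

def check(config):  # -> list of findings, empty when all checks pass
    top, blocks = parse(config)
    out, inside = [], []
    for hdr, body in blocks.items():
        if hdr.startswith("ip dhcp pool") and not any(l.startswith("dns-server") for l in body):
            out.append(f"{hdr}: no dns-server, clients get a lease but cannot resolve names")
        if "ip nat inside" in body:
            inside.append((hdr, body))
    for m in filter(None, (re.match(r"ip nat inside source list (\d+) ", l) for l in top)):
        acl = [l.split() for l in top if l.startswith(f"access-list {m.group(1)} permit ")]
        nets = [ipaddress.ip_network(f"{a[3]}/{a[4]}", strict=False) for a in acl]  # addr/wildcard
        for hdr, body in inside:
            ip = next((l.split()[2] for l in body if re.match(r"ip address \d", l)), None)
            if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
                out.append(f"{hdr}: {ip} not in access-list {m.group(1)}, LAN traffic is not translated")
    return out
```

Run `check(SAMPLE)` to see both findings; adding the dns-server line and changing the access list to 192.168.2.0 0.0.0.255 clears them.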
 
That script is similar to what I did, almost to the letter, on my 1841.

Thing is, I created 3 subinterfaces and I forgot I did that for my test VLANs in my switch :D

Now I gotta play a bit more for my internet to go across interface to interface.

My roommate was laughing at me, I was having so much fun playing!

Oh yeah, OpenDNS = awesome
 
Hmmm, added the DNS settings, still not working...

Do I need to do any additional configuration on the switch? Here is the show run for that, and THANKS to everyone for helping me get this far!

Code:
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface VLAN1
 ip address 192.168.1.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 192.168.1.1
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 login
line vty 5 9
 login
!
end
 