Step 3: Line By Line Config
I will give you the step-by-step commands to type in, then I will go through and explain them.
Code
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#enable secret newpassword
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#line vty 0 4
Router(config-line)#transport input none
Router(config-line)#exit
Router(config)#no ip http server
Router(config)#ip classless
Router(config)#ip subnet-zero
Router(config)#hostname aserouter
aserouter(config)#int eth0/0
aserouter(config-if)#description Internet Port
aserouter(config-if)#no shutdown
aserouter(config-if)#ip address dhcp
*Mar 1 00:11:06.740: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.1.5, mask 255.255.255.0, hostname aserouter
aserouter(config-if)#ip nat outside
aserouter(config-if)#exit
aserouter(config)#int eth0/1
aserouter(config-if)#description LAN Port
aserouter(config-if)#no shutdown
aserouter(config-if)#ip address 10.0.0.1 255.0.0.0
aserouter(config-if)#ip nat inside
aserouter(config-if)#exit
aserouter(config)#ip dhcp excluded-address 10.0.0.1
aserouter(config)#ip dhcp pool LANNET
aserouter(dhcp-config)#import all
aserouter(dhcp-config)#network 10.0.0.0 255.0.0.0
aserouter(dhcp-config)#default-router 10.0.0.1
aserouter(dhcp-config)#exit
aserouter(config)#access-list 1 permit 10.0.0.0 0.255.255.255
aserouter(config)#ip nat inside source list 1 interface ethernet0/0 overload
aserouter(config)#exit
aserouter#
*Mar 1 00:16:50.812: %SYS-5-CONFIG_I: Configured from console by console
aserouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
aserouter#
And you are done! Now we can go through each command. At the config prompt, the 'service password-encryption' command applies a weak cipher to passwords so that they are not displayed in clear text when you do a 'show run' command at the enable prompt. It masks a password but does not give strong encryption. Always mask your own passwords! The 'enable secret newpassword' command sets the enable password to the 'newpassword' that you just typed. From now on, you need to enter this password to get into the enable prompt. The command 'no ip domain lookup' stops the router from trying to resolve a mistyped command as a host name. Just do it. The command 'no cdp run' stops the Cisco Discovery Protocol (CDP) from running and giving out information about your router. Now we get to some interesting commands.
The next line, 'line vty 0 4', puts the router into line configuration mode. Notice how the prompt changes? vty stands for virtual terminal. We are not getting into any form of security settings with the router, so it is best to disable telnet logins altogether. At the config-line prompt, typing 'transport input none' stops the router from accepting telnet logins. Since you have physical access to the router, this is not a big deal. In a later article we will go over how to set up access lists and such, but for now leave it disabled. Typing 'exit' from the config-line prompt brings you back to the normal config prompt.
The command 'no ip http server' stops the HTTP configuration server from running. Leaving that server running is a security risk. The commands 'ip classless' and 'ip subnet-zero' are basic modern-day configuration commands. Most IP addresses are classless addresses now. The next command, 'hostname aserouter', sets the router's name to "aserouter". Feel free to change this.
What is this next line? Well, 'int eth0/0' (or the longer command 'interface Ethernet0/0') brings us into interface configuration mode. Notice the prompt now says "config-if" instead of just "config". We are using the eth0/0 port as the Internet port, as you can tell by the 'description Internet Port' command. That command is for comments about the interface. We do not want this interface to be administratively down, so we issue the 'no shutdown' command. The next command, 'ip address dhcp', should be easy to understand. This interface will be getting its address by DHCP. You can see that my router acquired an address when I typed that command. Now, 'ip nat outside' marks this interface as the outside side of the network address translation mappings (actually we will be using port address translation) for your router. Type 'exit' to go back to the global config prompt.
Now configure the second interface by typing 'int eth0/1' at the prompt. This is the LAN port, as the 'description LAN Port' command shows. We do not want this interface to be administratively down, so we issue the 'no shutdown' command. We will be assigning an 'ip address 10.0.0.1 255.0.0.0' to the interface. The first part is the IP address and the second part is the subnet mask. You can use 192.168.0.1 and 255.255.255.0 if you would like. The command 'ip nat inside' tells the router that this is the inside interface for NAT. Type 'exit' to get back into the global config mode.
We need to tell the router not to give out its own IP address by using the 'ip dhcp excluded-address 10.0.0.1' command. This reserves the address. You can give a range to reserve other IP addresses on your network. If you want to reserve a large number of addresses, use 'ip dhcp excluded-address 10.0.0.1 10.250.0.0' to reserve a huge chunk of addresses for your network. Now we need to configure the DHCP server. The command 'ip dhcp pool LANNET' brings us to the dhcp-config prompt. "LANNET" is a label that can be anything you want. Type 'import all' to pass DHCP information (such as DNS and routing info) on to DHCP clients. You need to do this to make this work. The command 'network 10.0.0.0 255.0.0.0' should be easy to understand. We are using the 10.x.y.z network with a 255.0.0.0 subnet mask. The 'default-router 10.0.0.1' command tells the router to give DHCP clients its own address as their default route. Now type 'exit' to get out of the dhcp-config prompt.
The last step is to enable NAT on the router. You need to set up an access list. Do this by issuing 'access-list 1 permit 10.0.0.0 0.255.255.255' at the global config prompt. That command says to permit any traffic from the 10.0.0.0 network; the 0.255.255.255 is a wildcard mask, the inverse of the subnet mask. Now type 'ip nat inside source list 1 interface ethernet0/0 overload' at the prompt. This command enables port address translation and makes your router function like a normal SOHO router. Type 'exit' to get back to the enable prompt.
Now commit your changes to memory by issuing the 'copy run start' command, and you are done. All that is left to do is to test it out.
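One way to test the saved configuration is to run the settings explained above as checks against the output of 'show run'. The Python audit below is an added example, not part of the original article: the sample configuration is constructed, the names REQUIRED, sections and audit are hypothetical, and it assumes the NAT access list is a standard ACL written as network plus wildcard mask.

```python
import ipaddress
import re

# Constructed 'show run' excerpt for the router built above (hash is a placeholder).
SAMPLE = """\
service password-encryption
enable secret 5 HASH-PLACEHOLDER
no cdp run
interface Ethernet0/0
 ip nat outside
interface Ethernet0/1
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
no ip http server
access-list 1 permit 10.0.0.0 0.255.255.255
ip nat inside source list 1 interface Ethernet0/0 overload
line vty 0 4
 transport input none
"""
REQUIRED = ("service password-encryption", "enable secret ", "no cdp run", "no ip http server")

def sections(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    tree, head = {}, None
    for line in config.splitlines():
        if line[:1] == " " and head:
            tree[head].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            head = line.strip()
            tree[head] = []
    return tree

def audit(config):
    """Return findings; an empty list means every check passed."""
    tree = sections(config)
    out = [f"missing: {c.strip()}" for c in REQUIRED if not any(h.startswith(c) for h in tree)]
    out += [f"{h}: remote logins still accepted" for h, body in tree.items()
            if h.startswith("line vty") and "transport input none" not in body]
    # Each 'ip nat inside' subnet must sit inside the NAT ACL (network + wildcard form).
    m = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    acl = m and re.search(rf"^access-list {m.group(1)} permit (\S+) (\S+)", config, re.M)
    allowed = ipaddress.ip_network("/".join(acl.groups()), strict=False) if acl else None
    for h, body in tree.items():
        addr = next((b.split()[2:4] for b in body if re.match(r"ip address \d", b)), None)
        if "ip nat inside" in body and addr:
            net = ipaddress.ip_interface("/".join(addr)).network
            if allowed is None or not net.subnet_of(allowed):
                out.append(f"{h}: {net} not covered by the NAT access list")
    return out
```

Calling audit() on the text of your own 'show run' output returns one line per setting that is missing or inconsistent.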
Conclusion:
You have now learned the basic way to set up a Cisco router using PAT/NAT on a home network. There are ways to harden your router and we will go over these techniques in another article. Stay tuned for more articles like this in the future. I hope you enjoyed reading this and if you have any questions, feel free to post in the forums.