My private network is built around a Cisco 2620XM router and a Cisco Catalyst 3448-XL switch. The router runs the image c2600-adventerprisek9-mz.124-25c.bin, and the switch runs c3500xl-c3h2s-mz.120-5.WC17.bin.
My router has a WIC-1ADSL card, which I use to connect to my ISP. Note that these settings might only work for my ISP (TekSavvy, in Ottawa).
vpdn enable
no ip cef
!
interface ATM0/0
 no ip address
 atm restart timer 300
 no atm ilmi-keepalive
 bundle enable
 !
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username your_username password 0 your_password
 ppp ipcp dns request accept
 ppp ipcp address accept
!
ip forward-protocol nd
!
! set the default route to go through the Dialer1 interface
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! deny telnet access from outside, allow everything else in
access-list 120 deny tcp any any eq telnet
access-list 120 permit tcp any any
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
With these settings, your DSL connection should come up. Access list 120 drops inbound telnet (TCP port 23) and lets everything else through, so any host outside your network will be able to reach TCP ports (except 23) on your network. More details on NAT follow below.
Consider the following configuration:
VLAN 1 hosts the 10.0.0.0/24 network
VLAN 3 hosts the 10.0.3.0/24 network
VLAN 10 hosts the 10.0.10.0/24 network
VLAN 1 and VLAN 3 can talk to each other and to the WAN
VLAN 10 can only talk to the WAN
! VLAN 1: untagged (native) on the trunk, gateway 10.0.0.1
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
! VLAN 3: tag 3, gateway 10.0.3.1
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.0.3.1 255.255.255.0
 ip access-group 103 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
! VLAN 10 (guest): tag 10, gateway 10.0.10.1
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group 110 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
A sub-interface (i.e. 0.10) defines a VLAN. In this setup, interface FastEthernet0/0 handles VLANs 1, 3 and 10 by being split into three sub-interfaces, one per VLAN; the encapsulation dot1Q tag on each sub-interface selects the VLAN it serves. Note that with this configuration, nothing more needs to be done for inter-VLAN routing: by assigning an IP address to each sub-interface, you tell the router how to route between the VLANs.
With this configuration, all three networks will be able to talk to each other. To prevent VLAN 10 from talking to VLANs 1 and 3, you can apply the following access lists inbound on the sub-interfaces (they are referenced by the ip access-group statements above):
! VLAN 1 (inbound on Fa0/0.1): block traffic to the guest VLAN, allow everything else
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit udp any any
!
! VLAN 3 (inbound on Fa0/0.3): block traffic to the guest VLAN, allow everything else
access-list 103 deny ip 10.0.3.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 103 permit udp any any
!
! VLAN 10 (inbound on Fa0/0.10): block traffic to VLANs 1 and 3
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.3.0 0.0.0.255
! deny telnet to the gateway from the guest network
access-list 110 deny tcp 10.0.10.0 0.0.0.255 host 10.0.10.1 eq telnet
access-list 110 permit ip any any
access-list 110 permit udp any any
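Before pasting access lists like these into a router it is worth checking what they actually do. The following evaluator is an added example and not part of the original configuration: it parses IOS-style extended ACL lines (a constructed copy of the listing above, with one extra permit udp any any kept after permit ip any any on purpose) using the same first-match and implicit-deny semantics the router applies, tests the stated policy with sample hosts, and flags entries that sit after an ip any any catch-all and therefore can never match. The port-name table and the sample host addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the inbound ACLs from the VLAN listing above, one entry per line.
# 'permit udp any any' after 'permit ip any any' in ACL 101 is unreachable by design here.
ACL_CONFIG = """
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit udp any any
access-list 103 deny ip 10.0.3.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 110 deny tcp 10.0.10.0 0.0.0.255 host 10.0.10.1 eq telnet
access-list 110 permit ip any any
"""

# IOS port keywords understood by this toy parser (assumption: extend as needed)
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "ssh": 22}


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: tuple                   # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int] = None  # destination port from "eq <port>", if present


def _addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acls(text):
    """Group 'access-list N ...' lines into {N: [Entry, ...]}, preserving order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        num, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(num, []).append(Entry(action, proto, src, dst, dport))
    return acls


def _matches(spec, addr):
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, src) and _matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def shadowed(entries):
    """Indices of entries that follow an 'ip any any' catch-all and so never match."""
    for i, e in enumerate(entries):
        if e.proto == "ip" and e.src[1] == e.dst[1] == 0xFFFFFFFF and e.dport is None:
            return list(range(i + 1, len(entries)))
    return []


def check_policy(text):
    """Exercise the stated policy: VLAN 10 is cut off from VLANs 1 and 3 but reaches the WAN."""
    acls = parse_acls(text)
    return {
        "vlan10_to_vlan1": evaluate(acls["110"], "tcp", "10.0.10.120", "10.0.0.5", 445),
        "vlan10_to_vlan3": evaluate(acls["110"], "udp", "10.0.10.120", "10.0.3.5", 53),
        "vlan10_to_wan": evaluate(acls["110"], "tcp", "10.0.10.120", "203.0.113.10", 443),
        "vlan10_telnet_gateway": evaluate(acls["110"], "tcp", "10.0.10.120", "10.0.10.1", 23),
        "vlan10_dns_gateway": evaluate(acls["110"], "udp", "10.0.10.120", "10.0.10.1", 53),
        "vlan1_to_vlan3": evaluate(acls["101"], "tcp", "10.0.0.5", "10.0.3.5", 22),
        "vlan1_to_vlan10": evaluate(acls["101"], "tcp", "10.0.0.5", "10.0.10.120", 22),
        "acl101_unreachable": shadowed(acls["101"]),
    }


if __name__ == "__main__":
    for name, verdict in check_policy(ACL_CONFIG).items():
        print(f"{name:24} {verdict}")
```

The evaluator only models what the listing uses (ip/tcp/udp, any, host, wildcard pairs and eq on the destination port); it does not know about established, ranges or named ACLs. The shadowed check is the useful part in practice: a long ACL that grows over time tends to collect entries behind a catch-all that silently do nothing.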
The following configuration sets up a DHCP server on the router with a separate pool for each network. Each pool hands out the router's own sub-interface address as the DNS server, which is why the router is also configured as a DNS forwarder below.
! only hand out ip addresses from 10.0.0.100-10.0.0.149
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.150 10.0.0.255
! only hand out ip addresses from 10.0.3.100-10.0.3.149
ip dhcp excluded-address 10.0.3.1 10.0.3.99
ip dhcp excluded-address 10.0.3.150 10.0.3.255
! only hand out ip addresses from 10.0.10.100-10.0.10.149
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.10.150 10.0.10.255
!
ip dhcp pool pool_vlan1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.1
!
ip dhcp pool pool_vlan3
 import all
 network 10.0.3.0 255.255.255.0
 default-router 10.0.3.1
 dns-server 10.0.3.1
!
ip dhcp pool pool_vlan10
 import all
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 10.0.10.1
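To confirm that the exclusions really leave 10.0.x.100 to 10.0.x.149 for clients, here is a small script, added as an example and not part of the original page. It parses ip dhcp excluded-address and pool network lines (a constructed copy of the listing above) and computes the addresses each pool can lease. The point it makes is that IOS exclusions are global rather than per pool, so every excluded range is applied to every pool; getting one range wrong silently shrinks or widens the leases handed out.

```python
import ipaddress

# Constructed sample: the exclusions and pools from the DHCP listing above.
DHCP_CONFIG = """
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.150 10.0.0.255
ip dhcp excluded-address 10.0.3.1 10.0.3.99
ip dhcp excluded-address 10.0.3.150 10.0.3.255
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.10.150 10.0.10.255
ip dhcp pool pool_vlan1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.1
ip dhcp pool pool_vlan3
 import all
 network 10.0.3.0 255.255.255.0
 default-router 10.0.3.1
 dns-server 10.0.3.1
ip dhcp pool pool_vlan10
 import all
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 10.0.10.1
"""


def parse_dhcp(text):
    """Return (excluded ranges as [(low, high)], {pool name: IPv4Network})."""
    excluded, pools, current = [], {}, None
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "dhcp", "excluded-address"]:
            lo = ipaddress.IPv4Address(t[3])
            hi = ipaddress.IPv4Address(t[4]) if len(t) > 4 else lo  # single-address form
            excluded.append((lo, hi))
        elif t[:3] == ["ip", "dhcp", "pool"]:
            current = t[3]
        elif t[0] == "network" and current is not None:
            pools[current] = ipaddress.IPv4Network(f"{t[1]}/{t[2]}")  # IOS gives a mask, not a prefix
    return excluded, pools


def assignable(network, excluded):
    """Host addresses of the pool network minus every excluded range (exclusions are global)."""
    return [a for a in network.hosts() if not any(lo <= a <= hi for lo, hi in excluded)]


def lease_ranges(text):
    """Per pool: (first leasable address, last leasable address, count), or None if nothing is left."""
    excluded, pools = parse_dhcp(text)
    result = {}
    for name, net in pools.items():
        addrs = assignable(net, excluded)
        result[name] = (str(addrs[0]), str(addrs[-1]), len(addrs)) if addrs else None
    return result


if __name__ == "__main__":
    for pool, rng in lease_ranges(DHCP_CONFIG).items():
        print(pool, rng)
```

Running it against a changed listing is the useful case: drop one excluded-address line, or mistype 10.0.3 as 10.0.0 in one of them, and the affected pool's count immediately differs from the 50 addresses the comments promise.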
To use the Cisco router as a DNS forwarder, the following one-line configuration can be used. The router answers client queries by forwarding them to its own name servers, i.e. the ones learned from the ISP through ppp ipcp dns request on Dialer1 above, or any set explicitly with ip name-server.
ip dns server
NAT / Port forwarding
I never got port range forwarding to work on my router. I ended up writing 100 lines for a range of 100 ports. But this is not shown here for the sake of simplicity.
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
!
! forward port 80 to 10.0.0.4:80
ip nat inside source static tcp 10.0.0.4 80 interface Dialer1 80
!
! enable NAT on the Dialer1 interface for the inside networks
ip nat inside source list 1 interface Dialer1 overload
! access-list 1 must match the inside networks (10.0.0.0/24, 10.0.3.0/24 and 10.0.10.0/24)
access-list 1 permit 10.0.0.0 0.0.255.255
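Rather than typing a hundred static forwarding lines by hand, a script can generate them and check that no outside port ends up claimed by two inside hosts (IOS refuses a second static entry for the same outside port, so the collision is better caught before pasting). The following is an added example, not the author's configuration: it assumes the 10.0.0.4 port-80 forward above is already present and that a hypothetical host 10.0.0.5 should receive a small port range.

```python
import ipaddress

# Constructed sample: the single static forward already present in the listing above.
EXISTING_NAT = [
    "ip nat inside source static tcp 10.0.0.4 80 interface Dialer1 80",
]


def port_range_forwards(inside_ip, first_port, last_port, outside_if="Dialer1", proto="tcp"):
    """Expand a port range into one 'ip nat inside source static' line per port,
    forwarding each outside port to the same port on inside_ip."""
    ipaddress.IPv4Address(inside_ip)  # raises ValueError on a malformed address
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError("ports must satisfy 1 <= first <= last <= 65535")
    return [
        f"ip nat inside source static {proto} {inside_ip} {port} interface {outside_if} {port}"
        for port in range(first_port, last_port + 1)
    ]


def outside_ports(lines):
    """Map (proto, outside port) -> list of inside 'ip:port' targets over all static NAT lines."""
    mapping = {}
    for line in lines:
        t = line.split()
        # ip nat inside source static <proto> <inside-ip> <inside-port> interface <if> <outside-port>
        if len(t) < 11 or t[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        mapping.setdefault((t[5], int(t[10])), []).append(f"{t[6]}:{t[7]}")
    return mapping


def conflicts(existing, new):
    """Sorted (proto, outside port) pairs that more than one inside target would claim."""
    combined = outside_ports(list(existing) + list(new))
    return sorted(key for key, targets in combined.items() if len(targets) > 1)


if __name__ == "__main__":
    new_lines = port_range_forwards("10.0.0.5", 78, 82)  # hypothetical host and range
    print("\n".join(new_lines))
    # tcp/80 is already taken by 10.0.0.4, so this reports [('tcp', 80)]
    print("conflicts:", conflicts(EXISTING_NAT, new_lines))
```

Generated lines are pasted into configuration mode as-is; the conflict check is what saves a reload-time surprise when the range overlaps a port already forwarded to another host, as tcp/80 does in the sample.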