Cisco 897VA ADSL router, ASA 5505 and Aironet 1042N
This is a basic config for a network setup with a broadband connection, consisting of a Cisco ADSL router, an ASA firewall and a Cisco Aironet access point. These device models are end-of-life, so there may be security issues with them. This could be a basic on-premises network setup for a small office.
The Cisco 897VA has an ADSL port which you can use for a broadband internet connection, although the costly copper phone lines have mostly been replaced by fibre optics at present.
ATM0 is the ADSL interface that you plug your phone line into. The MTU is 1500 by default. If you have a broadband connection at present, you should be able to find the PVC from your existing router. The VPI and VCI values make up the PVC (0/38 here); these values may vary.
interface ATM0
 mtu 1500
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
On the Cisco 897VA router, GigabitEthernet8 is the WAN port and the only Layer 3 port that you can configure (apart from the POTS port). You can assign an IP address to this port. Notice that this port is also our inside NAT port.
interface GigabitEthernet8
 ip address 10.0.0.8 255.255.255.0
 ip nat inside
Dialer1 is configured to obtain our public IP by negotiation from the ISP. Once the public IP is obtained, NAT overload (PAT) is needed for all the LAN devices to reach the internet. PAT maps the single public IPv4 address to our private addresses and ports in the LAN. The hostname and password used on the Dialer1 interface are a common username and password used by ISPs. In some countries unique usernames and passwords are used for broadband connections. Where a common username and password is used, a line is probably identified by its unique landline phone number.
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname install@o2broadband.co.uk
 ppp chap password 0 install
You need to specify your pool of addresses for NAT. I used NAT on the router and provided DHCP from the ASA on a different network. It was necessary to add static routes on both the router and the ASA. The default route 0.0.0.0 0.0.0.0 makes sure that any traffic whose destination IP the router does not know is forwarded to the Dialer1 interface and on to the internet.
ip nat pool LAN 10.0.0.1 10.0.0.254 netmask 255.255.255.0
ip nat inside source list LAN interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 GigabitEthernet8 10.0.0.4
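As an added example (not the post's own code), a toy model of what the "ip nat inside source list LAN interface Dialer1 overload" line does: every inside (address, port) pair is mapped onto the single Dialer1 address and told apart by the translated port. The post references access-list LAN but does not show it, so the model assumes it permits both inside networks, and the public address is a constructed stand-in for the negotiated one.

```python
import ipaddress
from itertools import count

# Constructed stand-in for the address negotiated on Dialer1 (TEST-NET-3 range).
PUBLIC_IP = "203.0.113.10"
# access-list LAN is not shown in the post; assumed to permit both inside networks.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.0.0/24")]

class PatTable:
    """Many (inside IP, port) pairs share one public IP; the translated port tells them apart."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=1024):
        self.public_ip = public_ip
        self.out = {}        # (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.back = {}       # (translated port, dst_ip, dst_port) -> (src_ip, src_port)
        self._ports = count(first_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving via Dialer1. Returns (public_ip, port), or None
        when the source is not an inside address the access-list permits."""
        if not any(ipaddress.ip_address(src_ip) in net for net in INSIDE_NETS):
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            port = src_port                          # keep the original port when it is free
            while (port, dst_ip, dst_port) in self.back:
                port = next(self._ports)             # otherwise pick the next unused one
            self.out[key] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out[key]

    def inbound(self, dst_port, src_ip, src_port):
        """Reverse-translate a reply arriving on Dialer1; None means no entry, so it is dropped."""
        return self.back.get((dst_port, src_ip, src_port))


def demo():
    """Two LAN hosts that picked the same source port towards the same server."""
    pat = PatTable()
    a = pat.outbound("10.0.0.20", 40000, "198.51.100.5", 443)
    b = pat.outbound("192.168.0.50", 40000, "198.51.100.5", 443)
    return a, b, pat.inbound(b[1], "198.51.100.5", 443)
```

Note that the "ip nat pool LAN" line is not used by the overload statement, which translates to the Dialer1 interface address instead.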
ASA 5505 config
You need to assign your inside and outside VLANs to two physical ports on your ASA.
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 3
!
For a basic ASA setup you need to specify the outside and inside interfaces of your ASA. The outside interface faces the outside world; the inside interface is our LAN. By default the ASA's outside interface has a security level of 0, which means that the ASA will not trust traffic arriving on this interface. The inside interface, which is Vlan3 here, has a security level of 100, which means that the ASA will trust traffic arriving on this interface.
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.4 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
Static routes are necessary so that the ASA knows how to reach the networks beyond the ones it is directly connected to.
route outside 0.0.0.0 0.0.0.0 10.0.0.8 1
route outside 10.0.1.0 255.255.255.0 10.0.0.8 1
Specify the DHCP scope for your network. I've used the ASA as my DHCP server.
dhcpd address 192.168.0.11-192.168.0.254 inside
dhcpd dns xxx.xxx.xxx.xxx interface inside
dhcpd enable inside
One way to make ping traffic go through the ASA is to have the ASA inspect ICMP using a policy map. You can also do this with the command fixup protocol icmp. Below is the config. With this in place you can ping devices on the internet from your LAN; otherwise the echo replies coming back in are dropped and you will not be able to ping anything on the internet from a device in your LAN.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
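As an added example (not the post's own code), a toy model of the two ASA behaviours described above: the security-level rule (100 to 0 is allowed and remembered, 0 to 100 only as the return half of a flow the ASA already knows) and what "inspect icmp" adds, which is tracking echo requests by source, destination and identifier so that only the matching echo replies get back in. Interface names and levels are the post's; the hosts and packets are constructed.

```python
# nameif -> security-level, as in the post's Vlan2/Vlan3 config
SECURITY_LEVEL = {"outside": 0, "inside": 100}

class Asa:
    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.flows = set()         # connection table of flows seen leaving a higher-level interface

    def _key(self, pkt, reverse=False):
        """Flow key for a packet; reverse=True builds the key its reply would need to match."""
        src, dst = (pkt["dst"], pkt["src"]) if reverse else (pkt["src"], pkt["dst"])
        if pkt["proto"] == "icmp":
            # Without "inspect icmp" the ASA keeps no ICMP state: nothing to track or match.
            return ("icmp", src, dst, pkt["id"]) if self.inspect_icmp else None
        sport, dport = (pkt["dport"], pkt["sport"]) if reverse else (pkt["sport"], pkt["dport"])
        return (pkt["proto"], src, sport, dst, dport)

    def forward(self, ingress, egress, pkt):
        """Return 'permit' or 'drop' for a packet entering ingress and leaving egress."""
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            key = self._key(pkt)                     # high -> low: allowed, remember the flow
            if key is not None:
                self.flows.add(key)
            return "permit"
        # low -> high: only the reverse of a known flow (the post has no inbound ACL)
        return "permit" if self._key(pkt, reverse=True) in self.flows else "drop"

# Constructed packets: a LAN host pinging an internet host (TEST-NET-2 address)
ECHO_REQ = {"proto": "icmp", "src": "192.168.0.50", "dst": "198.51.100.5", "id": 0x1234}
ECHO_REP = {"proto": "icmp", "src": "198.51.100.5", "dst": "192.168.0.50", "id": 0x1234}

def ping_from_lan(inspect_icmp):
    """Returns what the ASA does with the echo reply to a ping sent from the LAN."""
    asa = Asa(inspect_icmp)
    asa.forward("inside", "outside", ECHO_REQ)
    return asa.forward("outside", "inside", ECHO_REP)

def unsolicited_ping_from_internet(inspect_icmp):
    """An echo request arriving from outside with no matching outbound request."""
    probe = {"proto": "icmp", "src": "198.51.100.5", "dst": "192.168.0.50", "id": 0x0001}
    return Asa(inspect_icmp).forward("outside", "inside", probe)
```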
Access point config
With the command below the access point will point any DHCP clients to the DHCP server. This is the DHCP helper address.
ip dhcp-server 10.0.0.8
!
dot11 ssid AP1
 vlan 31
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 "wireless password"
!
dot11 network-map
bridge irb
The Dot11Radio0 interface is the 2.4 GHz wireless interface.
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 31 mode ciphers aes-ccm
 !
 ssid AP1
!
interface Dot11Radio0.31
 encapsulation dot1Q 31 native
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.31
 encapsulation dot1Q 31 native
 bridge-group 1
The Aironet 1042N has a graphical interface that you can use to configure it; below is the command to enable it. However, it is a bit slow compared to the Cisco IOS command line. Rather than needing a program such as CCP (now discontinued), the Aironet has its own GUI. GUI platforms such as Cisco Meraki cloud are far superior though. A GUI also helps in showing all the features the access point has. You will use the BVI interface IP to connect to the GUI.
ip http server
no ip http secure-server
!
interface BVI1
 ip address 192.168.0.7 255.255.255.0
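As an added defender's check (not the post's own code), a small audit script over the post's own configuration lines: it flags the CHAP password kept as type 0, the WPA PSK kept as type 7, and the GUI being reachable over plaintext HTTP only. CONFIG is a constructed excerpt of the lines quoted in the post (the PSK is the post's placeholder), and the rules are general IOS/ASA hygiene checks rather than anything specific to these device models.

```python
import re

# Constructed excerpt of the post's own configuration lines.
CONFIG = """\
interface Dialer1
 ppp authentication chap callin
 ppp chap hostname install@o2broadband.co.uk
 ppp chap password 0 install
dot11 ssid AP1
 wpa-psk ascii 7 "wireless password"
ip http server
no ip http secure-server
interface Vlan2
 security-level 0
"""

# Per-line rules: (pattern, finding). Type 0 is plain text; type 7 is a reversible
# obfuscation, so neither protects the secret from anyone who can read the config.
LINE_RULES = [
    (re.compile(r"^\s*ppp chap password 0 "),
     "CHAP password stored as type 0: readable in plain text in the running-config"),
    (re.compile(r"^\s*wpa-psk ascii 7 "),
     "WPA PSK stored as type 7: reversible obfuscation, not encryption"),
]

def audit(config):
    """Return a list of (line number, finding); line 0 marks whole-config findings."""
    lines = config.splitlines()
    findings = [(n, msg) for n, line in enumerate(lines, 1)
                for rx, msg in LINE_RULES if rx.search(line)]
    stripped = {line.strip() for line in lines}
    # Cross-line check: HTTP on and HTTPS explicitly off means GUI logins cross the LAN in clear.
    if "ip http server" in stripped and "no ip http secure-server" in stripped:
        findings.append((0, "GUI only over plaintext HTTP: prefer ip http secure-server "
                            "and no ip http server"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(CONFIG):
        print(f"line {n}: {msg}")
```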
Credits to The Null Route blog, where I was able to find the login information for the dialer to establish the ADSL connection with the ISP. Please note that some ISPs specify in their Terms & Conditions that you cannot use your own equipment with their broadband connection.