Why would you want to do this? Simple: you can use this setup in your home, in a dorm room, in an apartment, etc. It is the most common small office or home office setup.
My specific use case is for a dorm, and you may ask why I can't use a switch. Well, when BPDU Guard is enabled on a port, it will shut down the port if it receives a BPDU (Bridge Protocol Data Unit) from an unauthorized switch. This helps maintain the integrity of the spanning tree topology and prevents network loops.
Here is the topology in my use case, where the WAN is the patch port in my dorm. On a home network, the WAN could instead be the connection to your cable modem or fiber WAN uplink.

I will be using the Cisco ISR C891-F, which is an older Integrated Services Router that can be found on eBay from $20-$40 on a good day. Note that it can barely do a 500 Mbps connection, LOL. If you can find something newer for cheap and have a WAN uplink that is faster than 500 Mbps, you should by all means go for that instead.

The 891F has 2 WAN ports (1xGbE + 1xFE) and 8 LAN ports, essentially a built-in switch (4 PoE ports and 4 non-PoE ports).
If the device is not a Cisco device, you will have to use your braincells to translate these commands for whatever OS your device is running, but in the end the configuration will be essentially the same.
- Configure WAN Interface
  - *Your interfaces will probably be different unless you are using the ISR C891F which is what I am using*
  - Commands
    - enable
    - configure terminal
    - interface g8
    - ip address dhcp
    - no shutdown
    - ip nat outside
    - exit
- Configure VLAN
  - Enter configuration mode if not already (conf t)
  - Commands
    - int vlan10
    - ip address 192.168.1.1 255.255.255.0
    - ip nat inside
    - no shutdown
    - exit
- Configure LAN Interfaces
  - Enter configuration mode if not already (conf t)
  - Commands
    - int range g0 - 7
    - switchport mode access
    - switchport access vlan 10
    - exit
- Configure access list for NAT
  - access-list 1 permit 192.168.1.0 0.0.0.255
  - ip nat inside source list 1 interface g8 overload
- Security and final steps
  - Configure password on console interface
    - Commands (must be entered in configuration mode; I will include the shortened commands to escalate your privilege). Do not include the brackets, and use your own password.
      - en
      - conf t
      - service password-encryption
      - line con 0
      - password [your_password]
      - login
      - exit
    - You will be prompted for a password the next time you log in from the console. This security should be fine for a small home network where you will probably not encounter an insider threat.
  - You will either need to configure DHCP on your LAN (through the ISR or another device on the LAN) or you can manually assign IP addresses to your LAN clients.
  - After that you should be up and running!
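
An added example, not part of the original post, covering the two final steps above: a DHCP pool on the router for the 192.168.1.0/24 VLAN, and a console login that uses hashed `secret` credentials rather than a line password. The pool name, excluded range, DNS server and username are assumptions; replace the bracketed placeholders with your own values and leave the brackets out.

```cisco
! Added example; not from the original post. Bracketed values are placeholders.
enable
configure terminal
!
! --- DHCP for VLAN 10 clients ---
! Keep the gateway and a block for statically addressed devices out of the pool
! (the .1-.19 range is an assumption).
ip dhcp excluded-address 192.168.1.1 192.168.1.19
! "LAN" is a hypothetical pool name; 1.1.1.1 is an assumed public resolver.
! Lease time is 1 day.
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 1.1.1.1
 lease 1
 exit
!
! --- Console login backed by hashed secrets ---
! "secret" stores a one-way hash. The type 7 encoding applied by
! service password-encryption to line passwords is reversible.
! "admin" is a hypothetical username.
enable secret [your_enable_secret]
username admin privilege 15 secret [your_password]
line con 0
 login local
 exit
end
!
! --- Verify ---
! Leases handed out, active NAT translations, and how credentials are stored
show ip dhcp binding
show ip nat translations
show running-config | include secret
```

Create the `username` entry before applying `login local`, as ordered here, so the console is never left without a valid login.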
