Upgrade Cisco IOS on the 877W

Yesterday it struck me that I was using a less secure wireless setup while a more secure one was just a simple configuration change away. While adjusting the configuration I noticed the software version was pretty dated: my last IOS update (12.4.24T1) was from May 2009. To stay current I decided to upgrade my home router.

12.4.24T8, released on 19 September 2012, is the latest IOS in the 12.4T series. My router doesn’t have enough flash capacity to hold the newer 15.1.4 release, so I will stick with the 12.4.24 release and downloaded c870-advipservicesk9-mz.124-24.T8.bin from Cisco.

I have described the steps below so it will be a walk in the park next time.


877W wireless config

As mentioned earlier, I would post the wireless configuration of my Cisco 877W router as soon as I had it working the way I like. This setup does not use the commonly used IRB bridge option; the radio subinterface is routed directly. The configuration will also work on the 857W model.

[code lang=”text”]
!
dot11 ssid
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool wireless
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server
!
interface Dot11Radio0
no ip address
!
encryption vlan 2 mode ciphers tkip
!
ssid
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel least-congested 2412 2442 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
description WLAN vlan2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface Vlan2
no ip address
!
[/code]

On the (outside) Dialer0 interface I had to add the following line to enable NAT:
[code lang=”text”]
ip nat outside
[/code]

Finally, you’ll need the following ip nat and access-list lines to make it work:
[code lang=”text”]
ip nat inside source list 103 interface Dialer0 overload
access-list 103 remark Traffic allowed to enter the router from the WLAN
access-list 103 permit 192.168.2.0 0.0.0.255
[/code]
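One caveat on the snippet above: it pairs WPA key management with the TKIP cipher (encryption vlan 2 mode ciphers tkip). TKIP was a stop-gap for WEP-era hardware and has since been deprecated; on 12.4 autonomous AP code the same SSID can run WPA2 with AES-CCMP instead. The following is an added example, not the author’s configuration or code: a small Python audit that reads a config in this syntax, flags TKIP, WPA1 key management and a type-0 (cleartext) PSK, and emits the replacement lines. The SSID name HOMENET and the passphrase are placeholders for values the page leaves out.

```python
"""Audit the wireless cipher and key-management lines of an IOS 12.4 autonomous
AP style config. Added example, not the page's code; the SSID name HOMENET and
the passphrase below are placeholders for values the page leaves out."""
import re

WEAK_CIPHERS = {"tkip", "wep40", "wep128"}

# Constructed sample: the page's wireless snippet with placeholder SSID and PSK.
SAMPLE_CONFIG = """\
dot11 ssid HOMENET
   vlan 2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 ExamplePassphrase
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid HOMENET
"""


def parse_wireless(config: str) -> dict:
    """Collect per-SSID settings and the cipher suite configured per VLAN."""
    ssids, ciphers, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"dot11 ssid (\S+)$", line):
            cur = ssids.setdefault(m.group(1),
                                   {"vlan": None, "wpa_version": None, "psk_cleartext": False})
            continue
        if cur is not None:
            if m := re.match(r"vlan (\d+)$", line):
                cur["vlan"] = int(m.group(1))
            elif m := re.match(r"authentication key-management wpa(?: version (\d))?$", line):
                cur["wpa_version"] = int(m.group(1) or 1)   # no 'version' keyword = WPA1
            elif line.startswith("wpa-psk ascii 0 "):
                cur["psk_cleartext"] = True   # type 0: PSK appears verbatim in the config
            elif line in ("!", "") or line.startswith("interface"):
                cur = None   # end of the dot11 ssid block
        if m := re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)$", line):
            ciphers[int(m.group(1)) if m.group(1) else None] = m.group(2).split()
    return {"ssids": ssids, "ciphers": ciphers}


def audit(config: str) -> list:
    """One finding per SSID, with the IOS lines that would harden it."""
    data, findings = parse_wireless(config), []
    for name, s in data["ssids"].items():
        suite = data["ciphers"].get(s["vlan"]) or data["ciphers"].get(None, [])
        weak = sorted(c for c in suite if c in WEAK_CIPHERS)
        fixes = []
        if weak:   # same VLAN, AES-CCMP instead of TKIP/WEP
            prefix = f"encryption vlan {s['vlan']} " if s["vlan"] else "encryption "
            fixes.append(prefix + "mode ciphers aes-ccm")
        if (s["wpa_version"] or 0) < 2:   # missing or WPA1 key management
            fixes.append("authentication key-management wpa version 2")
        findings.append({"ssid": name, "vlan": s["vlan"], "ciphers": suite, "weak_ciphers": weak,
                         "wpa_version": s["wpa_version"], "psk_cleartext": s["psk_cleartext"],
                         "fixes": fixes})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"SSID {f['ssid']} vlan {f['vlan']}: ciphers={f['ciphers']} "
              f"wpa_version={f['wpa_version']} psk_cleartext={f['psk_cleartext']}")
        for fix in f["fixes"]:
            print("  replace with:", fix)
```

Feed it a saved show running-config instead of the sample to audit a real box. The encryption line belongs under interface Dot11Radio0 and the key-management line inside the dot11 ssid block; clients that only speak TKIP will drop off once the cipher suite changes. The type-0 PSK finding is about the running config itself: service password-encryption would turn it into a type 7 string, which is reversible, so treat any saved config as a secret either way.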

You can use the show dot11 or debug dot11 commands to troubleshoot. For example, the following output shows an associated device:
[code lang=”text”]
router#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [] :

MAC Address IP address Device Name Parent State
xxxx.xxxx.xxxx 192.168.2.2 unknown – self Assoc

router#
[/code]

Enjoy being wireless!

New ISP, new router

Recently I had to choose another ISP for my home internet connection, and because my previous modem was a bit limited in its capabilities I decided it was time to invest in a Cisco 877W Integrated Services Router.
The main reason for choosing the 877W is that I used to work with Cisco appliances, so I’m familiar with IOS and like managing the device from the CLI.

After unpacking the device I connected the serial console cable that comes with the 877W to my laptop and turned on the device. The first step was to get the internal LAN working. My new internet connection comes with 8 public IP addresses, so I had to move my internal LAN from private address space to public. With the LAN part done I could set up the WAN interface, which took quite some time to get right.

While exploring the device it turned out that the preinstalled IOS version was a really old one, dating back to 2006. I decided to load a more recent image: better safe than sorry.

With the following specs I’ve created a configuration that works well for the SurfSnel ADSL product of InterNLnet:

Provider: InterNLnet (SurfSnel ADSL)
Protocol: PPPoA routed (RFC 2364)
Encapsulation: VC MUX
VPI/VCI: 0/35
Authentication: PAP

[code lang=”text”]
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
ip cef
!
!
ip inspect name firewall appfw firewall
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name yourdomain.com
ip name-server 217.149.196.6
ip name-server 217.149.192.6
!
appfw policy-name firewall
application http
strict-http action allow alarm
content-type-verification unknown-type match-req-rsp action allow alarm
port-misuse tunneling action allow alarm
!
!
archive
log config
hidekeys
!
!
interface ATM0
description Physical ADSL (ATM) Interface
no ip address
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0.1 point-to-point
description ATM subinterface enables PPP over ATM
no ip proxy-arp
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
!
interface Vlan1
ip address 145.99.xxx.xxx 255.255.255.248
ip access-group 102 in
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect firewall in
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp pap sent-username @dsl.inter.nl.net password 0
ppp ipcp dns request
ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 remark DNS In and Out
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 remark DHCP client requests
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 remark NTP client requests
access-list 101 permit udp host 192.87.106.2 eq ntp any eq ntp
access-list 101 permit udp host 192.87.36.4 eq ntp any eq ntp
access-list 101 permit udp host 192.87.110.2 eq ntp any eq ntp
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179591
ntp source Vlan1
ntp server 192.87.36.4
ntp server 192.87.106.2 prefer
ntp server 192.87.110.2
end
[/code]

The above configuration will most likely also work on the 857W! As you’ll probably notice, the wireless configuration has not been set up yet; more on that later.
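One thing to check before copying the Dialer0 section: it applies ip inspect firewall in on the outside interface together with ip access-group 101 in. In Cisco’s CBAC model the inspection rule on an external interface is normally applied outbound, so that sessions started from the LAN get temporary openings in the inbound ACL. With both applied inbound, the return path of LAN-initiated traffic rests entirely on the static lines in ACL 101, and those are coarser than a stateful opening: established passes any TCP segment with the ACK (or RST) bit set, and the line permit udp any eq domain any gt 1023 passes UDP from any host that uses source port 53 to any port above 1023. The following added example (not the page’s code) makes that visible: a small evaluator that parses a subset of the page’s ACL 101 and the NAT list 103 and runs constructed packets through them. The public address 145.99.0.2 and the remote hosts 203.0.113.7 and 198.51.100.1 are placeholders.

```python
"""Run constructed packets through the page's ACL 101 and 103 (added example, not
the page's code). Handles only the syntax the page uses: numbered standard and
extended entries, any/host/wildcard addresses, eq/gt/lt ports, 'established' and
the ICMP type keywords of ACL 101. ACL_CONFIG keeps a subset of the page's lines."""
from dataclasses import dataclass

WAN = "145.99.0.2"   # placeholder for the router's public address (constructed)
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "ntp": 123}
ICMP_NAMES = {"echo": (8, None), "echo-reply": (0, None), "unreachable": (3, None),
              "packet-too-big": (3, 4), "administratively-prohibited": (3, 13),
              "time-exceeded": (11, None), "traceroute": (30, None)}   # (type, code|any)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_CONFIG = """\
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit udp host 192.87.106.2 eq ntp any eq ntp
access-list 101 deny ip any any log
access-list 103 permit 192.168.2.0 0.0.0.255
"""

@dataclass
class Packet:
    proto: str          # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) bit set: all that 'established' tests
    icmp_type: int = -1
    icmp_code: int = 0

def _ip(a):
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

def _addr_match(ip, rule):
    base, wc = rule                       # IOS wildcard: set bits are don't-care
    care = ~_ip(wc) & 0xFFFFFFFF
    return (_ip(ip) & care) == (_ip(base) & care)

def _parse_addr(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> ((address, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    has_wc = i + 1 < len(t) and t[i + 1][0].isdigit()
    return (t[i], t[i + 1] if has_wc else "0.0.0.0"), i + (2 if has_wc else 1)

def _parse_port(t, i):
    """Optional 'eq|gt|lt PORT', returned as a predicate on a port number."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        op, n = t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (lambda p: p == n if op == "eq" else p > n if op == "gt" else p < n), i + 2
    return (lambda p: True), i

def parse_acl(config, number):
    """Entries of one numbered ACL, in order, as dicts."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, rest = t[2], t[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):          # extended entry
            proto, i = rest[0], 1
            src, i = _parse_addr(rest, i)
            sport, i = _parse_port(rest, i)
            dst, i = _parse_addr(rest, i)
            dport, i = _parse_port(rest, i)
        else:                                                # standard entry: source only
            proto, dst = "ip", ANY
            sport = dport = (lambda p: True)
            src, i = _parse_addr(rest, 0)
        flags = rest[i:]
        entries.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                            dport=dport, established="established" in flags, text=line.strip(),
                            icmp=next((ICMP_NAMES[f] for f in flags if f in ICMP_NAMES), None)))
    return entries

def evaluate(entries, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        itype, icode = e["icmp"] or (pkt.icmp_type, None)
        if (e["proto"] in ("ip", pkt.proto)
                and _addr_match(pkt.src, e["src"]) and _addr_match(pkt.dst, e["dst"])
                and e["sport"](pkt.sport) and e["dport"](pkt.dport)
                and (pkt.ack or not e["established"])
                and pkt.icmp_type == itype and (icode is None or pkt.icmp_code == icode)):
            return e["action"], e["text"]
    return "deny", "implicit deny ip any any"

def verdict(number, pkt):
    return evaluate(parse_acl(ACL_CONFIG, number), pkt)[0]

if __name__ == "__main__":
    probes = [  # constructed; 203.0.113.7 stands for an arbitrary Internet host
        ("reply of a LAN-initiated HTTPS session", Packet("tcp", "203.0.113.7", WAN, 443, 51000, ack=True)),
        ("new SSH connection from the Internet (SYN)", Packet("tcp", "203.0.113.7", WAN, 51000, 22)),
        ("ACK-only probe to SSH: 'established' is a flag check", Packet("tcp", "203.0.113.7", WAN, 51000, 22, ack=True)),
        ("any host, source port 53, to any port above 1023", Packet("udp", "203.0.113.7", WAN, 53, 40000))]
    for label, pkt in probes:
        print(f"{verdict(101, pkt):7}{label}")
```

The evaluator only models the ACL; what CBAC adds dynamically, and what the router’s own TCP stack does with a stray ACK, is outside it. The useful outcome is the contrast between the SYN and the ACK-only probe to port 22 (one denied, one permitted) and the permit for an unsolicited UDP datagram from source port 53, which is exactly the traffic a stateful return path would not have to allow.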