Upgrade Cisco IOS on the 877W

Cisco LogoYesterday it struck me I was using a less secure wireless setup while the more secure was just a simple configuration change away. While adjusting the configuration I noticed the software version was pretty dated because my last IOS update (12.4.24T1) was from May 2009. To stay current I decided to upgrade my home router.

12.4.24T8 is the latest IOS in the 12.4T series. This version was released on 19 September 2012. I don’t have enough flash capacity to store the new 15.1.4 release, so I will stick with the 12.4.24 release. So I downloaded c870-advipservicesk9-mz.124-24.T8.bin from Cisco.

I have described the steps below so it will be a walk in the park next time.

Read More

877W wireless config

As mentioned earlier I would post my wireless configuration of the Cisco 877W router as soon as I got it to work the way I like. In this setup the commonly used IRB bridge option is not used. This configuration will also work on the 857W model.

!
dot11 ssid <your ssid>
   vlan 2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 <your password>
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool wireless
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server <dns server> <dns server>
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid <your ssid>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 description WLAN vlan2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Vlan2
 no ip address
!

On the (outside) dialer0 interface I had to add the following line to enable NAT:

ip nat outside

And at last you’ll need the next ip nat and access-list lines to make it work:

ip nat inside source list 103 interface Dialer0 overload
access-list 103 remark Traffic allowed to enter the router from the WLAN
access-list 103 permit 192.168.2.0 0.0.0.255

You can use the show dot11 or debug dot11 commands to troubleshoot. For example, the following output displays a associated device:

router#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [<your ssid>] :

MAC Address    IP address      Device        Name            Parent         State
xxxx.xxxx.xxxx 192.168.2.2     unknown       -               self           Assoc

router#

Enjoy being wireless!

New ISP, new router

Recently I had to choose another ISP for my home internet connection, and because my previous modem was a bit limited in it’s capabilities I decided it was time to invest in a Cisco 877W Integrated Services Router.
The main reason to choose for the 877W is that I used to work with Cisco appliances, so I’m familiar with IOS and like the CLI to manage the device.

After unpacking the device I connected the serial console cable which comes with the 877W to my laptop and turned on the device. The first step was to make the internal LAN work. My new internet connection comes with 8 public IP addresses, so I had to change my internal LAN from private space to public. Now the LAN part was done I could setup the WAN interface, which took quite some time to figure out how to setup correctly.

While discovering the device it appeared that the preinstalled IOS version was a really old one that goes back to 2006. I decided to load a more recent firmware image, better safe than sorry.

With the following specs I’ve created a configuration that works well for the SurfSnel ADSL product of InterNLnet:

Provider: InterNLnet (SurfSnel ADSL)
Protocol: PPPoA routed (RFC 2364)
Encapsulation: VC MUX
VPI/VCI: 0/35
Authentication: PAP

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
ip cef
!
!
ip inspect name firewall appfw firewall
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name yourdomain.com
ip name-server 217.149.196.6
ip name-server 217.149.192.6
!
appfw policy-name firewall
  application http
    strict-http action allow alarm
    content-type-verification unknown-type match-req-rsp action allow alarm
    port-misuse tunneling action allow alarm
!
!
archive
 log config
  hidekeys
!
!
interface ATM0
 description Physical ADSL (ATM) Interface
 no ip address
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl enable-training-log
!
interface ATM0.1 point-to-point
 description ATM subinterface enables PPP over ATM
 no ip proxy-arp
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
!
interface Vlan1
 ip address 145.99.xxx.xxx 255.255.255.248
 ip access-group 102 in
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect firewall in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp pap sent-username <username>@dsl.inter.nl.net password 0 <password>
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit tcp any any established
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 remark DNS In and Out
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 remark DHCP client requests
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 remark NTP client requests
access-list 101 permit udp host 192.87.106.2 eq ntp any eq ntp
access-list 101 permit udp host 192.87.36.4 eq ntp any eq ntp
access-list 101 permit udp host 192.87.110.2 eq ntp any eq ntp
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179591
ntp source Vlan1
ntp server 192.87.36.4
ntp server 192.87.106.2 prefer
ntp server 192.87.110.2
end

The above configuration will most likely also work on the 857W! As you’ll probably notice the wireless configuration has not been setup, so later more on this story..