Building a home wired router with a Cisco C840MJ
Roughly speaking, the setup looks like this.
- GE0/0 - 0/3 are the LAN ports for PCs and the NAS
- Link-up on GE0/0 - 0/3 is slow, so spanning-tree portfast is configured on them
- GE0/4 is unused (planned for a DMZ or similar)
- GE0/5 is the WAN port, connected to an ONU that has no router function
- IPv6 is disabled
- AnyConnect (VPN) is not configured
- Security is left to CBAC as the bare minimum
- The web console is turned off
Configuration
#show running-config <Enter>
Building configuration...
Current configuration : 4039 bytes
!
! Last configuration change at xx:xx:xx JST Xxx Xxx xx 2021 by tsanvr
! NVRAM config last updated at xx:xx:xx JST Xxx Xxx xx 2021 by tsanvr
!
version 15.5
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname localrouter
!
boot-start-marker
boot system flash:c800m-universalk9-mz.SPA.155-3.M10.bin
boot-end-marker
!
!
logging buffered 512000
no logging console
enable secret 5 <Password-Strings>
!
no aaa new-model
ethernet lmi ce
clock timezone JST 9 0
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool dhcp0
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 192.168.100.1
!
ip domain name localdomain.net
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC udp router-traffic
ip inspect name CBAC ftp
ip inspect name CBAC icmp router-traffic
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
license udi pid C841M-4X-JSEC/K9 sn [SerialNumber]
!
!
username <Username-Strings> privilege 15 secret 9 <Password-Strings>
!
redundancy
!
no cdp run
!
interface GigabitEthernet0/0
switchport access vlan 10
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet0/1
description WLAN-AP
switchport access vlan 10
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet0/2
switchport access vlan 10
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport access vlan 10
no ip address
no cdp enable
spanning-tree portfast
!
interface GigabitEthernet0/4
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/5
no ip address
duplex auto
speed auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH_LAN$
no ip address
shutdown
!
interface Vlan10
description $ETH_LAN$
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description ISPConnectionStrings
mtu 1454
ip address negotiated
ip access-group INTERNET in
ip nat outside
ip inspect CBAC out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1414
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp mtu adaptive
ppp authentication chap callin
ppp chap hostname username@flets.domain.jp
ppp chap password 7 <PasswordStrings>
ppp ipcp dns request accept
ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
ip scp server enable
!
ip access-list extended INTERNET
deny ip any any
!
dialer-list 1 protocol ip permit
!
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
line con 0
logging synchronous
login local
no modem enable
line vty 0 4
access-class 1 in
privilege level 15
logging synchronous
line vty 5 15
access-class 1 in
privilege level 15
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp source Dialer1
ntp update-calendar
ntp server ntp.nict.jp prefer
!
end
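The summary above lists the management-plane settings this design relies on (web console off, CDP off, CBAC on the WAN side, SSH-only vty lines restricted by access-class). Below is an added example, not part of the original post, that audits a running-config for exactly those points. The parser splits the config into top-level commands and indented blocks; the check names (parse_config, audit) and the embedded sample are ours, the sample being a constructed, reduced copy of the config printed above. Run over the vty blocks as they appear on this page, it reports which of them lack login local and transport input ssh.

```python
"""Audit an IOS running-config for the hardening points this page's design relies on.

Added example (not from the original post). The embedded sample is a constructed,
reduced copy of the page's running-config; the checks and function names are ours.
"""
import re

SAMPLE_CONFIG = """\
service password-encryption
no ip http server
no ip http secure-server
no cdp run
interface Dialer1
 ip address negotiated
 ip access-group INTERNET in
 ip nat outside
 ip inspect CBAC out
ip access-list extended INTERNET
 deny ip any any
line vty 0 4
 access-class 1 in
 privilege level 15
 logging synchronous
line vty 5 15
 access-class 1 in
 privilege level 15
 logging synchronous
 login local
 transport input ssh
"""


def parse_config(text):
    """Return (top_level_commands, blocks) where blocks maps a block header such as
    'line vty 0 4' to the list of its indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and comment separators
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(text):
    """Return a list of findings (strings); an empty list means every check passed."""
    top, blocks = parse_config(text)
    findings = []
    # Global settings the page's summary calls for: web console off, CDP off,
    # plus password obfuscation in the stored config.
    for required in ("no ip http server", "no ip http secure-server",
                     "service password-encryption", "no cdp run"):
        if required not in top:
            findings.append(f"global: missing '{required}'")
    # Every NAT-outside interface needs an inbound ACL and outbound CBAC inspection.
    for header, body in blocks.items():
        if header.startswith("interface") and "ip nat outside" in body:
            if not any(re.match(r"ip access-group \S+ in$", cmd) for cmd in body):
                findings.append(f"{header}: no inbound access-group")
            if not any(re.match(r"ip inspect \S+ out$", cmd) for cmd in body):
                findings.append(f"{header}: no outbound ip inspect")
    # Every vty block should be SSH-only, use local login, and carry an access-class.
    for header, body in blocks.items():
        if header.startswith("line vty"):
            for required in ("transport input ssh", "login local"):
                if required not in body:
                    findings.append(f"{header}: missing '{required}'")
            if not any(cmd.startswith("access-class ") for cmd in body):
                findings.append(f"{header}: no access-class")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) and the same checks apply to the full config; the checks are deliberately literal string matches so that a setting that was typed slightly differently shows up as a finding rather than silently passing.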
I suppose this is roughly what a broadband router looks like.
Fixed IP addresses via DHCP
You can easily hand out a fixed IP address.
!
ip dhcp pool dhcp1
import all
host 192.168.100.201 255.255.255.0
client-identifier <MacAddress>
default-router 192.168.100.1
dns-server 192.168.100.1
!
If you try to register an IP address that has already been leased as a fixed address, the router complains. Clear the lease information first.
#clear ip dhcp binding *
Port forwarding
This is one example of exposing a web server to the internet.
IP NAT INSIDE settings
ip nat inside source static tcp 192.168.100.201 443 interface Dialer 1 443
ip nat inside source static tcp 192.168.100.201 80 interface Dialer 1 80
IP ACCESS-LIST settings
The configuration below is only a sketch.
ip access-list extended INTERNET
100 permit tcp any host 192.168.100.201 eq 443
101 permit tcp any host 192.168.100.201 eq 80
200 deny ip any any
Finally, verify the order and the entries with show access-lists. Always do this.
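Because an ACL entry that fails to parse is rejected by the router while a subtly wrong one is accepted and silently never matches, it pays to lint the sketch before pasting it. The following is an added example, not code from the original post: a checker for named extended ACLs of the shape used above that rejects malformed IPv4 addresses, flags a single address written without the host keyword or a wildcard, requires ascending sequence numbers, and requires an explicit deny ip any any at the end. The function names (lint_acl, parse_address, valid_ipv4) and the sample ACL are ours; the sample carries one deliberately malformed address so the output shows what a finding looks like.

```python
"""Lint a named extended ACL before pasting it into the router.

Added example (not from the original post). Entries are expected in the form
'<seq> permit|deny <proto> <src> <dst> [eq <port>]'. The sample ACL is constructed
and contains one deliberately malformed address (a five-digit octet).
"""
import re

SAMPLE_ACL = """\
ip access-list extended INTERNET
 100 permit tcp any host 192.168.100.201 eq 443
 101 permit tcp any 192.168.1100.201 eq 80
 200 deny ip any any
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def valid_ipv4(token):
    """True only for four dotted octets each in 0..255."""
    m = IPV4.match(token)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def parse_address(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next_index, problems)."""
    problems = []
    if i >= len(tokens):
        return "?", i, ["missing address"]
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1, problems
    if tok == "host":
        if i + 1 >= len(tokens):
            return "host ?", i + 1, ["'host' keyword without an address"]
        addr = tokens[i + 1]
        if not valid_ipv4(addr):
            problems.append(f"malformed address {addr}")
        return f"host {addr}", i + 2, problems
    if not valid_ipv4(tok):
        problems.append(f"malformed address {tok}")
    # A bare address must be followed by a wildcard mask; otherwise the entry is
    # missing either the 'host' keyword or the wildcard.
    if i + 1 < len(tokens) and valid_ipv4(tokens[i + 1]):
        return f"{tok} {tokens[i + 1]}", i + 2, problems
    problems.append(f"{tok} has no wildcard; write 'host {tok}' for a single address")
    return tok, i + 1, problems


def lint_acl(text):
    """Return a list of problems found in the ACL text; empty means it looks sound."""
    problems, last_seq, last_entry = [], -1, None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("ip access-list extended "):
        return ["missing 'ip access-list extended <name>' header"]
    for line in lines[1:]:
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit() or tokens[1] not in ("permit", "deny"):
            problems.append(f"cannot parse entry: {line}")
            continue
        seq = int(tokens[0])
        if seq <= last_seq:
            problems.append(f"sequence {seq} is not ascending (after {last_seq})")
        last_seq = seq
        action, proto = tokens[1], tokens[2]
        src, i, p = parse_address(tokens, 3)
        problems += [f"seq {seq}: {x}" for x in p]
        dst, i, p = parse_address(tokens, i)
        problems += [f"seq {seq}: {x}" for x in p]
        last_entry = (action, proto, src, dst, tokens[i:])
    # CBAC opens return traffic dynamically; everything else must be dropped explicitly.
    if last_entry != ("deny", "ip", "any", "any", []):
        problems.append("list does not end with an explicit 'deny ip any any'")
    return problems


if __name__ == "__main__":
    for problem in lint_acl(SAMPLE_ACL):
        print(problem)
```

One thing a syntax lint cannot catch, and which the sketch above glosses over: an access-group applied inbound on Dialer1 is evaluated before outside-to-inside NAT translation, so the entries that are meant to match forwarded traffic must describe the destination as it arrives on the WAN side. Check the counters in show access-lists after a test connection to confirm the intended entry is the one being hit.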
Depending on the vendor, port forwarding goes by a different name in the configuration UI: port mapping, IP masquerade, port translation under address translation, NAPT, and so on.