Configuring routing and ACL for Cisco 891 router

Hi,

DHCP setup ought to be working already;

for NAT, add the appropriate entries to the interfaces and the actual NAT rule:

interface GigabitEthernet8
  ip nat outside
interface vlan1000
  ip nat inside
ip nat pool VIDEO_OUTSIDE 114.22.169.83 114.22.169.83 mask 255.255.255.0
ip nat inside source list VIDEO pool VIDEO_OUTSIDE overload reversible
ip access list standard VIDEO
  permit host 192.168.1.250

Select allOpen in new window

In order to allow routing to the outside for the rest of the machines, you need to add more NAT:

ip nat inside source list LAN int gi8 overload
ip access list standard LAN
  deny host 192.168.1.250
  permit 192.168.1.0 0.0.0.255

Select allOpen in new window

As for the ACL, without outside->inside NAT, you already have an implicit access control ... except access to the router itself, which you can fix with an access group on the VTY ...

access-list 23 permit 192.168.1.0 0.0.0.255
line vty 0 4
  access-class 23 in

Select allOpen in new window

(I hope I did not add too many typos, didn't try entering the above in an actual router  ;) )

Hi Garry-G,

Thank you so much for your post.
I will try the given configuration tomorrow. In the meanwhile I would like to ask you about the ip route.
Since my DHCP config is for machines to have 192.168.1.254 as a default gateway, ip route should be below?

ip route 192.168.1.254 255.255.255.0 114.22.169.82

Not quite ...

ip route 0.0.0.0 0.0.0.0 114.22.169.81

Select allOpen in new window

The route is defined with the destination (0.0.0.0 with 0 netmask is the default route), and the gateway, which is your upstream router, thus .81 and not your own IP.

Hi Gerry-G,

Ahh thank you so much. With your kind explanation I now understand a little about the default route.
I will configure this tomorrow remotely (the router is currently connected to my desktop through console) and the will try the physical setup on-site.

Thank you again.

I meant Garry-G, sorry!

Hi Garry-G,

I placed the C891 router - DHCP and internet connection for both wired and wireless machines work great so thank you so much!
One thing not working is the Video Conferencing system (Polycom) connection. I cannot ping or trace an external Polycom test IP.
The current config is as follows, do you see what seems to be missing or incorrect? I have modified the ACL names a little;-.


version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c891
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$CvAQ$oACJ9G8q3zwmUzv45n1o91
enable password 7 121A25193C5B185C222A362D72
!
no aaa new-model
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.161 192.168.1.254
!
ip dhcp pool guest
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 61.112.122.97 61.112.122.1
 lease 7
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FJ-K9 sn FGL1926243F
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 1000
 no ip address
!
interface GigabitEthernet8
 ip address 114.22.169.82 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan1000
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no autostate
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat pool VC_OUTSIDE 114.22.169.83 114.22.169.83 netmask 255.255.255.0
ip nat inside source list LAN interface GigabitEthernet8 overload
ip nat inside source list VC pool VC_OUTSIDE overload
ip route 0.0.0.0 0.0.0.0 114.22.169.81
!
ip access-list standard LAN
 deny   192.168.1.250
 permit 192.168.1.0 0.0.0.255
ip access-list standard PolycomVC
 permit 192.168.1.250
!
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class 23 in
 password 7 08226C40274911401A0A1E016B
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

Hi Garry-G,

Thank you so much for your prompt reply!
I've modified that line and everything started working as wished. Allow me to run the router for whole day tomorrow before closing this question. Again, thank you very much!!!!

Do you own 114.22.169.82 255.255.255.248 range?
If so.. you NAT configuration is not good.
You basically use just 2 IP address from whole range .82 & .83 and .84 - .86 will never be used.

That is correct - anyway, unless there are specific servers that need their "own" IPs, or unless there are hundreds of concurrent users, using a single IP for the general Internet access should not cause any problems. I would rather be concerned by the fact that according to the author this is a 1G line ... and a 890 series router will most likely NOT be able to fully forward that amount of traffic ... it is officially rated for about 50Mbps in total, and that is based on CEF and without additional features like VPN etc. ...

See this Document for rates: https://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf (somewhat aged, but 890 is already contained)

using a single IP for the general Internet access should not cause any problems.

Except in the case that there are too many sessions - then there will no be possibility to switch to another address and continue "business as usual".
;)
890 series can take around 120 - 150Mb of traffic on WAN - interface itself is 1Gb. If you check Cisco testing it will show much smaller number 50Mb, but with small data packets (64bytes).

Check question for comparation.
In real world router have throughput of 60Mb in Cisco testing 15.36Mb, but sure it will slow down as configuration gets complex.

For a somewhat more detailed performance comparison, see this document ... http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf ... not too much newer, but a lot more detailed with different scenarios.  So, in theory, based on the pps values, the router SHOULD deliver up to a total of 1400 Mbps (/2 for duplex), though even with just the NAT/PAT features used (which is the case here), it drops down to the 75Mbps range ...

The "too many sessions" is why I mentioned the number of users ... based on this CPE device, I would not expect the author to be using it in a large enterprise environment, but rather small to medium commercial area ... having 65k sessions active at the same time would probably be unusual, but if any problems would occur, one could always define a new pool with multiple IPs, similar to the Voice gateway, to allow for multiple external IPs to be used.

Thank you so much and my apologies for my reply being late as I had to wait and see a few days to confirm things are working well - and it is working well. I only have a less than 80 users and this line is as you can see for the guests and users' personal devices. So the actual number of users should be around 40 or so.

Thank you again for your great support Garry-G, and next time when I need to configure the router I will keep in mind for what Jovic advised.