Friday, November 5, 2010

Cisco 881W (Wireless Router) FULL Configurations

By: Boaz Minitzer
Tag: Cisco IOS

This took me several hours of research and trial and error to get working, but with these two configurations (one for the main router and one for the integrated Access Point, AP), you can cut and paste them into your router and they will work just fine (save for the caveat all the way below).

What these will give you is the following:
  • Two SSIDs, one guest and one that connects to the main LAN
  • A site-to-site VPN with a Cisco ASA device (5540, if you must know!), which I will publish a configuration for at a later date.
  • A configured SSLVPN gateway on the 881W (you get a 90-day trial, which is activated as soon as you enter "webvpn"... then you have to buy a license)
  • A static route to a provider, in this case Time Warner
  • A few sample DHCP reservations for some nodes
Feel free to ask any questions!

First, let's put in the router configuration:

The usual: SSH to the box and get to privileged mode with enable:

----------------Main 881W Configuration-----------------
!
! Last configuration change at 10:05:24 PDT Thu Nov 3 2011 by boaz
! NVRAM config last updated at 10:05:34 PDT Thu Nov 3 2011 by boaz
!
version 15.0
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
service sequence-numbers
!
hostname GW01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging buffered 51200
enable password 7 <password-removed>
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login webvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint local
 enrollment selfsigned
 revocation-check crl
 rsakeypair 777network_ssl_key 1024 1024
!
!
crypto pki certificate chain local
 certificate self-signed 0B
  3082022B 30820194 A0030201 0202010B 300D0609 2A864886 F70D0101 04050030
  22312030 1E06092A 864886F7 0D010902 16114757 30312E73 706F7468 6F6D652E
  636F6D30 1E170D31 31313032 35323034 3431345A 170D3230 30313031 30303030
  30305A30 22312030 1E06092A 864886F7 0D010902 16114757 30312E73 706F7468
  6F6D652E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
  02818100 9BF230A3 E931D354 879B6552 12696C4E 403DC9A0 BED040B2 2C6A79C5
  E808542F 7FC25E15 FD634FC6 233858D8 F66EB9A6 9EE3B4EB 988F2005 5E3F7DE9
  185F6630 0D623809 576431EC B33D4DCA 48F68116 22B94299 03E4B2A4 EA7F486A
  DBEB11C5 BD7C0F9F 2D766D8B 86FA392C C2219E95 8B112F9D ADD94410 4F82B990
  EDA963A3 02030100 01A37130 6F300F06 03551D13 0101FF04 05300301 01FF301C
  0603551D 11041530 13821147 5730312E 73706F74 686F6D65 2E636F6D 301F0603
  551D2304 18301680 14B3733F 97620715 E43936B7 2FF8392E F64D78A8 63301D06
  03551D0E 04160414 B3733F97 620715E4 3936B72F F8392EF6 4D78A863 300D0609
  2A864886 F70D0101 04050003 81810084 3730FC57 E22E00F7 C90E591E E2562A1C
  9E079E2B BAFDC51A 43F61F71 56724634 324DE652 2CF09F81 4030DFE0 A43BAABB
  44C389FF DDD6FC1B 437618CE A964AA5A 3F1E8FA5 22CAED0A 0C49366F E2C4B3C9
  C67804C7 CEEAA04C C9DF38A0 740B2893 65A5AAB7 DA17DD7B B4B59808 121FFB69
  589EDA03 D7E77F79 EF0837D4 78578A
      quit
ip source-route
!
!
ip dhcp excluded-address 192.168.230.1 192.168.230.99
ip dhcp excluded-address 192.168.230.201 192.168.230.254
ip dhcp excluded-address 192.168.231.1 192.168.231.50
ip dhcp excluded-address 192.168.231.60 192.168.231.254
!
ip dhcp pool sdm-pool1
   network 192.168.230.0 255.255.255.0
   domain-name domain.com
   option 66 ascii "192.168.230.9"
   option 160 ascii "192.168.230.9"
   default-router 192.168.230.1
   dns-server 192.168.230.20
   lease 0 2
!
ip dhcp pool Domain-Reservation-1-Printer
   host 192.168.230.202 255.255.255.0
   client-identifier 0100.8077.f359.83
   client-name Brother-MFC-9840CDW
   default-router 192.168.230.1
   dns-server 4.2.2.2
   lease 7
!
ip dhcp pool VLAN-GUEST
   network 192.168.231.0 255.255.255.0
   default-router 192.168.231.1
   domain-name domain.com
   dns-server 4.2.2.2 8.8.8.8
   lease 0 12
!
ip dhcp pool Domain-Reservation-2-cube1
   host 192.168.230.65 255.255.255.0
   client-identifier 0100.065b.b4bd.eb
   client-name Telemarkter-PC-cubicle-01
   default-router 192.168.230.1
   dns-server 192.168.250.1
   lease 0 2
!
ip dhcp pool Domain-Reservation-3-cube2
   host 192.168.230.66 255.255.255.0
   client-identifier 0100.0f1f.8c1f.30
   client-name Telemarkter-PC-cubicle-02
   default-router 192.168.230.1
   dns-server 192.168.250.1
   lease 0 2
!
!
ip cef
ip domain name domain.com
ip name-server 192.168.230.20
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX1534811A
!
!
archive
 log config
  logging enable
  hidekeys
object-group network GUEST-WLAN
 description Guest VLAN (ssid SpotGuest)
 192.168.231.0 255.255.255.0
!
object-group network Domain-LAN
 description Local Lan for DomainHome
 192.168.230.0 255.255.255.0
!
username admin privilege 15 password 7 <password-removed>
username boaz privilege 15 password 7 <password-removed>
username jaymie privilege 0 password 7 <password-removed>
username afe privilege 0 password 7 <password-removed>
username david privilege 0 password 7 <password-removed>
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key branch2vpnkey address 64.74.10.10
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set SpotEquinixSET esp-3des esp-sha-hmac
!
crypto map EquinixTunnel 9 ipsec-isakmp
 description Tunnel from Wilshire to Equinix
 set peer 64.74.10.10
 set transform-set SpotEquinixSET
 match address 150
 reverse-route static
!
!
!
!
!
interface Loopback2
 description interface for SSL_VPN
 ip address 192.168.232.1 255.255.255.0
!
interface FastEthernet0
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 20
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet4
 ip address 173.196.143.178 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map EquinixTunnel
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 1.1.1.1 255.255.255.252
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
interface Vlan1
 description Vlan for the Wireless AP
 ip address 192.168.230.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan20
 description Guest Wireless Network (DomainGuest)
 ip address 192.168.231.1 255.255.255.0
 ip access-group Guest-ACL in
 ip nat inside
 ip virtual-reassembly
!
ip local pool webvpn1 192.168.232.5 192.168.232.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT-RMap interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.196.143.177
!
ip access-list standard LocalRoute-Acl
 permit 192.168.230.0 0.0.0.255
!
ip access-list extended Guest-ACL
 deny   ip any 192.168.230.0 0.0.0.255
 permit ip any any
ip access-list extended Inside-Out-Acl
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit ip host 192.168.230.111 any
 permit ip 192.168.230.64 0.0.0.31 host 173.196.143.180
 permit ip 192.168.230.0 0.0.0.63 any
 permit ip 192.168.230.128 0.0.0.127 any
ip access-list extended TerminalAccess
 permit tcp any any eq 22 log
 permit tcp host 192.168.230.111 any eq telnet log
 deny   tcp any any log
ip access-list extended test
ip access-list extended webvpn-acl
 permit icmp any any
 permit tcp 192.168.232.0 0.0.0.255 any eq 3389 log
 permit tcp 192.168.232.0 0.0.0.255 any eq domain
 permit udp 192.168.232.0 0.0.0.255 any eq domain
 deny   ip any host 192.168.230.9 log
 permit tcp 192.168.232.0 0.0.0.255 any eq www
 deny   ip any any log
!
logging trap debugging
access-list 110 deny   ip 192.168.230.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.230.0 0.0.0.255 any
access-list 110 permit ip 192.168.231.0 0.0.0.255 any
access-list 150 permit ip 192.168.230.0 0.0.0.255 10.0.10.0 0.0.0.255
no cdp run

!
!
!
!
route-map LocalRoute-RMap permit 9
 match ip address LocalRoute-Acl
!
route-map NAT-RMap permit 9
 match ip address 110
!
snmp-server community SNMPRW
snmp-server community SNMPRO
snmp-server location CiscoHouse
snmp-server contact Cisco
!
control-plane
!
privilege exec level 0 ping
banner login C



                                *** WARNING ***



                You have reached an Official Corporate Computer System.

                Unauthorized access is prohibited by Public Law 99-474.

                          The Computer Fraud and Abuse Act of 1986.

              ***********************************************************

                                FOR ACCESS TO THIS SYSTEM

                                        CONTACT

                              THE SYSTEMS INTEGRATION GROUP

              ***********************************************************

                  **** FOR OFFICIAL CORPORATE BUSINESS ONLY ****

                           T H E  G R O U P

               ** Unauthorized use is Prohibited and Punishible by Law **


              ***********************************************************




banner motd C


              ***********************************************************

                                GW01.domain.com

                    contact Boaz at DataStability.com for any Questions

              ***********************************************************


!
line con 0
 privilege level 15
 logging synchronous
 login authentication local_auth
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class TerminalAccess in
 exec-timeout 30 0
 privilege level 0
 logging synchronous
 login authentication local_auth
 transport preferred ssh
 transport input all
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
!
webvpn gateway 777network
 hostname gw01
 ip address 173.196.143.178 port 443 
 http-redirect port 80
 ssl trustpoint local
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
 !
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.4.1012-k9.pkg sequence 2
 !
webvpn install svc flash:/webvpn/anyconnect-linux-2.4.1012-k9.pkg sequence 3
 !
webvpn context 777network
 title "777network Secure Gateway"
 ssl authenticate verify all
 !
 url-list "InternalWebServers"
   heading "Email Servers"
   url-text "Outlook Web Access" url-value "http://exchange.domain.com"
 !
 nbns-list "NBNSServers"
   nbns-server 192.168.230.20
 login-message "Enter your credentials"
 !
 policy group 777networkpolicy
   url-list "InternalWebServers"
   nbns-list "NBNSServers"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-enabled
   banner "Welcome to 777 Network, Authentication Successful"
   filter tunnel webvpn-acl
   svc address-pool "webvpn1"
   svc default-domain "domain.com"
   svc keep-client-installed
   svc homepage "http://exchange.domain.com"
   svc rekey method new-tunnel
   svc split include 192.168.230.0 255.255.255.0
   svc dns-server primary 192.168.230.20
 default-group-policy 777networkpolicy
 aaa authentication list webvpn
 gateway 777network
 inservice
!
end
----------------end main 881W Configuration-----------------
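The two extended ACLs above do the segmentation work in this configuration: Guest-ACL on Vlan20 keeps guest clients off the main LAN, and webvpn-acl (applied with "filter tunnel" in the SSL VPN policy group) limits what AnyConnect clients from pool webvpn1 can reach. The script below is an added example, not part of the original post: it parses the ACL text as it appears in the configuration and evaluates constructed sample flows against it using IOS semantics (first match wins, wildcard-mask 0 bits must match, implicit deny at the end). Only protocol, addresses and destination port are modelled, which is all these ACLs use.

```python
"""Evaluate the post's extended ACLs against sample flows (added example).

ACL_TEXT is copied from the 881W router configuration in this post; the
sample flows are constructed. Matching follows the IOS rules needed for
these ACLs: first matching entry wins, a wildcard mask's 0 bits must match,
and an unmatched packet hits the implicit deny. Only protocol, source,
destination and destination port are modelled.
"""
import ipaddress

ACL_TEXT = """\
ip access-list extended Guest-ACL
 deny   ip any 192.168.230.0 0.0.0.255
 permit ip any any
ip access-list extended webvpn-acl
 permit icmp any any
 permit tcp 192.168.232.0 0.0.0.255 any eq 3389 log
 permit tcp 192.168.232.0 0.0.0.255 any eq domain
 permit udp 192.168.232.0 0.0.0.255 any eq domain
 deny   ip any host 192.168.230.9 log
 permit tcp 192.168.232.0 0.0.0.255 any eq www
 deny   ip any any log
"""

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23, "ssh": 22}


def _addr(tokens):
    """Consume one IOS address spec; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq <port>' operator; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acls(text):
    """Parse 'ip access-list extended' blocks into {name: [entry, ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            acls[current] = []
            continue
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _addr(rest)
        _port(rest)            # source port operator (unused by these ACLs)
        dst = _addr(rest)
        dport = _port(rest)
        acls[current].append({"action": action, "proto": proto, "src": src,
                              "dst": dst, "dport": dport, "log": "log" in rest})
    return acls


def _match(spec, ip):
    """Wildcard-mask comparison: bits where the mask is 0 must be equal."""
    addr, wild = spec
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & keep) == (addr & keep)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of matching entry); implicit deny is ('deny', None)."""
    for i, e in enumerate(acl):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_match(e["src"], src) and _match(e["dst"], dst)):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    # Constructed flows: a guest VLAN client and an SSL VPN client from pool webvpn1.
    flows = [
        ("Guest-ACL", "tcp", "192.168.231.50", "192.168.230.20", 53),
        ("Guest-ACL", "tcp", "192.168.231.50", "8.8.8.8", 53),
        ("webvpn-acl", "tcp", "192.168.232.5", "192.168.230.20", 3389),
        ("webvpn-acl", "tcp", "192.168.232.5", "192.168.230.9", 3389),
        ("webvpn-acl", "tcp", "192.168.232.5", "192.168.230.9", 445),
    ]
    for name, proto, src, dst, port in flows:
        print(name, proto, src, "->", f"{dst}:{port}", evaluate(ACLS[name], proto, src, dst, port))
```

Running the sample flows shows the guest-to-LAN block working as intended, and also one ordering effect worth checking: in webvpn-acl the "permit tcp ... eq 3389" entry sits before "deny ip any host 192.168.230.9", so RDP from the VPN pool to 192.168.230.9 is still permitted (only other ports to that host are denied). If that host is meant to be fully off-limits to VPN users, the deny entry has to come first.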


And now we need to get to the AP, which you can do either by telnetting to the IP/port (more on that in another post) or by doing:

881W#service-module wlan-ap 0 session
Trying 1.1.1.1, 2002 ... Open
c



Now you can put in the configuration below:

----------------AP for 881W Configuration-----------------

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 password1234-removed
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid SpotGuest
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 password1234-removed
!
dot11 ssid 777network
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 0 password1234-removed
!
dot11 network-map
!
!
username admin privilege 15 secret 5 password1234-removed
username boaz privilege 15 password 7 password1234-removed
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 ssid SpotGuest
 !
 ssid 777network
 !
 antenna gain 0
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m8. m9. m10. m11. m12. m13. m14. m15.
 channel width 40-above
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 ip address 192.168.230.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.230.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
ip access-list extended Guest-ACL
 permit icmp any any
 deny   ip any 192.168.230.0 0.0.0.255
 permit ip any any
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
 privilege level 15
 login local
 no activation-character
line vty 0 4
 login local
!
cns dhcp
end
----------------End AP for 881W Configuration-----------------


Caveat: since this article doesn't cover the certificates you need to create for both the SSLVPN and the site-to-site VPN, you will get some errors. You first need to create these certificates (self-signed) or buy them from a CA like VeriSign.
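Before pasting a configuration like the main router one above into a production box, it is worth running it through a quick hardening check. The script below is an added example, not part of the original post: it scans a constructed excerpt of lines taken from the 881W configuration and flags the settings that standard IOS hardening guidance calls out (type 7 passwords, telnet accepted on the VTY lines, SNMP communities with no access list, cleartext HTTP management, 3DES in the ISAKMP policy, a 1024-bit RSA key, and UDP small servers). The rule set is illustrative and not exhaustive.

```python
"""Audit a Cisco IOS running-config for weak management settings (added example).

CONFIG is a constructed excerpt of lines that appear in this post's 881W
configuration (the <password-removed> placeholders are the post's own).
The rules encode widely documented IOS hardening guidance; section
tracking uses the IOS convention that an unindented line starts a new
configuration section.
"""
import re

CONFIG = """\
service password-encryption
service udp-small-servers
enable password 7 <password-removed>
username admin privilege 15 password 7 <password-removed>
ip http server
ip http secure-server
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
crypto pki trustpoint local
 rsakeypair 777network_ssl_key 1024 1024
snmp-server community SNMPRW
snmp-server community SNMPRO
line vty 0 4
 access-class TerminalAccess in
 transport preferred ssh
 transport input all
"""

# (rule id, regex applied to each stripped config line, finding text)
LINE_RULES = [
    ("type7-password", re.compile(r"\bpassword 7\b"),
     "type 7 passwords are reversibly obfuscated; use 'secret' instead"),
    ("udp-small-servers", re.compile(r"^service udp-small-servers$"),
     "UDP echo/discard/chargen servers are enabled; disable unless needed"),
    ("http-cleartext", re.compile(r"^ip http server$"),
     "cleartext HTTP management is enabled; keep only 'ip http secure-server'"),
    ("isakmp-3des", re.compile(r"^encr 3des$"),
     "ISAKMP policy uses 3DES; prefer AES"),
    ("snmp-no-acl", re.compile(r"^snmp-server community \S+(\s+(RO|RW))?$"),
     "SNMP community has no access list bound; restrict it or use SNMPv3"),
]
RSA_RULE = re.compile(r"^rsakeypair \S+ (\d+)")


def audit(config_text):
    """Return a list of (rule id, line number, line, message) findings."""
    findings = []
    section = ""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if raw and not raw[0].isspace():
            section = raw.strip()          # unindented line opens a section
        line = raw.strip()
        for rule_id, pattern, message in LINE_RULES:
            if pattern.search(line):
                findings.append((rule_id, lineno, line, message))
        m = RSA_RULE.match(line)
        if m and int(m.group(1)) < 2048:
            findings.append(("short-rsa-key", lineno, line,
                             f"{m.group(1)}-bit RSA key; use 2048 bits or more"))
        # Context-dependent rule: 'transport input all' only matters on VTY lines.
        if section.startswith("line vty") and line == "transport input all":
            findings.append(("vty-telnet", lineno, line,
                             "VTY accepts telnet; 'transport input ssh' limits it to SSH"))
    return findings


if __name__ == "__main__":
    for rule_id, lineno, line, message in audit(CONFIG):
        print(f"line {lineno:3d} [{rule_id}] {line!r}: {message}")
```

The section tracking matters because "transport input all" is harmless under "line 2" (the AP service-module line) but means telnet is accepted on the VTY lines, even though "transport preferred ssh" is set; only "transport input ssh" actually closes the telnet path.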