root@0x5ha157:~/blog$ cat 1841_c0r3_n3tw0rk.md

Building the Core: Cisco 1841 Complete WAN/LAN Overhaul

Topic: Infrastructure As Code | Author: 0x5ha157 | Status: Deployed

This entry documents the complete teardown and rebuild of the edge gateway using a classic Cisco 1841. The configuration disables the web GUI entirely, carves out a tightly scoped internal subnet, and connects it to the ISP through NAT over a PPPoE session running on a tagged VLAN.

1. Global Parameters & Hardening

First, we establish the baseline. We disable the HTTP and HTTPS management servers to shrink the attack surface, point NTP at the Indian pool servers so log timestamps are accurate, set Quad9 as the DNS resolver, and define the local domain name.

enable
configure terminal

! Kill Web UI
no ip http server
no ip http secure-server

! Set Domain & Passwords
hostname EdgeRouter
! The domain name must exist before the RSA key in section 2 can be generated
ip domain-name 0x5ha157.local
enable secret [YOUR_SECRET]

! Global DNS & Time
ip name-server 9.9.9.9
! The NTP hostname is resolved through the name-server above, so keep this ordering
ntp server in.pool.ntp.org

2. Secure Access (SSH via Port 22280)

Default ports get scanned constantly. We are moving SSH to port 22280 and restricting access strictly to RSA public keys (password auth disabled).

! Generate 2048-bit RSA key (needs the hostname and ip domain-name from section 1;
! you are only prompted if an existing key has to be replaced)
crypto key generate rsa modulus 2048

! SSH Configuration
ip ssh version 2
! Rotary group 1 maps the non-default port onto the VTY lines bound below
ip ssh port 22280 rotary 1

! Bind to VTY lines
line vty 0 4
 login local
 transport input ssh
 rotary 1
 exit

! Inject Ubuntu Public Key
! login local checks the local user database; no username/password is defined here,
! so do not add one later with a password or SSH password logins become possible again
ip ssh pubkey-chain
 username admin
  key-string
   ! Paste your id_rsa.pub string here (split into 200 char lines);
   ! IOS hashes the key when you leave key-string mode
   exit
  exit

3. The External Link (WAN, VLAN 262 & PPPoE)

The ISP expects a specific MAC address and tags WAN traffic on VLAN 262. We spoof the MAC on the physical interface, create the `.262` subinterface, and build a Dialer to negotiate the PPP session.

! Physical Interface & MAC Spoof
interface FastEthernet0/0
 description Physical WAN Link
 mac-address 74fe.ce94.1532
 no ip address
 no shutdown
 exit

! VLAN 262 Subinterface
interface FastEthernet0/0.262
 description WAN PPPoE Link
 encapsulation dot1Q 262
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no ip address
 no shutdown
 exit

! Dialer Interface (The logical WAN IP)
interface Dialer1
 description PPPoE Connection to ISP
 ! 1492 = 1500 minus the 8-byte PPPoE header
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [ISP_USERNAME]
 ppp chap password [ISP_PASSWORD]
 ppp pap sent-username [ISP_USERNAME] password [ISP_PASSWORD]
 ! 1452 = 1492 minus 40 bytes of IP + TCP headers, so full-size segments are never fragmented
 ip tcp adjust-mss 1452
 no shutdown
 exit

! dialer-group 1 above refers to this list, which defines the interesting traffic
dialer-list 1 protocol ip permit

! Default Route to the Internet
ip route 0.0.0.0 0.0.0.0 Dialer1

4. Internal Network (LAN & DHCP)

The internal network uses a strictly scoped /27 subnet (30 usable addresses). The router takes .1 as the gateway and hands out the rest of the block via DHCP.

! LAN Interface setup
interface FastEthernet0/1
 description Internal LAN
 ip address 10.24.103.1 255.255.255.224
 ip nat inside
 no shutdown
 exit

! DHCP Configuration
! Keep the gateway address out of the pool
ip dhcp excluded-address 10.24.103.1

ip dhcp pool LAN_POOL
 network 10.24.103.0 255.255.255.224
 default-router 10.24.103.1
 ! 10.24.103.1 only answers DNS if the router's resolver is enabled with ip dns server
 dns-server 9.9.9.9 10.24.103.1
 domain-name 0x5ha157.local
 ! Lease length in days
 lease 7
 exit

5. Network Address Translation (NAT)

Finally, we connect the internal and external networks with NAT overload. A standard Access Control List (ACL) identifies our local /27 block (using a 0.0.0.31 wildcard mask), and every matching source is translated onto the public IP assigned to Dialer1.

! Define the ACL for our subnet
access-list 1 permit 10.24.103.0 0.0.0.31

! Enable NAT Overload (PAT)
ip nat inside source list 1 interface Dialer1 overload

! Write to memory to persist across reboots
end
write memory
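Added here as a worked check, not part of the original post: a small Python audit that parses a constructed copy of the lines from sections 2, 4 and 5 above and verifies that the hardening and addressing claims actually fit together (HTTP off, SSH v2 on the moved port, the NAT ACL wildcard and the DHCP pool both equal to the LAN interface's /27, the gateway excluded from the pool, and the MSS matching the PPPoE MTU). It relies on Python's ipaddress module accepting an IOS wildcard as a hostmask.

```python
import ipaddress
import re

# Constructed sample: a copy of the config lines from this post that the checks depend on.
SAMPLE_CONFIG = """\
no ip http server
no ip http secure-server
ip ssh version 2
ip ssh port 22280 rotary 1
line vty 0 4
 login local
 transport input ssh
interface Dialer1
 mtu 1492
 ip tcp adjust-mss 1452
interface FastEthernet0/1
 ip address 10.24.103.1 255.255.255.224
 ip nat inside
ip dhcp excluded-address 10.24.103.1
ip dhcp pool LAN_POOL
 network 10.24.103.0 255.255.255.224
 default-router 10.24.103.1
access-list 1 permit 10.24.103.0 0.0.0.31
ip nat inside source list 1 interface Dialer1 overload
"""

def audit(config: str) -> dict:
    # Returns check name -> bool for the claims the post makes about this config
    lines = [line.strip() for line in config.splitlines()]
    def grab(pattern):
        # First match of a multi-line aware regex, as a tuple of its groups
        m = re.search(pattern, config, re.M)
        return m.groups() if m else None
    lan_ip, lan_mask = grab(r"^ ip address (\S+) (\S+)$")
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    # ipaddress reads an IOS wildcard as a hostmask, so 0.0.0.31 becomes /27
    acl_net, acl_wc = grab(r"^access-list 1 permit (\S+) (\S+)$")
    nat_net = ipaddress.ip_network(f"{acl_net}/{acl_wc}")
    pool_net, pool_mask = grab(r"^ network (\S+) (\S+)$")
    pool = ipaddress.ip_network(f"{pool_net}/{pool_mask}")
    mtu, mss = (int(x) for x in grab(r"^ mtu (\d+)\n ip tcp adjust-mss (\d+)$"))
    return {
        "http_disabled": "no ip http server" in lines and "no ip http secure-server" in lines,
        "ssh_v2_on_moved_port": "ip ssh version 2" in lines and "ip ssh port 22280 rotary 1" in lines,
        "vty_ssh_only": "transport input ssh" in lines,
        "nat_acl_matches_lan": nat_net == lan.network,
        "dhcp_pool_matches_lan": pool == lan.network,
        "gateway_excluded_from_dhcp": f"ip dhcp excluded-address {lan.ip}" in lines,
        "mss_fits_pppoe_mtu": mss == mtu - 40,  # 20-byte IP + 20-byte TCP headers
    }
```

Run it against a copy of the running config after `show running-config`; a False entry points at the section whose claim no longer holds.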

6. Post-Deployment Checks