Exsol.pk

I'll guide you through the essential router configuration for WAN to LAN communication, covering a typical setup where your router connects to an ISP (WAN) and provides internet to your internal network (LAN).

Basic Topology

```
Internet (WAN) ↔ Router WAN Interface ↔ Router LAN Interface ↔ Internal Network
```

Core Configuration Steps

1. Configure WAN Interface (External/Facing Internet)

```cisco
! For Static IP from ISP
interface GigabitEthernet0/0
description WAN-Connection-to-ISP
ip address 203.0.113.10 255.255.255.248 ! ISP-provided static IP
ip nat outside
duplex auto
speed auto
no shutdown
```

```cisco
! For DHCP from ISP (Most common for home/small business)
interface GigabitEthernet0/0
description WAN-Connection-to-ISP
ip address dhcp ! Gets IP automatically from ISP
ip nat outside
duplex auto
speed auto
no shutdown
```

```cisco
! For PPPoE (Common for DSL connections)
interface Dialer1
description PPPoE-to-ISP
ip address negotiated
encapsulation ppp
dialer pool 1
ppp chap hostname your_username@isp
ppp chap password your_password
ip nat outside

interface GigabitEthernet0/0
description Physical-WAN-Interface
pppoe enable group global
pppoe-client dial-pool-number 1
no shutdown
```

2. Configure LAN Interface(s) (Internal Network)

```cisco
! Main LAN interface
interface GigabitEthernet0/1
description LAN-Internal-Network
ip address 192.168.1.1 255.255.255.0 ! Router's LAN IP
ip nat inside
duplex auto
speed auto
no shutdown

! Additional LAN interfaces (if needed)
interface GigabitEthernet0/2
description LAN-For-Servers
ip address 192.168.2.1 255.255.255.0
ip nat inside
no shutdown
```

3. Configure NAT (Network Address Translation)

Without this, your LAN devices CANNOT reach the internet!

```cisco
! Define which internal networks get NAT
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

! Apply NAT (PAT/Overload) - Most common
ip nat inside source list 1 interface GigabitEthernet0/0 overload

! Alternative: Static NAT for a server (port forwarding)
ip nat inside source static tcp 192.168.1.100 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.1.100 443 interface GigabitEthernet0/0 443
```

4. Configure Default Route (To Internet)

```cisco
! Static route (if ISP gave you gateway IP)
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! OR if using DHCP/PPPoE, the default route is usually learned automatically
! But you can add a static one as backup
```

5. Configure DHCP Server (Optional but Recommended)

```cisco
! Exclude router's IP and some static addresses
ip dhcp excluded-address 192.168.1.1 192.168.1.50

! Create DHCP pool for LAN
ip dhcp pool LAN_POOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 ! Google DNS, or use ISP's
domain-name yourcompany.local
lease 1 ! Lease time in days
```

6. Enable IP Routing & Basic Security

```cisco
! Enable IP routing (usually on by default)
ip routing

! Basic ACL to prevent spoofing
ip access-list extended BLOCK-SPOOF
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit ip any any

! Apply to WAN interface inbound
interface GigabitEthernet0/0
ip access-group BLOCK-SPOOF in
```

Complete Basic Configuration Example

```cisco
! Basic Router WAN-to-LAN Configuration
hostname R1
enable secret your_enable_password
service password-encryption

! WAN Interface (DHCP from ISP)
interface GigabitEthernet0/0
description ISP-Connection
ip address dhcp
ip nat outside
ip access-group BLOCK-SPOOF in
no shutdown

! LAN Interface
interface GigabitEthernet0/1
description Internal-LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shutdown

! NAT Configuration
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255

! Default Route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

! DHCP
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN_DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 1.1.1.1

! Security ACL
ip access-list extended BLOCK-SPOOF
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit ip any any

! Console and SSH access
line console 0
password console_password
login
line vty 0 4
password ssh_password
transport input ssh
login
```

Verification Commands

```cisco
! Check interfaces
show ip interface brief
show interfaces gigabitEthernet0/0
show interfaces gigabitEthernet0/1

! Check NAT translations
show ip nat translations
show ip nat statistics

! Check routing table
show ip route

! Check DHCP leases
show ip dhcp binding

! Test connectivity
ping 8.8.8.8 source gigabitEthernet0/0 ! Test WAN connectivity
ping 192.168.1.10 ! Test LAN connectivity

! Debug if needed
debug ip nat
debug ip packet
```

Troubleshooting Common Issues

1. LAN devices can't reach internet
· Check NAT configuration: show ip nat translations
· Verify default route: show ip route
· Check ACLs: show access-lists
2. No WAN IP address
· Check physical connection
· Verify DHCP client: show dhcp lease
· Check ISP credentials (for PPPoE)
3. One-way communication
· Check firewall/ACL on both interfaces
· Verify NAT is configured on correct interfaces
4. Slow performance
· Check interface errors: show interfaces
· Verify MTU settings (especially for PPPoE/VPN)

Advanced Considerations

· MTU Issues: For PPPoE, reduce MTU to 1492: ip mtu 1492
· IPv6: If dual-stack, configure IPv6 addressing and ND
· QoS: For VoIP or video, implement Quality of Service
· VPN: Add site-to-site or remote access VPN configuration
· Dynamic DNS: Useful if WAN IP changes frequently

Would you like me to elaborate on any specific part, such as PPPoE configuration, site-to-site VPN, or advanced security configurations?

203.0.113.10