Andy Booker

Unable to Browse Internet Cisco 1841

I have a Cisco router which I am trying to set up. I have set up the LAN side as and WAN side is from NTL Business and is assigned by static DHCP server.
I can browse to the router and configure the SDM with no problems, and can ping bbc.co.uk from the router, but I am unable to browse the internet. I have included the router config so you can have a look and see what stupid mistake I have made.

On a slightly different note, but something I may as well set up at the same time, I am also looking to change the network setup and want to use and have servers and switches and router on this network and have workstations on  Any insight on this would also be helpful. Thanks Andy

Last Comment
Andy Booker

8/22/2022 - Mon

Firstly, your static routing needs to be changed; as it stands you're routing all traffic destined to your internal network out the external interface.

enter the following:

ip route fa0/0 perm
no ip route fa0/0 perm

That takes care of the routing. As your LAN interface is directly off the router, you don't need to add a route to it, as it should show up in the routing table as connected. Check via a "sh ip route".

Secondly, your external access control list 101 won't allow return HTTP/HTTPS traffic.

To fix this you need to remove the access list then reapply it with the following 2 lines before the final deny ip any any log:

to remove and re-apply the access-list:

no access-list 101

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip any
access-list 101 deny   ip host any
access-list 101 permit tcp any eq 80 established
access-list 101 permit tcp any eq 443 established
access-list 101 deny   ip any any log

Actually, the IOS Firewall should take care of the return traffic, so the access-list modification isn't necessary. Also, the default route should be added via DHCP (hence being able to connect to the Internet from the router itself), so the default route addition shouldn't be necessary either.

Here is the problem though, routing isn't enabled on the router.  Do this:

conf t
ip routing
Andy Booker

Hi JFrederick29,

Tried your solution first as it was less typing than the other one. Spot on, worked straight away, thanks very much. Any thoughts on my second part of the question?

Glad to hear.

For the second part, you mean servers/switches on (not, right)? as this overlaps with the proposed workstation subnet

Is the router the LAN default gateway? Or do you have a layer3 switch acting as the LAN clients' default gateway? If no layer3 switch, how about a layer2/VLAN/trunk capable switch (Cisco 2950, 2960)? Without either, you can use secondary addressing on the router, but it really doesn't buy you much as there is no layer2 separation. If you want to use ACLs to restrict traffic between subnets, unless you have separate VLANs, nothing stops a client from changing their IP to the server subnet to bypass the access-list. There is also no broadcast suppression when not separating via VLANs. If you have a layer2/trunk/VLAN capable switch, you can set up a trunk to the router LAN interface and route between subnets but also keep traffic separate. Or, if you have a layer3 switch, even better: do the routing between VLANs on the switch and then forward default traffic to the router.

Really depends on what you are trying to do and what equipment you have.
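
The trunk-to-router option described in the answer above, sketched as an added example that is not part of the original thread or anyone's actual config. The LAN port name (FastEthernet0/1), VLAN IDs 10 and 20, the 10.10.10.0/24 and 10.10.20.0/24 subnets, the permitted server ports and the ACL name are all constructed assumptions. Because each VLAN arrives on its own subinterface, a workstation that re-addresses itself into the server range still enters on the workstation subinterface and is dropped by the source check.

```cisco
! Added example: all names, VLAN IDs and addresses below are constructed.
! Physical LAN port carries the 802.1Q trunk from the switch; no IP here.
interface FastEthernet0/1
 description Trunk to VLAN-capable switch (assumed LAN port)
 no ip address
 no shutdown
!
! Servers / switches / access points
interface FastEthernet0/1.10
 description Servers VLAN 10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
! Workstations / laptops: filtered as traffic enters the router
interface FastEthernet0/1.20
 description Workstations VLAN 20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
!
ip access-list extended WORKSTATIONS-IN
 remark DHCP discover/request arrives before the client has an address
 permit udp any eq bootpc any eq bootps
 remark Replies to sessions the servers opened toward workstations
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 remark Only these server services are reachable from workstations
 permit udp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq domain
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 445
 remark Anything else aimed at the server subnet is dropped and logged
 deny   ip any 10.10.10.0 0.0.0.255 log
 remark Internet-bound traffic is allowed, but only from a workstation source
 permit ip 10.10.20.0 0.0.0.255 any
 remark Catches hosts on VLAN 20 using a source outside 10.10.20.0/24
 deny   ip any any log
```

The switch port facing the router must be an 802.1Q trunk carrying both VLANs, and the server and workstation ports must be access ports in VLAN 10 and VLAN 20 respectively.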
Andy Booker

Servers / Access Points / Switches I did want to put on - 254 and the workstations and laptops on - 254  The Router is the LAN default gateway yes, the switches I am using are Netgear GSM712F and FMS726S. The 712 has the three servers attached via Fiber and two of the ports uplink to the 726 via fiber, all the workstations connected to the 726. I don't want to restrict traffic from the workstations or the server to the internet. Really just want servers on one set of addresses and workstations on another to give me a total of 512 addresses. Hope this makes sense, any questions about the above let me know. I don't mind what subnet I use really. Thanks Andy

Well, it is all one subnet so this is very simple.  Just change the router LAN interface to and change all the LAN devices to that subnet.
Andy Booker

Ok, so that takes care of the single network of - 254 for the switches, router and server, so what about the workstations on - 254? Wouldn't I need to change something on the router to see that network as well, or am I totally missing the point here? Thanks Andy

Andy Booker

Hi there JFrederick29, thanks for all your advice and help with this one.  I have my LAN running - 254 for server / switches / printers and access point and all the workstations on - 254.  Going to use the 10.1.50 for VPN connections.  My router is working fine too.  Thanks Again for all your help.  Andy