Andy Booker (ASKER)

Unable to Browse Internet Cisco 1841

I have a Cisco router which I am trying to set up. I have set up the LAN side as 172.28.23.0 255.255.255.0, and the WAN side is from NTL Business and is assigned by a static DHCP server.
I can browse to the router and configure it with SDM with no problems, and can ping bbc.co.uk from the router, but I am unable to browse the internet. I have included the router config so you can have a look and see what stupid mistake I have made.

On a slightly different note, but something I may as well set up at the same time, I am also looking to change the network setup and want to use 10.1.48.1-254 255.255.248.0 and have servers, switches and the router on this network, and have workstations on 10.1.49.1-254 255.255.255.0. Any insight on this would also be helpful. Thanks, Andy

Attachment: New-Text-Document--2-.txt

rexxus

Firstly, your static routing needs to be changed; as it stands, you're routing all traffic destined for your internal network out of the external interface.

Enter the following:

ip route 0.0.0.0 0.0.0.0 fa0/0 perm
no ip route 172.28.23.0 255.255.255.0 fa0/0 perm

That takes care of the routing. As your LAN interface is directly off the router, you don't need to add a route to it, as it should show up in the routing table as connected. Check via a "sh ip route".

Secondly, your external access control list 101 won't allow return HTTP/HTTPS traffic.

To fix this you need to remove the access list, then reapply it with the following 2 lines before the final deny ip any any log.

To remove and re-apply the access-list:

no access-list 101

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 172.28.23.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
! return HTTP/HTTPS: TCP from source port 80/443 with ACK/RST set (established); extended ACLs take a wildcard mask, not a subnet mask
access-list 101 permit tcp any eq 80 172.28.23.0 0.0.0.255 established
access-list 101 permit tcp any eq 443 172.28.23.0 0.0.0.255 established
access-list 101 deny   ip any any log

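As an added illustration (not part of rexxus's post and not Cisco's code), here is a small Python evaluator for the extended ACL above. It parses the entries as written, using Cisco wildcard-mask semantics and first-match-wins with the implicit deny at the end, and then tests constructed packets against it: a DHCP offer, an ICMP echo reply, a spoofed packet claiming a LAN source, unsolicited inbound TCP, and the return half of an outbound web connection. The two return-traffic lines are written as "tcp" with a wildcard mask, which is the syntax IOS requires for port matching and "established"; the packet addresses and the port-name table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of access-list 101 from the thread (applied inbound on the WAN side).
# "remark" lines are skipped by the parser, exactly as IOS ignores them when matching.
ACL_TEXT = """
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 deny   ip 172.28.23.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 permit tcp any eq 80 172.28.23.0 0.0.0.255 established
access-list 101 permit tcp any eq 443 172.28.23.0 0.0.0.255 established
access-list 101 deny   ip any any log
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "domain": 53}  # subset, for the example

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set
    icmp_type: str = ""         # e.g. "echo-reply"

@dataclass
class Rule:
    action: str
    proto: str
    src: tuple                  # (network, wildcard mask)
    sport: object               # int or None
    dst: tuple
    dport: object
    flags: list                 # trailing keywords: established, log, ICMP type names

def _wild_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def _parse_addr(tok, i):
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport, tok[i:]))
    return rules

def _matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (_wild_match(p.src, *r.src) and _wild_match(p.dst, *r.dst)):
        return False
    for want, got in ((r.sport, p.sport), (r.dport, p.dport)):
        if want is not None and got != want:
            return False
    if "established" in r.flags and not p.established:
        return False
    icmp_types = [f for f in r.flags if f not in ("established", "log")]
    return not (r.proto == "icmp" and icmp_types and p.icmp_type not in icmp_types)

def evaluate(rules: list, p: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for r in rules:
        if _matches(r, p):
            return r.action
    return "deny"

def check(p: Packet, text: str = ACL_TEXT) -> str:
    return evaluate(parse_acl(text), p)

if __name__ == "__main__":
    # Constructed packets as seen arriving on the WAN interface.
    print(check(Packet("tcp", "203.0.113.10", "172.28.23.5", 80, 51234, established=True)))  # permit
    print(check(Packet("tcp", "172.28.23.9", "172.28.23.5", 80, 4444, established=True)))    # deny (spoofed)
    print(check(Packet("tcp", "203.0.113.10", "172.28.23.5", 44444, 22)))                     # deny
```

One caveat the evaluator cannot show: it matches on the addresses in the packet as given. On the outside interface the inbound ACL is checked before outside-to-inside NAT, so real return traffic is addressed to the router's public WAN address rather than to 172.28.23.x and would not hit these two lines at all; the stateful inspection mentioned in the next reply is what actually opens the return path on an SDM-generated firewall.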
JFrederick29

Actually, the IOS Firewall should take care of the return traffic, so the access-list modification isn't necessary. Also, the default route should be added via DHCP (hence being able to connect to the Internet from the router itself), so the default route addition shouldn't be necessary either.

Here is the problem though: routing isn't enabled on the router. Do this:

conf t
ip routing

Andy Booker (ASKER)

Hi JFrederick29,

Tried your solution first as it was less typing than the other one. Spot on, worked straight away, thanks very much. Any thoughts on the second part of my question?

JFrederick29

Glad to hear.

For the second part, you mean servers/switches on 10.1.48.1-254 255.255.255.0 (not 255.255.248.0), right? As a 255.255.248.0 mask overlaps with the proposed workstation subnet 10.1.49.0/24.

Is the router the LAN default gateway, or do you have a layer 3 switch acting as the LAN clients' default gateway? If no layer 3 switch, how about a layer 2/VLAN/trunk-capable switch (Cisco 2950, 2960)? Without either, you can use secondary addressing on the router, but it really doesn't buy you much as there is no layer 2 separation. If you want to use ACLs to restrict traffic between subnets, unless you have separate VLANs, nothing stops a client from changing their IP to the server subnet to bypass the access-list. There is also no broadcast suppression when not separating via VLANs. If you have a layer 2/trunk/VLAN-capable switch, you can set up a trunk to the router LAN interface and route between subnets while keeping traffic separate. Or, if you have a layer 3 switch, even better: do the routing between VLANs on the switch and then forward default traffic to the router.

Really depends on what you are trying to do and what equipment you have.

Andy Booker (ASKER)

Servers / access points / switches I did want to put on 10.1.48.1 - 254 255.255.248.0, and the workstations and laptops on 10.1.49.1 - 254 255.255.248.0. The router is the LAN default gateway, yes. The switches I am using are Netgear GSM712F and FMS726S. The 712 has the three servers attached via fibre, and two of its ports uplink to the 726 via fibre; all the workstations are connected to the 726. I don't want to restrict traffic from the workstations or the servers to the internet. I really just want servers on one set of addresses and workstations on another, to give me a total of 512 addresses. Hope this makes sense; any questions about the above, let me know. I don't mind what subnet I use really. Thanks, Andy

JFrederick29

Well, it is all one subnet, so this is very simple. Just change the router LAN interface to 10.1.48.1 255.255.248.0 and change all the LAN devices to that subnet.

Andy Booker (ASKER)

OK, so that takes care of the single network of 10.1.48.1 - 254 for the switches, router and servers, so what about the workstations on 10.1.49.1 - 254? Wouldn't I need to change something on the router to see that network as well, or am I totally missing the point here? Thanks, Andy
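To make the "it is all one subnet" point concrete, here is an added Python check (not from the thread, not from any of its posters) using the standard library's ipaddress module. It takes the router LAN interface address with the 255.255.248.0 mask as the gateway and a set of constructed hosts with the addresses the thread proposes, and reports the resulting /21, its broadcast and usable host count, and, for each host, whether it sees the gateway as on-link. The "wrong_mask" host is constructed to show the one failure mode this design has: a device left on a /24 mask sits inside the /21 but will never ARP for 10.1.48.1.

```python
import ipaddress

# Constructed from the thread: router LAN interface 10.1.48.1 255.255.248.0.
GATEWAY = "10.1.48.1/255.255.248.0"


def on_link(host: str, gateway: str = GATEWAY) -> bool:
    """True when the host, using its OWN configured mask, sees the gateway address
    as directly connected (so it will ARP for it instead of treating it as remote)."""
    gw_addr = ipaddress.ip_interface(gateway).ip
    return gw_addr in ipaddress.ip_interface(host).network


def overlaps(a: str, b: str) -> bool:
    """Do two prefixes share any address? This is the /21 vs 10.1.49.0/24 overlap
    JFrederick29 asked about earlier in the thread."""
    na, nb = (ipaddress.ip_network(x, strict=False) for x in (a, b))
    return na.overlaps(nb)


def plan_report(gateway: str, hosts: dict) -> dict:
    """Summarise the single subnet the router interface defines and, per labelled
    host (label -> 'address/mask'), whether it is inside it and on-link with the gateway."""
    net = ipaddress.ip_interface(gateway).network
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "inside_network": {label: ipaddress.ip_interface(h).ip in net for label, h in hosts.items()},
        "on_link": {label: on_link(h, gateway) for label, h in hosts.items()},
    }


# Constructed hosts reflecting the addressing proposed in the thread.
HOSTS = {
    "server":      "10.1.48.10/255.255.248.0",
    "workstation": "10.1.49.20/255.255.248.0",
    "vpn_client":  "10.1.50.5/255.255.248.0",
    "wrong_mask":  "10.1.49.30/255.255.255.0",   # left on a /24: gateway looks off-link
}

if __name__ == "__main__":
    from pprint import pprint
    pprint(plan_report(GATEWAY, HOSTS))
```

The report answers the question above directly: nothing changes on the router for 10.1.49.x, because 10.1.48.0/21 already runs from 10.1.48.0 to 10.1.55.255 and the router's connected route covers all of it. What must change is the mask on every device; the thread's mixed 255.255.248.0 / 255.255.255.0 proposal is exactly the "wrong_mask" case.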
ASKER CERTIFIED SOLUTION
JFrederick29

Andy Booker (ASKER)

Hi there JFrederick29, thanks for all your advice and help with this one. I have my LAN running 10.1.48.1 - 254 for servers / switches / printers and access point, and all the workstations on 10.1.49.1 - 254. Going to use 10.1.50 for VPN connections. My router is working fine too. Thanks again for all your help. Andy