Andy Booker
asked on
Unable to Browse Internet Cisco 1841
I have a Cisco router which I am trying to set up. I have set up the LAN side as 172.28.23.0 255.255.255.0 and the WAN side is from NTL Business and is assigned by a static DHCP server.
I can browse to the router and config the SDM no problems and can ping bbc.co.uk from the router, but I am unable to browse the internet. I have included the router config so you can have a look and see what stupid mistake I have made.
On a slightly different note, but something I may as well set up at the same time, I am also looking to change the network setup and want to use 10.1.48.1-254 255.255.248.0 and have servers and switches and router on this network and have workstations on 10.1.49.1-254 255.255.255.0. Any insight on this would also be helpful. Thanks Andy
New-Text-Document--2-.txt
Actually, the IOS Firewall should take care of the return traffic, so the access-list modification isn't necessary. Also, the default route should be added via DHCP (hence being able to connect to the Internet from the router itself), so the default route addition shouldn't be necessary either.
Here is the problem though, routing isn't enabled on the router. Do this:
conf t
ip routing
ASKER
Hi JFrederick29,
Tried your solution first as it was less typing than the other one. Spot on, worked straight away, thanks very much. Any thoughts on my second part of the question?
Glad to hear.
For the second part, you mean servers/switches on 10.1.48.1-254 255.255.255.0 (not 255.255.248.0, right)? As this overlaps with the proposed workstation subnet 10.1.49.0/24.
Is the router the LAN default gateway? Or do you have a layer 3 switch acting as the LAN clients' default gateway? If no layer 3 switch, how about a layer 2/VLAN/trunk capable switch (Cisco 2950, 2960)? Without either, you can use secondary addressing on the router, but it really doesn't buy you much as there is no layer 2 separation. If you want to use ACLs to restrict traffic between subnets, unless you have separate VLANs, nothing stops a client from changing their IP to the server subnet to bypass the access-list. There is also no broadcast suppression when not separating via VLANs. If you have a layer 2/trunk/VLAN capable switch, you can set up a trunk to the router LAN interface and route between subnets but also keep traffic separate. Or, if you have a layer 3 switch, even better: do the routing between VLANs on the switch and then forward default traffic to the router.
Really depends on what you are trying to do and what equipment you have.
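The overlap JFrederick29 points out above is worth checking mechanically before touching the router, so here is a small Python check. This is an added example written for this page, not code from the thread or from Cisco. It expresses the ranges as network/mask (10.1.48.1-254 255.255.248.0 is the network 10.1.48.0/21), and the role names, the documentation-style plan dictionaries and the "final plan" of three /24s are assumptions built from what the thread later settles on. It also converts a subnet mask to the inverse (wildcard) mask that an IOS access-list expects, which is easy to get wrong when copying a mask from an `ip address` line.

```python
"""Subnet-plan checks for the addressing question in this thread (added example)."""
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from itertools import combinations


def overlapping_pairs(plan: dict[str, str]) -> list[tuple[str, str]]:
    """Return the role pairs whose prefixes overlap. Two overlapping prefixes
    cannot be two separate routed subnets on one router: the router would end
    up with two connected routes covering the same addresses."""
    nets = {role: IPv4Network(p, strict=False) for role, p in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def usable_hosts(prefix: str) -> int:
    """Host addresses available once network and broadcast are excluded."""
    return IPv4Network(prefix, strict=False).num_addresses - 2


def wildcard_mask(netmask: str) -> str:
    """IOS access-lists take an inverse (wildcard) mask: 255.255.255.0 -> 0.0.0.255."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(netmask))))


def acl_term(prefix: str) -> str:
    """Address/wildcard pair for a prefix, as it must appear in an access-list."""
    net = IPv4Network(prefix, strict=False)
    return f"{net.network_address} {wildcard_mask(str(net.netmask))}"


def summarize(prefixes: list[str]) -> list[str]:
    """Smallest set of prefixes covering the plan (what a summary route would carry)."""
    return [str(n) for n in collapse_addresses(IPv4Network(p, strict=False) for p in prefixes)]


# Constructed from the thread: the plan as first proposed, a /21 beside a /24 ...
FIRST_PLAN = {"servers": "10.1.48.0/255.255.248.0", "workstations": "10.1.49.0/255.255.255.0"}
# ... and the plan it settled on: three /24s, which all sit inside 10.1.48.0/21.
FINAL_PLAN = {"servers": "10.1.48.0/24", "workstations": "10.1.49.0/24", "vpn": "10.1.50.0/24"}

if __name__ == "__main__":
    print("first plan overlaps:", overlapping_pairs(FIRST_PLAN))   # [('servers', 'workstations')]
    print("final plan overlaps:", overlapping_pairs(FINAL_PLAN))   # []
    for role, prefix in FINAL_PLAN.items():
        print(f"{role:13} {prefix:15} hosts={usable_hosts(prefix):4} acl='{acl_term(prefix)}'")
    print("summary:", summarize(list(FINAL_PLAN.values())))        # ['10.1.48.0/23', '10.1.50.0/24']
```

The first plan fails the overlap check because 10.1.48.0/21 already contains 10.1.49.0/24; the final plan passes, and `summarize` shows that the three /24s can be advertised upstream as 10.1.48.0/23 plus 10.1.50.0/24. Remember that this only checks addressing; as the answer above says, without separate VLANs nothing stops a workstation from simply re-addressing itself into the server subnet.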
ASKER
Servers / Access Points / Switches I did want to put on 10.1.48.1 - 254 255.255.248.0 and the workstations and laptops on 10.1.49.1 - 254 255.255.248.0. The Router is the LAN default gateway, yes. The switches I am using are Netgear GSM712F and FMS726S. The 712 has the three servers attached via fiber and two of the ports uplink to the 726 via fiber; all the workstations are connected to the 726. I don't want to restrict traffic from the workstations or the server to the internet. Really just want servers on one set of addresses and workstations on another to give me a total of 512 addresses. Hope this makes sense; any questions about the above, let me know. I don't mind what subnet I use really. Thanks Andy
Well, it is all one subnet so this is very simple. Just change the router LAN interface to 10.1.48.1 255.255.248.0 and change all the LAN devices to that subnet.
ASKER
Ok, so that takes care of the single network of 10.1.48.1 - 254 for the switches, router and server. So what about the workstations on 10.1.49.1 - 254? Wouldn't I need to change something on the router to see that network as well, or am I totally missing the point here? Thanks Andy
ASKER CERTIFIED SOLUTION
ASKER
Hi there JFrederick29, thanks for all your advice and help with this one. I have my LAN running 10.1.48.1 - 254 for server / switches / printers and access point and all the workstations on 10.1.49.1 - 254. Going to use the 10.1.50 for VPN connections. My router is working fine too. Thanks Again for all your help. Andy
enter the following:
ip route 0.0.0.0 0.0.0.0 fa0/0 perm
no ip route 172.28.23.0 255.255.255.0 fa0/0 perm
That takes care of the routing. As your LAN interface is directly off the router, you don't need to add a route to it, as it should show up in the routing table as connected. Check via a "sh ip route".
Secondly your external access control list 101, won't allow return HTTP/HTTPS traffic.
To fix this you need to remove the access list then reapply it with the following 2 lines before the final deny ip any any log:
to remove and re-apply the access-list:
no access-list 101
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 172.28.23.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 permit tcp any eq 80 172.28.23.0 0.0.0.255 established
access-list 101 permit tcp any eq 443 172.28.23.0 0.0.0.255 established
access-list 101 deny ip any any log
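To see what the access-list above does to return traffic on its own, here is a stateless model of it in Python. This is an added example for this page, not code from the thread or from Cisco IOS, and it deliberately models only a plain extended ACL: the IOS Firewall (CBAC) inspection that JFrederick29 mentions adds dynamic return-traffic entries that this model does not simulate, which is why the ACL edit was not needed on the real router. The two return-traffic lines are written here as `permit tcp ... 0.0.0.255 established`, the form IOS accepts (`eq` and `established` are TCP options, and ACLs take wildcard masks). The parser handles only the keywords used in this list and assumes contiguous wildcard masks; the sample packets are constructed, with 203.0.113.0/24 standing in for an Internet host.

```python
"""Stateless model of the IOS extended access-list from the thread (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"bootps": 67, "bootpc": 68, "www": 80, "domain": 53}  # IOS port names (subset)


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK/RST set: what the "established" keyword tests
    icmp_type: str = ""     # e.g. "echo-reply"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: IPv4Network
    sport: int
    dst: IPv4Network
    dport: int
    established: bool
    icmp_type: str


def _address(tok: list[str], i: int) -> tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    netmask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(tok[i + 1])))
    return IPv4Network(f"{tok[i]}/{netmask}", strict=False), i + 2


def _port(tok: list[str], i: int) -> tuple[int, int]:
    """Parse an optional 'eq PORT' (name or number); 0 means any port."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return 0, i


def parse_acl(text: str) -> list[Rule]:
    """Parse 'access-list N ...' lines; remarks are skipped, order is preserved."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                      # drop 'access-list' and the number
        if not tok or tok[0] == "remark":
            continue
        src, i = _address(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _address(tok, i)
        dport, i = _port(tok, i)
        rest = tok[i:]                              # 'established', 'log' or an ICMP type
        icmp = next((t for t in rest if t not in ("established", "log")), "")
        rules.append(Rule(tok[0], tok[1], src, sport, dst, dport, "established" in rest, icmp))
    return rules


def _matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and IPv4Address(p.src) in r.src and IPv4Address(p.dst) in r.dst
            and (not r.sport or r.sport == p.sport)
            and (not r.dport or r.dport == p.dport)
            and (not r.established or p.ack)
            and (not r.icmp_type or r.icmp_type == p.icmp_type))


def evaluate(rules: list[Rule], p: Packet) -> str:
    """First match wins; every ACL ends with an implicit 'deny ip any any'."""
    return next((r.action for r in rules if _matches(r, p)), "deny")


ORIGINAL_ACL = """
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 172.28.23.0 0.0.0.255 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
"""
# Same list with the two return-traffic lines inserted before the final deny.
PATCHED_ACL = ORIGINAL_ACL.replace(
    "access-list 101 deny ip any any log",
    "access-list 101 permit tcp any eq 80 172.28.23.0 0.0.0.255 established\n"
    "access-list 101 permit tcp any eq 443 172.28.23.0 0.0.0.255 established\n"
    "access-list 101 deny ip any any log")

# Constructed packets arriving inbound on the WAN interface.
HTTP_REPLY = Packet("tcp", "203.0.113.10", "172.28.23.50", sport=80, dport=51234, ack=True)
INBOUND_SYN = Packet("tcp", "203.0.113.10", "172.28.23.50", sport=40000, dport=80)
SPOOFED_LAN = Packet("tcp", "172.28.23.5", "172.28.23.50", sport=80, dport=51234, ack=True)
DHCP_OFFER = Packet("udp", "10.200.0.1", "255.255.255.255", sport=67, dport=68)
PING_REPLY = Packet("icmp", "203.0.113.10", "172.28.23.1", icmp_type="echo-reply")

if __name__ == "__main__":
    samples = [("http reply", HTTP_REPLY), ("inbound syn", INBOUND_SYN),
               ("spoofed lan src", SPOOFED_LAN), ("dhcp offer", DHCP_OFFER), ("ping reply", PING_REPLY)]
    for name, acl in (("original", ORIGINAL_ACL), ("patched", PATCHED_ACL)):
        for label, p in samples:
            print(f"{name:8} {label:16} -> {evaluate(parse_acl(acl), p)}")
```

Without inspection, the original list drops the HTTP reply at the final `deny ip any any log`, while the patched list lets it through because the source port is 80 and ACK is set; an unsolicited SYN to the inside, or an inbound packet spoofing a 172.28.23.0/24 source, is still dropped. Note also why the order matters: the DHCP offer from a 10.x relay is permitted only because the `bootps` line sits above the RFC 1918 deny. The `established` keyword is a flag check, not state, so a remote host that sets ACK on a packet sourced from port 80 or 443 matches it; that is the gap CBAC closes on the real router.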