Simple Networking

Basic configuration of the Cisco router. Access to the Internet.


Let’s see how to connect an office to the Internet using a Cisco router.
Let’s take Cisco 881 for example. Commands for configuration of other routers (1841, 2800, 3825…) will be the same. They may differ only in configuration of interfaces, i.e. their names and numbers.

The scheme includes

  • an Internet connection with a static address
  • several PCs in the office local network
  • a router
  • a switch for creating an office local network

Task: provide access for LAN computers to the Internet


Step 0. Clearing the configuration

The first thing to do when configuring a new router is to completely clear the startup configuration.
(Do it only on new or test devices!)
To do that, connect via a special console cable to the router console port, enter the command line and do the following:

Enter privileged mode (#); you may need to enter a login name/password for that.
router> enable

Erase the startup configuration
router# write erase

Reload the router
router# reload

The router will reboot within 3 minutes and the initial configuration dialog will appear. Type “no” and move to the next step.
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Would you like to enter the initial configuration dialog? [yes/no]:

The router configuration will now contain only the default system lines, and you can start the main configuration.

Step 1. Device name

Use the hostname «device name» command to set a router name. It will help you in future.
router#conf t
router(config)#hostname R-DELTACONFIG


Step 2. Configuration of interfaces

We should configure two interfaces: external and internal ones.
The external interface will be used for connecting to the Internet. It will have the IP address and network mask provided by the ISP.
The internal interface will be configured for the local network /24
For example, the ISP has provided us with the following addresses:

  • Network
  • Subnet mask or /30
  • Default gateway

Let’s configure the external interface: set an IP address and a network mask and enable it using the no shut command
interface Fa 4
ip address
no shutdown

Then connect this router interface to the port of the provider’s equipment using a straight-through patch cord and check its availability with the ping command.

First, the router’s own interface
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Then, the adjacent address – the provider’s gateway
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/10 ms

After making sure that the provider’s gateway is available, we should configure the internal interface.
The local network will have the following addresses:

  • Network
  • Subnet mask
  • Internal router address acting as an Internet gateway for all network hosts,
  • I recommend starting the range of internal network addresses (users, printers, servers, etc.) with
  • The max available address in this network is
  • Let’s reserve addresses from to for emergency technological needs

To configure the internal interface of the local network, enter the Vlan 1 configuration mode, set an IP address and link it with one of the router’s physical interfaces (Fa 0).
interface Vlan 1
ip address
no shutdown

Choose a physical router interface and link it with the virtual Vlan.
interface Fa 0
switchport access vlan 1
no shutdown

This could help for better understanding:
ip address => interface Vlan X => interface Fastethernet Y
The IP address is assigned to the Vlan X virtual interface, which is linked with the Fastethernet Y physical interface.

Connect the Fa 0 router interface to the switch serving the workstations of the local network, or directly to the administrator’s workstation.
Then, check the availability of this router interface using the ping command from the command line.

Step 3. Configuration of the remote router access

You can access the router console not only through a console cable, but also remotely using Telnet (data is transferred unencrypted) or SSH (secure connection).

Let’s see how to configure the secure connection.

Enable the SSH version 2 protocol and set any domain name.
ip ssh ver 2
ip domain-name

Generate the RSA keys required for the connection. Enter 1024 when prompted.
crypto key generate rsa
How many bits in the modulus [512]: 1024

Set a user name with administrator rights and the password (*****)
username admin privilege 15 secret 0 *****

Enable authentication against the device’s local user database (the user you created in the previous line).
line vty 0 4
login local

Set a password for the privileged mode.
enable secret 0 *****

Then, using an SSH client, you can remotely enter the router console from any workstation of the local network. To authenticate, enter the login name and password set earlier.
You can learn more about access to the device using the SSH protocol in this article.

Step 4. Default gateway

To route packets to the Internet, we should define a default gateway for the device.
ip route

After that, you can check not only availability of provider’s equipment, but of the whole Internet connection.
To do that, ping any address in the external network in numeric form (I recommend configuring DNS for the local network after configuration of the router).
Let’s take Google’s address ( for example.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/10 ms

Please note that at this point pinging external addresses works only (!) when launched from the router’s own management console. Workstations of the local network do not yet have Internet access.

Step 5. Configuration of network address translation (NAT)

For Internet access from the local network, we should dynamically translate all internal addresses to a certain external IP address.

In our case, as the ISP gives us only one external address (defined by the /30 subnet mask as given in the example above), all local network addresses should be translated to it.

Define a list of internal addresses for translation to the external address.
ip access-list standard ACL_NAT

Define the internal interface for translation.
interface Vlan 1
ip nat inside

Define the external interface for translation.
interface Fa 4
ip nat outside

Create the network address translation (NAT) rule.
ip nat inside source list ACL_NAT interface fa4

As a result, you should have Internet access from any workstation of the local network if its default gateway is the internal IP address of the router (

You can check this by pinging an Internet address from the command line. It is better to use a numeric address to avoid potential problems with DNS names (Use to check the connection).

Do not allow full Internet access from all local network addresses. After checking the connection, I recommend limiting Internet access to certain addresses only – for example, a proxy server and the workstations of the administrator/director.
You can learn more about how to do it in the article “a little about access lists”.
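
A check for two points raised above, added here as an example that is not part of the original article: whether the vty lines from Step 3 accept SSH only, and whether the NAT access list from Step 5 translates a whole subnet instead of selected hosts. The sample running-config, every address in it and the finding codes are assumptions constructed for the example.

```python
import re

# Constructed running-config for the setup built on this page. All addresses
# are placeholders chosen for the example; they are not from the page.
PAGE_CONFIG = """\
hostname R-DELTACONFIG
ip ssh version 2
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface FastEthernet4
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
ip nat inside source list ACL_NAT interface FastEthernet4 overload
ip access-list standard ACL_NAT
 permit 192.168.0.0 0.0.0.255
line vty 0 4
 login local
"""

def sections(config):
    """Map each top-level line to the indented lines that follow it."""
    result, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = result.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return result

def audit(config):
    """Return (code, detail) findings for the Step 3 and Step 5 settings."""
    sec, findings = sections(config), []
    if "ip ssh version 2" not in sec:
        findings.append(("SSH_V2_MISSING", "add 'ip ssh version 2'"))
    for header, body in sec.items():
        if header.startswith("line vty"):
            if "transport input ssh" not in body:  # Telnet not ruled out
                findings.append(("VTY_NOT_SSH_ONLY", header + ": add 'transport input ssh'"))
            if "login local" not in body:
                findings.append(("VTY_NO_LOCAL_LOGIN", header + ": add 'login local'"))
    for header in sec:
        nat = re.match(r"ip nat inside source list (\S+) ", header)
        for entry in sec.get("ip access-list standard " + nat.group(1), []) if nat else []:
            m = re.fullmatch(r"permit (any|[\d.]+ ([\d.]+))", entry)
            if m and m.group(1) == "any":
                findings.append(("NAT_ACL_ANY", entry))
            elif m and m.group(2) != "0.0.0.0":  # wildcard covers many hosts
                findings.append(("NAT_ACL_WHOLE_SUBNET", entry))
    return findings
```

The RSA modulus size chosen in Step 3 does not appear in the running configuration, so it is outside what this check can see.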


Don’t forget to save the changes you made to the configuration with the write or copy run start commands. Otherwise you will lose all changes after the next reload.

This article was written by Alexey Yurchenko


Thank you sir, it works!


So amazing presentation; it is so intuitive and straightforward. As said, it’s real life configuration.

Nash M

Thanks, all of the above mentioned configuration is definitely spot-on. Unfortunately, there is apparently something else wrong with my system. Now I’m able to ping, Facebook, just about any place in the world, including my entire internal network but, still cannot access a web-page. The Cisco 891 router has 7 Gig Lan ports, 5 in Vlan1/ 2 in Vlan 99. All 5 Vlan 1 ports are able to access the internet without issues. G6-7 in V-99 only pings the world but no internet. Absolutely no explanation. Any words of wisdom to offer?





Great Material for real life configuration, keep up the good work!

