12-02-2005 01:26 AM - edited 03-03-2019 11:07 AM
Can anyone please tell me the normal way of setting up an access list for the internet and nothing else? This is for my 1700 router at home!!
thanks
Carl
12-02-2005 03:12 AM
Hi
You can create something like this in your router and can apply it under the interface which gets you connected to the outside world.
!
access-list 101 permit tcp any any eq www
!
interface serial 1/0
ip access-group 101 in
ip access-group 101 out
regds
12-02-2005 05:30 AM
I doubt that this is the solution:
access-list 101 permit tcp any any eq www
ip access-group 101 in
ip access-group 101 out
Or, more exactly, it will work only if you use TCP port 80 on your PC to initiate the HTTP session. But usually Internet Explorer uses other source ports for HTTP (for example 2924, as it is now on my PC). So it would be good to have at least two different access-lists - one for incoming traffic and one for outgoing.
If I remember correctly, some 1700 series routers (the 1712, for example) have Security Device Manager software with some wizards which generate access-lists automatically.
//Mikhail Galiulin
12-02-2005 06:08 AM
Don't I need an access list that only permits established connections? And do I need to let port 80 inbound, not just outbound?
12-04-2005 11:51 PM
Permitting only the established connections will be the simplest solution. Then, if you would like, you can try to configure a more complex access-list.
If you get your IP address from the ISP through DHCP, do not forget to open the bootps and bootps ports (udp). Running a VPN also requires a number of ports/protocols to be configured.
//Mikhail Galiulin
12-05-2005 12:28 AM
Hello,
unless you have an internal DNS server, you would probably also need to allow DNS:
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any established
Regards,
GP
12-05-2005 12:49 AM
Hello,
If you use
access-list 101 permit tcp any any established
Do you really need
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
?
//Mikhail Galiulin
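The matching behaviour debated in the replies above, as an added example that is not part of the thread: a small Python model of extended-ACL matching (first match permits, implicit deny at the end, `established` meaning the ACK or RST bit is set). The split into an outbound list 101 and an inbound list 102, and all packets, are constructed assumptions.

```python
# Added illustration (not from the thread): a minimal model of how IOS extended
# ACL entries match TCP/UDP packets. Ports and packets below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags that are set

@dataclass(frozen=True)
class Permit:
    proto: str
    sport: Optional[int] = None     # "eq <port>" after the source
    dport: Optional[int] = None     # "eq <port>" after the destination
    established: bool = False       # TCP only: ACK or RST bit must be set

def permits(acl, pkt):
    """First matching entry permits; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if e.proto != pkt.proto:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not pkt.flags & {"ACK", "RST"}:
            continue
        return True
    return False

# access-list 101 permit tcp any any eq www, applied both in and out (first reply)
SINGLE = [Permit("tcp", dport=80)]
# Split lists; the numbers 101/102 and the direction split are assumptions
OUT_101 = [Permit("tcp", dport=80), Permit("tcp", dport=443), Permit("udp", dport=53)]
IN_102 = [Permit("tcp", established=True), Permit("udp", sport=53)]

# Constructed packets: the PC browses from source port 2924 (the port quoted above)
SYN = Packet("tcp", 2924, 80, frozenset({"SYN"}))             # PC -> web server
SYN_ACK = Packet("tcp", 80, 2924, frozenset({"SYN", "ACK"}))  # web server -> PC
NEW_IN = Packet("tcp", 40000, 80, frozenset({"SYN"}))         # unsolicited, Internet -> inside
DNS_Q, DNS_R = Packet("udp", 1025, 53), Packet("udp", 53, 1025)

if __name__ == "__main__":
    print("single list: request out", permits(SINGLE, SYN), "| reply in", permits(SINGLE, SYN_ACK),
          "| new inbound to 80", permits(SINGLE, NEW_IN))
    print("split lists: request out", permits(OUT_101, SYN), "| reply in", permits(IN_102, SYN_ACK),
          "| new inbound to 80", permits(IN_102, NEW_IN), "| DNS", permits(OUT_101, DNS_Q), permits(IN_102, DNS_R))
```

Both `established` and the source-port-53 entry are stateless matches on header fields, so they do not track whether the inside host actually opened the session.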
12-11-2005 07:44 AM
I guess you should also open ports for FTP (remember FTP uses 2 TCP ports, 21 & 20) and other messaging software like MSN (1863), Y! (5050), etc.