11-14-2002 03:38 AM - edited 03-02-2019 02:52 AM
We have a supposedly DDR configured 801 router which dials out to the ISP at an average of every 15 secs. This sporadic behaviour also occurs at odd hours between 10pm and 6am.
I really need to stop the router from dialing out in this manner as the phone bill is rather too high.
Following is the running config of the 800 router.
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bcmrouter
!
enable secret 5 $1$cC/A$wQoTZGIV5/itbbMxeHIbf/
!
!
!
!
!
ip subnet-zero
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
process-max-time 200
!
interface Ethernet0
 ip address 192.168.0.2 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface BRI0
 ip address negotiated
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer idle-timeout 300
 dialer string 08450798202
 dialer hold-queue 10
 dialer load-threshold 180 either
 dialer-group 1
 isdn switch-type basic-net3
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname bcm
 ppp chap password 7 04550A125E2E424F05
 ppp pap sent-username bcm password 7 082F4D5A58160B161E
 ppp multilink
!
ip nat inside source list 100 interface BRI0 overload
ip nat inside source static tcp 192.168.0.1 25 212.188.176.118 25 extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny udp any any eq netbios-ns
access-list 100 deny udp any any eq netbios-dgm
access-list 100 deny udp any any eq netbios-ss
access-list 100 permit tcp any any eq www
access-list 100 permit tcp host 192.168.0.1 any eq smtp
access-list 100 permit tcp host 192.168.0.1 any eq domain
access-list 100 permit ip host 192.168.0.1 any
access-list 100 permit ip 192.160.0.0 0.0.0.255 any
dialer-list 1 protocol ip list 100
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
end
11-14-2002 05:57 AM
The last line in your access-list 100 is going to activate the dialer for any traffic not explicitly denied in the previous statements. That's probably where your problem lies. If the connection is used just for internet access remove the
access-list 100 permit ip 192.160.0.0 0.0.0.255 any
and add
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any eq (any other ports you really need)
This should eliminate your unwanted dialer activations. You can of course modify the access list to your particular needs.
Bob
11-14-2002 08:41 AM
I have re-edited the access-list as below (ignore the access-list 1):
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny udp any any eq netbios-ns
access-list 100 deny udp any any eq netbios-dgm
access-list 100 deny udp any any eq netbios-ss
access-list 100 permit tcp any any eq www
access-list 100 permit tcp host 192.168.0.1 any eq smtp
access-list 100 permit tcp host 192.168.0.1 any eq domain
access-list 100 permit ip host 192.168.0.1 any
I realise that without the last entry of '100 permit ip host 192.168.0.1 any' no one can access the internet. The 192.168.0.1 is the proxy server.
What else do I need to add to allow http traffic and remove last line on access-list?
11-14-2002 09:43 AM
The line that reads
access-list 100 permit tcp any any eq www
is all that's needed to permit web traffic. For DNS lookups you may want to add
access-list 100 permit udp host 192.168.0.1 any eq domain
For secure web site access you will need
access-list 100 permit tcp host 192.168.0.1 any eq 443
and that should be it.
11-14-2002 09:52 AM
I noticed something else that may be causing a little confusion as well. You're using the same access-list 100 as both the NAT source and dialer list. Use another list for your NAT. access-list 1 would work well for this.
ip nat inside source list 1 interface BRI0 overload
That done, I think everything will work fine.
Bob
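An added example, not part of the original thread and not Cisco code: with `dialer-list 1 protocol ip list 100`, any packet that access-list 100 permits is interesting traffic and brings up the BRI line. The sketch below evaluates the re-edited list and the tightened list from the replies with first-match semantics. The function names, the small parser (it handles only the ACL syntax used in this thread) and the sample packet addresses are constructed for illustration.

```python
from ipaddress import IPv4Address as IP

# Entries common to both versions of ACL 100 discussed in the thread.
COMMON = """\
access-list 100 deny udp any any eq netbios-ns
access-list 100 deny udp any any eq netbios-dgm
access-list 100 deny udp any any eq netbios-ss
access-list 100 permit tcp any any eq www
access-list 100 permit tcp host 192.168.0.1 any eq smtp
access-list 100 permit tcp host 192.168.0.1 any eq domain
"""
REVISED = COMMON + "access-list 100 permit ip host 192.168.0.1 any\n"  # re-edited list
TIGHT = COMMON + ("access-list 100 permit udp host 192.168.0.1 any eq domain\n"
                  "access-list 100 permit tcp host 192.168.0.1 any eq 443\n")  # catch-all replaced
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
         "www": 80, "smtp": 25, "domain": 53}

def _addr(tok):  # consume one address spec, return (base, wildcard) as ints
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IP(tok.pop(0))), 0
    return int(IP(t)), int(IP(tok.pop(0)))

def parse(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]  # drop "access-list 100"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        aces.append((line, action, proto, src, dst, port))
    return aces

def _hit(spec, ip):  # wildcard bits set to 1 are "don't care"
    return (int(IP(ip)) | spec[1]) == (spec[0] | spec[1])

def interesting(aces, proto, src, dst, dport=None):
    """First-match evaluation: (does the packet bring up the line?, matching entry)."""
    for line, action, p, s, d, port in aces:
        if p in ("ip", proto) and port in (None, dport) and _hit(s, src) and _hit(d, dst):
            return action == "permit", line
    return False, "implicit deny"  # every ACL ends with an implicit deny

if __name__ == "__main__":
    ntp = ("udp", "192.168.0.1", "198.51.100.7", 123)  # constructed packet from the proxy
    for name, acl in (("re-edited", REVISED), ("tightened", TIGHT)):
        print(name, interesting(parse(acl), *ntp))
```

Any background chatter from the proxy (the constructed NTP packet here) matches the catch-all entry in the re-edited list, while the tightened list lets only the named services dial.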