Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
458
Views
0
Helpful
2
Replies

Access lists problem in Cisco 801

kaustavcisco
Level 1
Level 1

‎01-23-2002 03:36 AM - edited ‎03-01-2019 08:10 PM

Hi,

I recently configured a Cisco 801 with a scenarioas follows:

Router 801 is connecting to the internet via easy IP configuration. The dialer 1 is getting the IP from the ISP ,BRI 0 has no ip address , NAT is on. I have given a access-list standard .The configurations I made are included below:

Username: ÿÿalh1

Password:

alh1>en

Password:

alh1#sh run

Building configuration...

Current configuration:

!

version 12.0

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname alh1

!

logging buffered 8192 debugging

enable secret 5 $1$zonS$nWY3EbiPDzsxALwNAQIsA/

username alh1 password 7 1511021F07257A

ip subnet-zero

no ip source-route

isdn switch-type basic-net3

interface Ethernet

interface Ethernet0

ip address 128.127.20.121 255.255.0.0

no ip directed-broadcast

no ip proxy-arp

ip nat inside

!

interface BRI0

no ip address

no ip directed-broadcast

encapsulation ppp

dialer pool-member 1

isdn switch-type basic-net3

ppp authentication chap pap callin

ppp multilink

!

interface Dialer1

description ISP

ip address negotiated

no ip directed-broadcast

no ip proxy-arp

ip nat outside

encapsulation ppp

no ip split-horizon

dialer remote-name Cisco1

dialer idle-timeout 300

dialer string 0803630000 class DialClass

dialer string 0803631000 class DialClass

dialer hold-queue 10

dialer load-threshold 10 either

dialer pool 1

dialer-group 1

pulse-time 0

ppp authentication chap pap callin

ppp chap hostname alh1isdn

ppp chap password 7 047F3927280E621F5B

ppp pap sent-username alh1isdn password 7 1536392D230505757A

ppp multilink

!

ip nat inside source list 18 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

map-class dialer DialClass

access-list 18 permit 128.127.0.0 0.0.255.255

dialer-list 1 protocol ip permit

line con 0

exec-timeout 120 0

transport input none

stopbits 1

line vty 0 4

exec-timeout 0 0

login local

I tried to put in the access lists single hosts like

access-list 18 permit host 128.127.20.1

for 5 hosts only removing the access-list 128.127.0.0 0.0.255.255 for controlling the internet access. The interface was found to be not dialing to the ISP ..

What can be problem any help?

Labels:
0 Helpful
2 Replies 2

jduffek
Level 1
Level 1

‎01-25-2002 11:58 PM

Well if your router is not dialing we shouldn't worry about ACLs, unless they are applied to your dialer-list...which they are not.

I would run:

config t

service timestamp debug datetime msec

access-list 150 permit icmp any host 1.1.1.1

end

sh ver | i IOS

sh dialer int dialer1

sh isdn stat

sh int dialer1

debug dialer

debug ip pack 150

debug isdn q931

debug ppp nego

term mon

ping 1.1.1.1 (should be already routed to dialer1)

When you ping 1.1.1.1 the ios *should* route the packet out your point-to-point dialer1 interface. Then it will look at dial-group/list 1 to make sure it is interesting traffic, which it is, so this should bring up a dial. Then isdn should tx a setup for the number in your first dialer string. Which will then also, do nothing becuse your map-class dialclass has nothing in it. Then you should eventually get a rx connect and tx a connect ack, all at the q931 layer. After that ppp will try to negotiate and your ddr code should automagically bind the call to your only dialer profile, should. PPP should negotiate multilink and an authentication protocol. Then LCP will open. After that we move to authentication, if there is aaa on the NAS side we might have to look at how that is working. If authentication succeds then we move to NCP. We should send IPCP config requests(IPCP: O CONFREQ address: 0.0.0.0, or something like that). If the peer naks that request with a proper address for us to use and we agree with what they are using on their side ipcp should open. Then, proper routing and nat should work....that is another bunch of processes I don't want to get into because that is not the problem at hand(looks configured right to me).

Debug ip nat if not...

12.0 might not have certain bug fixes that you need...just a thought.

Josh

0 Helpful

kaustavcisco
Level 1
Level 1
In response to jduffek

‎01-27-2002 11:08 PM

Thanx,

I shall check into what u said.. I shall get back to you in need.

Regds/

kaustavcisco

0 Helpful
Customers Also Viewed These Support Documents