12-30-2003 05:05 AM - edited 03-02-2019 12:36 PM
Hi,
Can anyone help me control my ISDN router so that it dials only for interesting traffic?
I have the following access list below, which doesn't work.
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 8080
access-list 101 permit ip host 192.168.0.250 any
dialer-list 1 protocol ip list 101
And if I change the ACL to
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
things work fine, but the router is always on despite the command idle-timeout 60.
The PIX is connected to the router.
Even if I remove the PIX from the network, there is some traffic from the PIX that makes BRI0 always on.
The IP addresses are as follows:
PIX : E1=192.168.0.251 E0=192.168.10.250
Router : E0=192.168.10.110
Exchange Server : 192.168.0.250
We connect to the Internet via proxy: proxy1.emirates.net.ae:8080
Below is the debug output for the dialer events.
When I change the dialer-list to 101, the BRI goes down, and this is the debug output for dialer events:
14:51:22: BR0:1 DDR: idle timeout
14:51:22: BR0:1 DDR: disconnecting call
14:51:22: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 4004444 dxbmmp
, call lasted 1496 seconds
14:51:22: Di1 DDR: No bundle in dialer_fsm_up
14:51:22: Di1 DDR: No bundle in dialer_fsm_up
14:51:22: Di1 DDR: No bundle in dialer_fsm_up
14:51:22: Di1 DDR: No bundle in dialer_fsm_up
14:51:95415384114: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
14:51:94491146244: BR0 DDR: has total 0 call(s), dial_out 0, dial_in 0
14:51:94491053587: BR0:1 DDR: disconnecting call
14:51:94489281195: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
14:51:22: BR0:1 DDR: disconnecting call
14:51:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state
to down
When I change the dialer-list to 100 instead of 101, the BRI comes up and the debug result is:
BR0 DDR: rotor dialout [priority]
14:52:39: BR0 DDR: Dialing cause ip (s=192.168.10.250, d=188.104.209.252)
14:52:39: BR0 DDR: Attempting to dial 4004444
14:52:171798691840: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
14:52:171807073788: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
14:52:46: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 4004444
14:52:210453397504: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 4004
444 , call lasted 9 seconds
14:52:210453397504: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
14:52:210455263236: BR0 DDR: has total 0 call(s), dial_out 0, dial_in 0
14:52:210455170579: BR0:1 DDR: disconnecting call
14:52:210453398187: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
14:52:210503729152: DDR: Call disconnected, 3 packets unqueued and discarded
14:52:49: BR0:1 DDR: disconnecting call
14:52:49: BR0 DDR: rotor dialout [priority]
14:52:49: BR0 DDR: Dialing cause ip (s=192.168.10.250, d=24.106.68.255)
14:52:49: BR0 DDR: Attempting to dial 4004444
14:52:219043332096: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
14:52:219051714044: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
14:52:52: BR0:1 DDR: dialer protocol up
14:52:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state
to up
14:52:57: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 4004444 dxbmmp
12-30-2003 05:47 AM
With the first ACL 101, only the traffic that the statements in 101 define will be interesting. If there is no interesting traffic, the call will drop after the idle timeout expires. In the second case, the ISDN stays up all the time since you have a dialer list that says to permit all IP (it's not attached to an ACL even if you have it defined in there). Hence all IP traffic is interesting and the ISDN will stay up all the time. Idle timeout does not matter here because any and all traffic is interesting.
12-30-2003 11:55 PM
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 8080
access-list 101 permit ip host 192.168.0.250 any
dialer-list 1 protocol ip list 101
The above ACL works fine if the router is directly connected to the switch. But if I connect a firewall, then the router doesn't come up once disconnected.
12-31-2003 01:34 AM
Hi,
Could you please tell us what your requirement is, I mean which traffic you want to allow? Because right now you are allowing only DNS, traffic to port 8080, and traffic from your Exchange server. And please tell me in which direction you are applying this ACL for the BRI.
If it's not working after connecting the PIX firewall, then the problem is that the router is not receiving any traffic from the PIX. Please check the PIX configuration.
Regards...
Ashok.
12-31-2003 04:31 AM
Things work fine when there is no ACL, i.e.
dialer-list 1 protocol ip permit
So there is no point in saying that the router is not receiving traffic from the PIX. The problem only comes when I define an ACL, for example:
access-list 101 permit tcp any any eq www
access-list 101 permit ip host 192.168.0.250 any
dialer-list 1 protocol ip list 101
12-31-2003 08:21 AM
Change the last line in ACL 101 to
access-list 101 permit ip any any
or
access-list 101 permit ip any any log
The log keyword will give you the SA & DA as well as the port they are connecting to.
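Added example, not written by any poster in this thread: a small Python model of how ACL 101 from the first post classifies packets as interesting (first match wins, implicit deny at the end). The packets are constructed; the source 192.168.10.250 is taken from the "Dialing cause" debug lines, while the 203.0.113.x destinations, the ports, and the assumption that the PIX translates inside hosts to its E0 address are illustrative.

```python
import ipaddress

PORTS = {"domain": 53, "www": 80}   # IOS port keywords used in the thread

ACL_101 = """\
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq 8080
access-list 101 permit ip host 192.168.0.250 any
""".splitlines()

def parse_ace(line):
    """Parse the 'permit' entry forms that appear in this thread."""
    t = line.split()[3:]                      # drop "access-list <n> permit"
    ace = {"proto": t.pop(0), "dport": None}
    for side in ("src", "dst"):
        if t[0] == "any":
            ace[side] = None
            t.pop(0)
        else:                                 # "host a.b.c.d"
            ace[side] = ipaddress.ip_address(t[1])
            del t[:2]
    if t[:1] == ["eq"]:
        ace["dport"] = PORTS.get(t[1]) or int(t[1])
    return ace

def matched_line(acl_lines, pkt):
    """Return the 1-based entry that makes pkt interesting, or 0 (implicit deny)."""
    for n, ace in enumerate(map(parse_ace, acl_lines), 1):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if ace["src"] and ace["src"] != ipaddress.ip_address(pkt["src"]):
            continue
        if ace["dst"] and ace["dst"] != ipaddress.ip_address(pkt["dst"]):
            continue
        if ace["dport"] and ace["dport"] != pkt.get("dport"):
            continue
        return n
    return 0

# Constructed packets as the router would see them arriving on E0.
PACKETS = {
    "dns_udp":           {"proto": "udp", "src": "192.168.10.250", "dst": "203.0.113.53", "dport": 53},
    "proxy_tcp_8080":    {"proto": "tcp", "src": "192.168.10.250", "dst": "203.0.113.80", "dport": 8080},
    "mail_untranslated": {"proto": "tcp", "src": "192.168.0.250", "dst": "203.0.113.25", "dport": 25},
    "mail_translated":   {"proto": "tcp", "src": "192.168.10.250", "dst": "203.0.113.25", "dport": 25},
}

def classify(acl_lines=ACL_101):
    """Map each sample packet name to the ACL entry it matched (0 = not interesting)."""
    return {name: matched_line(acl_lines, p) for name, p in PACKETS.items()}
```

The two mail cases differ only in source address, which is the difference between the router being connected directly to the switch and sitting behind a translating firewall.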