12-18-2002 04:30 AM - edited 03-02-2019 03:41 AM
I have a problem where I need to limit outbound calls from a central-site 3640 to a branch ISDN network of 160 or so Cisco 800 routers, but still maintain inbound calls. The only applications that should initiate outbound connections are the apps the help desk uses: NetMeeting, Telnet, TFTP, and also ICMP for pings and traces. I set the following extended access-list to allow this traffic and applied it to the dialer-list:
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 1503
access-list 101 permit tcp any any eq 23
access-list 101 permit udp any any eq 69
access-list 101 permit icmp any any
This all works fine for outbound calls, but of course now inbound calls get disconnected after 30 seconds (the dialer idle-timeout value), which is causing problems. In an ideal world I would like to be able to set the dialer idle-timeout to only apply to outbound traffic; then all my problems would be solved. But of course the command can only be configured to inbound only, or bidirectional (default), which is pretty bizarre. I hope Cisco would consider adding outbound-only interesting traffic as a feature...
If I configure:
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any est
to allow established inbound-call packets back out as interesting traffic, I get a load of outbound calls made, which defeats the object of using the ACL in the first place.
I think that if, rather than permitting established TCP packets, I add all the outbound ports that the applications at the branches use, i.e. (for their Notes replication)
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 1347
that may solve the problem. Has anyone else had similar experiences with such a scenario? Am I barking up the right tree here?
Any help much appreciated
TIA
Kev
12-18-2002 09:32 AM
Idle timeout for outbound traffic is already available as a new feature in IOS 12.2(4)T and above. Here is the complete URL explaining "Customer Profile Idle Timer Enhancements for Interesting Traffic", along with configuration:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftprfidl.htm
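For anyone landing on this thread later, here is a worked hub-side configuration that puts the two posts together. It is an added example, not code from either poster or from the Cisco document linked above. It assumes the 12.2(4)T `dialer idle-timeout seconds [inbound | either]` syntax that the feature description covers (with `either` meaning interesting traffic in both directions resets the timer, `inbound` meaning inbound only, and no keyword meaning outbound only), and the interface names, addressing and dialer pool are placeholders. The application port 1347 is the one the question mentions.

```cisco
! Added worked configuration for the central-site 3640 (not from the posts).
! Addresses, interface names and the dialer pool are placeholders.
!
! Dial-control policy: only help-desk tools may place a (chargeable) call.
! Packets that do not match list 101 still ride an existing call, but can
! never bring one up, so the ACL is the control on who can run up ISDN cost.
access-list 101 remark --- may initiate an outbound call ---
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any eq 1503
access-list 101 permit tcp any any eq 23
access-list 101 permit udp any any eq 69
access-list 101 permit icmp any any
! Branch application traffic that should keep a branch-initiated call alive.
! This entry matches only packets addressed TO the hub LAN: seen inbound it
! counts as interesting and resets the idle timer, but it is never routed out
! the dialer and therefore cannot trigger a call from the hub.
access-list 101 remark --- holds an inbound call up, cannot dial ---
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 1347
! Deliberately absent: "permit tcp 10.1.1.0 0.0.0.255 any established".
! Any stray ACK-bearing segment toward a branch prefix would match it and
! place a call, which is the unwanted dialling the question reports.
!
dialer-list 1 protocol ip list 101
!
interface Dialer0
 description hub side of the branch ISDN network (placeholder addressing)
 ip address 10.10.10.1 255.255.255.0
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ! Direction keyword per the 12.2(4)T feature in the reply above (assumed
 ! syntax): "either" lets the 1347 entry hold a branch-initiated call open
 ! while the help-desk entries still hold a hub-initiated one. With
 ! "inbound" the help-desk sessions would time out after 30 s; with no
 ! keyword (outbound only) the branch-initiated calls would.
 dialer idle-timeout 30 either
 ppp authentication chap
```

The point worth keeping in mind is that the dialer-list decides two things at once, which traffic may dial and which traffic resets the idle timer, so entries added only to keep inbound calls up should be written so that they can never be routed out the dialer, as the hub-bound `eq 1347` line above is.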