restricting ISDN PRI Dial-up access to specific IP ranges

8c-stone · ‎03-16-2002

Customer is using Win 95 clients to dial-up (using iSDN) to multiple PRI's on 3660's. Only PAP is used, they wish to restrict access to devices not configured to belong to specific IP subnets.

Obviously access-lists will prevent data being sent to them, but I need to get the call to be rejected. Without, if at all possible using any add-ons to IP+ IOS.

Anybody any ideas?

zahmed · ‎03-17-2002

Your problem description is a bit vague. You want to disconnect a call which after connecting wants to access some device , which its not authorized to ? If this is what it is, I think your manual

intervention to disconnect such a call is the only way.

~Zulfi

brian-mcmahon · ‎03-18-2002

I was confused by your problem statement, too, but let me take a crack at it. (It's a slow night in the lab.)

First, I will make the sweeping assumption that your Win95 users are dialing in, either via modem or ISDN TA, from fixed locations (e.g., home office/remote office).

I will also make the (fairly safe) assumption that you're using PPP encapsulation on the link.

Now, you can't get what you're asking for. Your question deals with IP subnets; for all practical purposes, IP doesn't exist until after PPP's IPCP negotiation has completed -- in other words, you've already accepted the call and started to bring up the line before you even know that they want to run IP!

For that matter, let's take IP out of the picture. You can't do this based on PAP authentication, either, because you don't know *that* until you've accepted the call and started PPP negotiations.

It sounds like you're describing a security requirement. Perhaps the PPP callback feature would do the sort of thing you need?

If none of this helps, you'll have to re-state your requirements in more detail.

-- Brian