09-09-2009 06:21 AM
Hello,
Is there any way to permit only some IPs to initiate the ISDN call?
I have two internet connections, one through VSAT and the other using ISDN.
I just want to allow a few people to use ISDN when the VSAT connection is down.
Below is my configuration.
I can't get connected when I use dialer-group 2 in the BRI interface.
Any way to solve this?
Thank you
interface FastEthernet0/0
description Connected_to_VSAT
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Connected_to_LAN
ip address 192.168.6.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0/0/0
description Connected_to_ISDN
bandwidth 64
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer idle-timeout 180
dialer string "67#"
dialer-group 2
isdn switch-type vn3
isdn point-to-point-setup
ppp authentication pap callin
ppp pap sent-username abcdef password 0 abcdef
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 BRI0/0/0 200
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 11 interface BRI0/0/0 overload
!
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 11 permit 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.6.32 0.0.0.8 any
dialer-list 2 protocol ip list 101
dialer-list 1 protocol ip permit
09-09-2009 07:08 AM
Ye
The problem with dialer-group 2 is the mask used in access list 101 (permit ip 192.168.6.32 0.0.0.8). With this mask there are only 2 addresses that are permitted (and these are 192.168.6.32 and 192.168.6.40). Unless you are testing from one of these addresses you will not be able to initiate calls on the BRI. I am not sure who you want to permit and so cannot suggest what mask would be appropriate.
There is some ambiguity in your question. At first you say: "only some IP can initiate the ISDN call" but then you say: "I just want to allow a few people to use isdn". The dialer group will control who can initiate the BRI (and satisfy your first requirement). But once the BRI is up, then anyone can use it. If you really mean that only a few people can use the ISDN, then dialer group is not the mechanism that you need to use. To really control who can use the BRI you need an outbound access list on the BRI interface which will permit only the addresses that you specify.
HTH
Rick
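Added example, not part of the original thread: a small Python check of the wildcard-mask arithmetic in the answer above, listing exactly which source addresses an entry such as "192.168.6.32 0.0.0.8" matches compared with "0.0.0.7". The function names are hypothetical; the addresses and masks are the ones posted in the thread.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard (1 bits = don't care)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def matched_hosts(base, wildcard, max_bits=12):
    """List every address the entry matches by filling the don't-care bits."""
    w = _to_int(wildcard)
    bits = [i for i in range(32) if (w >> i) & 1]
    if len(bits) > max_bits:
        raise ValueError("too many don't-care bits to enumerate")
    fixed = _to_int(base) & ~w & 0xFFFFFFFF
    values = []
    for combo in range(1 << len(bits)):
        value = fixed
        for n, bit in enumerate(bits):
            if (combo >> n) & 1:
                value |= 1 << bit
        values.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(values)]


def is_contiguous(wildcard):
    """A wildcard describes one address block only if its 1 bits run
    unbroken from bit 0, i.e. wildcard + 1 is a power of two."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    for wc in ("0.0.0.8", "0.0.0.7"):
        hosts = matched_hosts("192.168.6.32", wc)
        print(wc, "contiguous" if is_contiguous(wc) else "NOT contiguous",
              len(hosts), "addresses:", ", ".join(hosts))
```

Running `is_contiguous` over the wildcard of each ACL entry before applying it catches typos like 0.0.0.8 that silently narrow a permit to scattered hosts.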
09-09-2009 07:41 AM
Thank you so much Rick,
I didn't really know everyone can use it when the BRI is up.
Actually I only want some IPs (people) to access through the ISDN line.
Would this work, Rick?
interface BRI0/0/0
ip access-group 101 out
dialer-group 2
access-list 101 permit ip 192.168.6.32 0.0.0.7 any
dialer-list 2 protocol ip list 101
Thanks & regards
Ye
09-09-2009 08:41 AM
Ye
Yes what you have posted should work. Access list 101 will be used for both control of what can bring up the interface (dialer-list) and will also control who can send packets over the interface (access-group).
It is sometimes not well understood but it is true that the dialer-group/dialer-list only controls what will bring up the ISDN (and what interesting traffic will reset the inactivity timer). But once the ISDN is up and active then anyone can use it if there is no access-list/access-group on the interface.
HTH
Rick
09-09-2009 07:12 PM
Hi Rick
It's working to control initiating the ISDN call with the ACL.
But when I apply any ACL on BRI outbound, I can't surf the internet even though the BRI is up.
Here's my complete configuration.
I tried a few ACLs on BRI but still can't accomplish it.
ip sla monitor 2
type echo protocol ipIcmpEcho 4.2.2.1 source-interface FastEthernet0/0
timeout 1000
threshold 300
frequency 10
ip sla monitor schedule 2 life forever start-time now
!
isdn switch-type vn3
!
track 102 rtr 2 reachability
!
interface FastEthernet0/0
description Connected_to_VSAT
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no keepalive
!
interface FastEthernet0/1
description Connected_to_LAN
ip address 192.168.6.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0/0/0
description Connected_to_ISDN
bandwidth 64
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer idle-timeout 180
dialer string "67#"
dialer-group 20
isdn switch-type vn3
isdn point-to-point-setup
ppp authentication pap callin
ppp pap sent-username test password 0 test
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 102
ip route 0.0.0.0 0.0.0.0 BRI0/0/0 250
!
ip nat inside source route-map fleet interface BRI0/0/0 overload
ip nat inside source route-map vsat interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 11 permit 192.168.6.32 0.0.0.7
access-list 101 deny udp 192.168.6.0 0.0.0.255 any eq domain
access-list 101 permit ip 192.168.6.32 0.0.0.7 any
access-list 133 permit ip host 192.168.6.32 any
access-list 133 permit ip host 192.168.6.39 any
access-list 150 permit tcp 192.168.6.32 0.0.0.7 any eq www
access-list 150 permit udp 192.168.6.32 0.0.0.7 any
access-list 150 permit ip 192.168.6.32 0.0.0.7 any
access-list 150 permit tcp any 192.168.6.32 0.0.0.7 eq www
access-list 150 permit udp any 192.168.6.32 0.0.0.7
access-list 150 permit ip any 192.168.6.32 0.0.0.7
dialer-list 1 protocol ip permit
dialer-list 20 protocol ip list 101
!
route-map vsat permit 10
match ip address 10
match interface FastEthernet0/0
!
route-map fleet permit 10
match ip address 10
match interface BRI0/0/0
Best regards
Ye
09-10-2009 04:14 AM
Ye
I have a couple of questions to try to understand the situation better:
- You say you cannot surf the Internet when you apply an access list to the BRI. If you remove the access list, is surfing the Internet successful?
- In your previous post you were using an extended access list with permit ip 192.168.6.32 0.0.0.7 any. Does the behavior change if you make it a standard access list instead of extended? Something like permit 192.168.6.32 0.0.0.7?
HTH
Rick