
access list on ISDN

yelynntun
Level 1

Hello,

Is there any way to permit only some IPs to initiate the ISDN call?

I've two internet connections, one through VSAT and the other using ISDN.

I just want to allow a few people to use ISDN when the VSAT connection is down.

Below is my configuration.

I can't get connected when I use dialer-group 2 in the BRI interface.

Any way to solve this?

Thank you

interface FastEthernet0/0
 description Connected_to_VSAT
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Connected_to_LAN
 ip address 192.168.6.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BRI0/0/0
 description Connected_to_ISDN
 bandwidth 64
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer idle-timeout 180
 dialer string "67#"
 dialer-group 2
 isdn switch-type vn3
 isdn point-to-point-setup
 ppp authentication pap callin
 ppp pap sent-username abcdef password 0 abcdef
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 BRI0/0/0 200
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 11 interface BRI0/0/0 overload
!
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 11 permit 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.6.32 0.0.0.8 any
dialer-list 2 protocol ip list 101
dialer-list 1 protocol ip permit

Accepted Solution

Richard Burts
Hall of Fame

Ye

The problem with dialer-group 2 is the mask used in access list 101 (permit ip 192.168.6.32 0.0.0.8). With this mask there are only 2 addresses that are permitted (192.168.6.32 and 192.168.6.40). Unless you are testing from one of these addresses you will not be able to initiate calls on the BRI. I am not sure who you want to permit and so cannot suggest what mask would be appropriate.

There is some ambiguity in your question. At first you say: "only some IP can initiate the ISDN call", but then you say: "I just want to allow a few people to use isdn". The dialer group will control who can initiate the BRI (and satisfy your first requirement). But once the BRI is up, then anyone can use it. If you really mean that only a few people can use the ISDN, then dialer group is not the mechanism that you need to use. To really control who can use the BRI you need an outbound access list on the BRI interface which will permit only the addresses that you specify.

HTH

Rick
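To see why the wildcard mask decides who can dial, here is an added Python check (not part of the thread) that expands a Cisco wildcard into every source address an ACL entry covers; it shows 192.168.6.32 0.0.0.8 matching only .32 and .40, while 0.0.0.7 matches .32 through .39. The sample LAN host list is constructed.

```python
import ipaddress
from itertools import product

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_matches(base: str, wildcard: str, host: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(host) & care) == (ip_int(base) & care)

def permitted_addresses(base: str, wildcard: str) -> list:
    """Expand 'permit ip BASE WILDCARD any' into every source address it covers.
    Handles non-contiguous wildcards such as 0.0.0.8, not only /n-style masks."""
    b, w = ip_int(base), ip_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    fixed = b & (0xFFFFFFFF ^ w)            # bits the ACL insists on
    addrs = []
    for choice in product((0, 1), repeat=len(free_bits)):
        value = fixed
        for bit, pos in zip(choice, free_bits):
            value |= bit << pos
        addrs.append(str(ipaddress.IPv4Address(value)))
    return sorted(addrs, key=ip_int)

def hosts_that_can_dial(base: str, wildcard: str, hosts: list) -> list:
    """Which of the given LAN hosts would satisfy dialer-list 2 via ACL 101."""
    return [h for h in hosts if wildcard_matches(base, wildcard, h)]

if __name__ == "__main__":
    lan = ["192.168.6.%d" % n for n in range(30, 42)]   # constructed sample hosts
    for mask in ("0.0.0.8", "0.0.0.7"):
        print(mask, permitted_addresses("192.168.6.32", mask))
        print("  can dial:", hosts_that_can_dial("192.168.6.32", mask, lan))
```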


Thank you so much Rick,

I didn't really know everyone can use it when the BRI is up.

Actually I only want some IPs (people) to access through the ISDN line.

Would this work, Rick?

interface BRI0/0/0
 ip access-group 101 out
 dialer-group 2

access-list 101 permit ip 192.168.6.32 0.0.0.7 any
dialer-list 2 protocol ip list 101

Thanks & regards

Ye

Ye

Yes, what you have posted should work. Access list 101 will be used both to control what can bring up the interface (dialer-list) and to control who can send packets over the interface (access-group).

It is sometimes not well understood but it is true that the dialer-group/dialer-list only controls what will bring up the ISDN (and what interesting traffic will reset the inactivity timer). But once the ISDN is up and active then anyone can use it if there is no access-list/access-group on the interface.

HTH

Rick

Hi Rick

Controlling who can initiate the ISDN call with the ACL is working.

But when I apply any ACL outbound on the BRI, I can't surf the internet even though the BRI is up.

Here's my complete configuration.

I tried a few ACLs on the BRI but still can't accomplish it.

ip sla monitor 2
 type echo protocol ipIcmpEcho 4.2.2.1 source-interface FastEthernet0/0
 timeout 1000
 threshold 300
 frequency 10
ip sla monitor schedule 2 life forever start-time now
!
isdn switch-type vn3
!
track 102 rtr 2 reachability
!
interface FastEthernet0/0
 description Connected_to_VSAT
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 description Connected_to_LAN
 ip address 192.168.6.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BRI0/0/0
 description Connected_to_ISDN
 bandwidth 64
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer idle-timeout 180
 dialer string "67#"
 dialer-group 20
 isdn switch-type vn3
 isdn point-to-point-setup
 ppp authentication pap callin
 ppp pap sent-username test password 0 test
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 102
ip route 0.0.0.0 0.0.0.0 BRI0/0/0 250
!
ip nat inside source route-map fleet interface BRI0/0/0 overload
ip nat inside source route-map vsat interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 11 permit 192.168.6.32 0.0.0.7
access-list 101 deny udp 192.168.6.0 0.0.0.255 any eq domain
access-list 101 permit ip 192.168.6.32 0.0.0.7 any
access-list 133 permit ip host 192.168.6.32 any
access-list 133 permit ip host 192.168.6.39 any
access-list 150 permit tcp 192.168.6.32 0.0.0.7 any eq www
access-list 150 permit udp 192.168.6.32 0.0.0.7 any
access-list 150 permit ip 192.168.6.32 0.0.0.7 any
access-list 150 permit tcp any 192.168.6.32 0.0.0.7 eq www
access-list 150 permit udp any 192.168.6.32 0.0.0.7
access-list 150 permit ip any 192.168.6.32 0.0.0.7
dialer-list 1 protocol ip permit
dialer-list 20 protocol ip list 101
!
route-map vsat permit 10
 match ip address 10
 match interface FastEthernet0/0
!
route-map fleet permit 10
 match ip address 10
 match interface BRI0/0/0

Best regards

Ye
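As an added example (not from the thread), this Python toy model reproduces Rick's point that the dialer-list only gates call set-up while an outbound access-group filters every packet, and it also applies IOS's documented inside-to-outside order of operations, in which NAT on the "ip nat outside" BRI rewrites the source address before the outbound ACL is checked, which is consistent with the symptom Ye describes. The NAT address 198.51.100.7 and the sample hosts are constructed; the ACL 101 entries are the ones from the posted configurations.

```python
import ipaddress

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def acl_permits(acl, src: str) -> bool:
    """First-match evaluation of (action, base, wildcard) entries; implicit deny at the end."""
    for action, base, wildcard in acl:
        care = 0xFFFFFFFF ^ ip_int(wildcard)
        if ip_int(src) & care == ip_int(base) & care:
            return action == "permit"
    return False

# ACL 101 as first posted (wildcard 0.0.0.8) and as corrected in the follow-up (0.0.0.7);
# protocol and destination are ignored because every entry is '... ip <src> any'.
ACL_101_ORIGINAL = [("permit", "192.168.6.32", "0.0.0.8")]
ACL_101_FIXED = [("permit", "192.168.6.32", "0.0.0.7")]

class BriModel:
    """Toy BRI0/0/0: the dialer-group ACL decides whether a packet may place the call;
    NAT overload then rewrites the source; an outbound access-group, if present, is
    evaluated on the already translated packet (IOS inside-to-outside order)."""

    def __init__(self, dialer_acl, access_group=None, nat_addr="198.51.100.7"):
        self.dialer_acl = dialer_acl
        self.access_group = access_group
        self.nat_addr = nat_addr   # constructed stand-in for the negotiated BRI address
        self.up = False

    def send(self, src: str) -> str:
        if not self.up:
            if not acl_permits(self.dialer_acl, src):
                return "dropped: not interesting, line stays down"
            self.up = True         # interesting traffic placed the call
        translated = self.nat_addr # ip nat inside source ... interface BRI0/0/0 overload
        if self.access_group is not None and not acl_permits(self.access_group, translated):
            return "dropped: access-group out sees the translated source"
        return "sent as " + translated

def scenario_dialer_group_only():
    """Rick's point: once .40 has brought the line up, .100 rides on it too."""
    bri = BriModel(ACL_101_ORIGINAL)
    return [bri.send("192.168.6.33"), bri.send("192.168.6.40"), bri.send("192.168.6.100")]

def scenario_access_group_out():
    """Ye's observation: with ACL 101 applied outbound nothing gets through, even with the line up."""
    bri = BriModel(ACL_101_FIXED, access_group=ACL_101_FIXED)
    return [bri.send("192.168.6.33"), bri.up]
```

Because the outbound ACL is evaluated on the translated packet, a filter keyed on 192.168.6.x sources has to act before translation (for example inbound on FastEthernet0/1, or through the NAT source list itself); that follows from the order of operations and is not something the thread states.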

Ye

I have a couple of questions to try to understand the situation better:

- You say you cannot surf the Internet when you apply an access list to the BRI. If you remove the access list, is surfing the Internet successful?

- In your previous post you were using an extended access list with permit ip 192.168.6.32 0.0.0.7 any. Does the behavior change if you make it a standard access list instead of extended? Something like permit 192.168.6.32 0.0.0.7?

HTH

Rick