Difference between configuring the "ip access-group" on interface Dialer an

Unanswered Question
Mar 28th, 2003

In the following configuration,


*****

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NCR-shibuya
!
logging buffered 400000 informational
enable password xxx
!
username xxx password 0 xxx
ip subnet-zero
no ip source-route
!
no ip domain lookup
!
isdn switch-type ntt
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address x.x.x.x
!
crypto ipsec transform-set isdn esp-des esp-sha-hmac
!
crypto map enc 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set isdn
 match address 150
!
interface BRI0
 no ip address
 ip access-group 110 in
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type ntt
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.30 255.255.255.224
 speed auto
 no cdp enable
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1492
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 0 xxx
 ppp pap sent-username [email protected] password 0 xxx
 crypto map enc
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
access-list 110 permit ip host x.x.x.x host y.y.y.y
access-list 150 permit ip host y.y.y.y host x.x.x.x
access-list 150 permit ip 192.168.0.0 0.0.0.31 10.116.3.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.31 10.116.2.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.31 10.116.4.192 0.0.0.63
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
snmp-server host 10.116.2.216 public
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 login local
!
end

*****


We configure "access-list 110" to permit the ESP and ISAKMP packets between the IPSec end points and then apply this "access-list 110" to interface Dialer0 with "ip access-group 110 in" so that they pass through interface Dialer0.

"access-list 110 permit ip host x.x.x.x host y.y.y.y" means:

x.x.x.x : IP address of the remote IPSec router (remote IPSec tunnel end point IP address)
y.y.y.y : IP address of our own IPSec tunnel end point

When we apply "access-list 110" to interface Dialer0 with "ip access-group 110 in", this "access-list 110" does not work. That is, we cannot do IPSec communication between the two IPSec routers.

However, if we remove "ip access-group 110 in" from interface Dialer0 and configure "ip access-group 110 in" on interface BRI0 instead, this "access-list 110" works fine. That is, we can do IPSec communication well. The above configuration is for this case.

My question is:

In this configuration (using interface Dialer0), must we configure the "ip access-group" on the real interface (int BRI0), not the logical interface (int Dialer0), although the "crypto map" is configured on the logical interface (int Dialer0), not the real interface (int BRI0)?

If so, is this normal behavior, a restriction, or a bug?

Any comments would be appreciated.

afakhan Fri, 03/28/2003 - 13:08

Hi,

Interface Dialer0 is where your access-list should be applied; the BRI interface doesn't have any IP address associated with it.

If you can still get your tunnel up, but data doesn't pass when you apply the above ACL on the D0 interface, then make sure that you permit the local LANs also in ACL #110, because IPSec packets are subject to double ACL checking (before decryption/after decryption) on the receiving crypto router.

Thx

Afaq
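The double ACL check described in the answer above, as an added example that is not part of the original thread and is not IOS code: a small Python model of an inbound ACL evaluated on the encrypted packet and again on the decrypted one, showing why the posted "access-list 110" passes the ESP packet but drops the cleartext LAN traffic after decryption until the remote LANs are added. RFC 5737 documentation addresses stand in for x.x.x.x and y.y.y.y; the LAN ranges are the ones from ACL 150 in the posted config.

```python
import ipaddress

# Constructed model (not IOS code) of the "double ACL checking" the answer
# describes: an inbound packet on the crypto interface is checked once while
# still encrypted (outer ESP header, peer -> local endpoint) and again after
# decryption (inner cleartext header, remote LAN -> local LAN).
# RFC 5737 documentation addresses stand in for x.x.x.x / y.y.y.y.
REMOTE_PEER, LOCAL_PEER = "203.0.113.1", "198.51.100.2"

def _take_addr(tok):
    """Consume one ACL address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    base, wc = int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))
    # contiguous wildcard 0.0.0.31 -> /27; host bits are cleared before building
    return ipaddress.ip_network((base & ~wc & 0xFFFFFFFF, 32 - wc.bit_length())), tok[2:]

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST' -> (action, proto, src_net, dst_net)."""
    tok = line.split()
    src, rest = _take_addr(tok[4:])
    dst, _ = _take_addr(rest)
    return tok[2], tok[3], src, dst

def acl_permits(acl, proto, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in map(parse_ace, acl):
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False

def crypto_inbound(acl, outer, inner):
    """Return (outer_ok, inner_ok); the inner check only runs if the outer passed."""
    outer_ok = acl_permits(acl, *outer)
    return outer_ok, outer_ok and acl_permits(acl, *inner)

# ACL 110 exactly as posted: only the tunnel endpoints are permitted.
ACL_110_AS_POSTED = [f"access-list 110 permit ip host {REMOTE_PEER} host {LOCAL_PEER}"]
# Adding remote LANs -> local LAN (the mirror of ACL 150) covers the post-decryption check.
ACL_110_FIXED = ACL_110_AS_POSTED + [
    "access-list 110 permit ip 10.116.2.0 0.0.0.255 192.168.0.0 0.0.0.31",
    "access-list 110 permit ip 10.116.3.0 0.0.0.255 192.168.0.0 0.0.0.31",
    "access-list 110 permit ip 10.116.4.192 0.0.0.63 192.168.0.0 0.0.0.31",
]
ESP_OUTER = ("esp", REMOTE_PEER, LOCAL_PEER)    # encrypted packet as it arrives
INNER = ("ip", "10.116.2.216", "192.168.0.30")  # constructed: SNMP host -> router LAN address

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_110_AS_POSTED), ("with LANs", ACL_110_FIXED)):
        print(name, crypto_inbound(acl, ESP_OUTER, INNER))
```

The model only covers the ACL evaluation order; whether the ACL is honoured on Dialer0 versus BRI0 is the platform question the thread leaves open.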
