06-28-2002 02:29 PM - edited 03-01-2019 11:15 PM
I need to know if it's possible to know which host of the internal network opens a dial-in call to the ISP and connects the router to the Internet. The config is:
interface Ethernet0
ip address 192.168.0.249 255.255.255.0
no ip directed-broadcast
ip nat inside
load-interval 30
no cdp enable
!
interface Dialer10
ip address 10.3.3.254 255.255.255.0
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer remote-name xxx
dialer pool 10
dialer string 1xxxxxxxx
dialer-group 5
pulse-time 0
no cdp enable
ppp authentication chap
ppp chap hostname cdfgvhg
!
dialer-list 5 protocol ip list 110
!
ip nat inside source list 110 interface Dialer9 overload
!
access-list 105 permit ip 192.168.0.0 0.0.0.255 any log
access-list 110 permit ip 192.168.0.0 0.0.0.255 any log
!
I have activated a syslog and the "debug dialer" command, but the output looks like this:
May 7 09:57:06.378: BRI0 DDR: rotor dialout [priority]
May 7 09:57:06.382: BRI0 DDR: Dialing cause ip (s=10.3.3.254, d=10.3.3.3)
May 7 09:57:06.386: BRI0 DDR: Attempting to dial 12345678
May 7 11:57:06: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 64 changed to up
May 7 09:57:06.602: BRI0: wait for isdn carrier timeout, call id=0x8001
May 7 09:57:06.606: BRI0 DDR: Attempting to dial 1xxxxxx
May 7 11:57:09: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
May 7 09:57:09.330: BRI0:1: interface must be fifo queue, force fifo
May 7 11:57:09: %DIALER-6-BIND: Interface BRI0:1 bound to profile Dialer9
May 7 09:57:09.454: BRI0:1 DDR: dialer protocol up
May 7 11:57:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
It seems like address translation is performed before the establishment of the connection with the ISP. In this way I cannot know the IP address of the internal host, but I have to find it in order to stop undesired connections. Can you help me?
06-28-2002 02:29 PM
Enable "debug dialer" and "debug ip nat", and prior to the dialer debug output you will see the NAT translation debug with the inside address. However, the NAT debug will be too chatty to be effective (you get a lot more than you need).
It would be best if you could identify in advance who you want to have dialout and who you don't, and configure your access-lists accordingly.
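Added example, not part of the original thread: a small Python filter that cuts through the chatty combined debug output by pairing each "Dialing cause" line with the NAT translation logged just before it, which recovers the inside host. The dialer line shape is taken from the question; the NAT line shape (`NAT: s=inside->global, d=dest [id]`) is assumed from standard `debug ip nat` output, and the sample NAT lines and host addresses are constructed.

```python
import re

# Assumed shape of "debug ip nat" lines: NAT: s=<inside>-><global>, d=<dest> [id]
NAT_RE = re.compile(r"NAT\*?: s=(?P<inside>[\d.]+)->(?P<global>[\d.]+), d=(?P<dst>[\d.]+)")
# Shape of the "debug dialer" trigger line, as shown in the question.
DIAL_RE = re.compile(r"DDR: Dialing cause ip \(s=(?P<src>[\d.]+), d=(?P<dst>[\d.]+)\)")

def find_dial_triggers(lines, lookback=20):
    """Return one dict per dial event, with the inside host that caused it (or None)."""
    recent = []   # most recent outbound translations: (inside, global, dst)
    events = []
    for line in lines:
        m = NAT_RE.search(line)
        if m:
            recent.append((m["inside"], m["global"], m["dst"]))
            del recent[:-lookback]          # keep only the last `lookback` entries
            continue
        m = DIAL_RE.search(line)
        if m:
            inside = None
            # Walk backwards to the newest translation matching the dialing packet.
            for ins, glob, dst in reversed(recent):
                if glob == m["src"] and dst == m["dst"]:
                    inside = ins
                    break
            events.append({"inside": inside, "translated": m["src"], "dst": m["dst"]})
    return events

# Constructed sample: NAT lines and inside hosts are invented for illustration.
SAMPLE_LOG = """\
May 7 09:57:06.370: NAT: s=192.168.0.17->10.3.3.254, d=10.3.3.3 [4021]
May 7 09:57:06.378: BRI0 DDR: rotor dialout [priority]
May 7 09:57:06.382: BRI0 DDR: Dialing cause ip (s=10.3.3.254, d=10.3.3.3)
May 7 09:57:06.386: BRI0 DDR: Attempting to dial 12345678
May 7 10:41:12.101: NAT: s=192.168.0.40->10.3.3.254, d=10.3.3.9 [77]
May 7 10:41:12.110: BRI0 DDR: Dialing cause ip (s=10.3.3.254, d=10.3.3.9)
"""

if __name__ == "__main__":
    for ev in find_dial_triggers(SAMPLE_LOG.splitlines()):
        print(f"dial to reach {ev['dst']} triggered by inside host {ev['inside']}")
```

A result of `None` for the inside host means no matching translation was logged before the dial, for example when the triggering packet was not translated.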