11-06-2002 08:16 AM - edited 03-02-2019 02:41 AM
I've got a customer using a 3660 connecting to 11 sites using a combination of point to point and frame-relay connections. Each of the remote sites has a router installed with a WIC-T1, and an ISDN module to be used for backup.
My goal is to have the remote site dial the PRI plugged into the NM-1CT1 channelized PRI network module of the 3660 when its primary WAN connection fails, and then have the 3660 initiate a call back to the remote site for security purposes. We need to run 3DES across this as well.
If anyone has seen a config similar to this on CCO, or happened to have done something similar themselves, your input would be appreciated.
Bob
11-06-2002 08:52 AM
On the PRI side,
username Remote1 password cisco
username Remote2 password cisco
username Remote3 password cisco
username Remote4 password cisco
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Serial0:23
 ! this will save you IP addresses
 ip unnumbered fa0/0
 encapsulation ppp
 no ip route-cache
 dialer idle-timeout 3600
 dialer-group 1
 isdn switch-type <>i
 isdn incoming-voice modem
 ! this accepts a callback request
 ppp callback accept
 ppp authentication chap
 ppp chap hostname HQ
 ppp chap password xxx
 ppp multilink
On the remote side.
username HQ password xxx
!
interface BRI0
 ! this will save you IP addresses
 ip unnumbered Ethernet0
 no ip directed-broadcast
 encapsulation ppp
 isdn spid1
 isdn spid2
 ! set to a higher value
 dialer idle-timeout xxx
 dialer string
 dialer-group 1
 ! requests callback
 ppp callback request
 ppp authentication chap
 ppp chap hostname Remote1
 ppp chap password cisco
!
ip route 0.0.0.0 0.0.0.0 BRI0
Also, you can additionally use a routing protocol such as EIGRP for routing over FR and ISDN. This might help!
11-06-2002 09:40 AM
Thanks for the input. It looks easy enough, but how's it going to know which number to call? I've got 11 sites that could be coming in. Does the ppp callback request send this information to the 3660?
I'm running static routes at all locations, so will be using a weighted route for the ISDN connection.
I assume adding encryption will be just a matter of applying the crypto map to the BRI interface at the remotes and all channels of the PRI at the core.
All great info. Thanks for your input!
Bob
11-06-2002 10:22 AM
One way to do it is to use dialer maps for each remote site, with the call back string in it, mapped to the corresponding IP address of the remote site.
Another way to do this is to use AAA for ISDN authentication, and configure the call back string in the AAA configuration file.
A sample Freeware TACACS+ configuration would look like this:
user = Remote1
{
    default service = permit
    login = cleartext "cisco"
    chap = cleartext "cisco"
    service = ppp protocol = lcp
    {
        callback-dialstring = "xxxxxxxxx"
        send-secret = "cisco"
    }
}
You can enable ISDN authentication requests to be sent to a TACACS or RADIUS server using AAA.
! enables AAA
aaa new-model
aaa authentication ppp ISDN_AUTH group tacacs+
int s0:23
 ppp authentication chap ISDN_AUTH
tacacs-server host
tacacs-server key
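An offline check for the HQ-side callback settings discussed in the posts above, added here as an example; it is not code from any poster or from Cisco. It assumes an indented IOS config and uses the IOS commands `dialer callback-secure` and `dialer callback-server username`, which the thread does not mention; `sections`, `audit` and `SAMPLE_HQ` are hypothetical names.

```python
import re
from collections import defaultdict
# Constructed input: HQ-side lines from the thread, re-indented and abridged.
SAMPLE_HQ = """\
username Remote1 password cisco
username Remote2 password cisco
interface Serial0:23
 ppp callback accept
 ppp authentication chap
"""

def sections(config):
    # Group indented lines under the interface/map-class line above them.
    out, current = defaultdict(list), "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"(interface|map-class dialer)\s", line, re.I):
            current = line.lower()
            out[current] = []
        elif raw[0].isspace() and current != "global":
            out[current].append(line.lower())
        else:                       # unindented line: back to global config
            current = "global"
            out["global"].append(line)
    return out

def audit(config):
    # Return (scope, finding) pairs for interfaces that accept PPP callback.
    sec, findings = sections(config), []
    servers = {name.split()[-1] for name, body in sec.items()
               if name.startswith("map-class") and "dialer callback-server username" in body}
    for name, body in sec.items():
        if not name.startswith("interface") or "ppp callback accept" not in body:
            continue
        if not any(l.startswith("ppp authentication") for l in body):
            findings.append((name, "callback accepted without PPP authentication"))
        if "dialer callback-secure" not in body:
            findings.append((name, "no dialer callback-secure: unauthorized callers keep the inbound call"))
        classes = re.findall(r"^dialer map .*\bclass (\S+)", "\n".join(body), re.M)
        if not servers.intersection(classes):
            findings.append((name, "no local callback dialer map: number must come from AAA"))
    secrets = defaultdict(list)     # password -> usernames that share it
    for line in sec["global"]:
        m = re.match(r"username (\S+) password (?:\d+ )?(\S+)", line, re.I)
        if m:
            secrets[m.group(2)].append(m.group(1))
    return findings + [("global", "shared CHAP secret: " + ", ".join(u))
                       for u in secrets.values() if len(u) > 1]
```

The third finding is informational when the callback number is supplied by TACACS+ or RADIUS, as in the second option described above.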
11-06-2002 12:11 PM
If I set up the dialer map, I still don't think I will have any way of knowing who is dialing in initially. To keep authentication local to the router though, I did a little digging and came up with the commands...
user
user
user
I'm thinking that I should be able to use some combination of these commands to get my dial-back talking to the correct router and using the PRI for the outbound calls. I've not used these particular switches on the user command though and don't know if they would really work for what I want. I'll do a little more digging on my end to see if their use here would be appropriate, and any input you might have would be appreciated as well.