12-28-2003 02:53 AM - edited 03-02-2019 12:34 PM
12-28-2003 10:02 AM
Hello,
Can you post the configuration of the ISDN router that connects automatically? It could be a routing protocol (like OSPF) causing interesting traffic to bring up the link... hard to say. Do a debug dialer events to see what causes the link to come up.
Regards,
Georg
12-28-2003 09:35 PM
Sorry for not posting the config. Here is the config:
hostname immexrtr
!
enable secret 5 $1$XqtN$nedhsBKJzE6/WLNI6ETMe0
!
ip subnet-zero
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 192.168.10.110 255.255.255.0
ip nat inside
no cdp enable
interface BRI0
no ip address
encapsulation ppp
no keepalive
dialer pool-member 1
isdn switch-type basic-net3
no fair-queue
no cdp enable
ppp authentication pap callin
!
interface Dialer1
description CONNECTION TO INTERNET
ip address negotiated
ip nat outside
encapsulation ppp
no keepalive
dialer pool 1
dialer idle-timeout 5
dialer string xxxxxx
dialer hold-queue 90
dialer-group 1
no fair-queue
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxx password xxxxxxx
!
ip nat inside source list 100 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
12-28-2003 10:38 PM
With this configuration, any IP packet routed to the dialer interface will trigger. Are you sure there's no incoming traffic to e0?
12-28-2003 11:13 PM
Yes, I am sure, since I have a firewall connected behind it and the PC has the gateway of the firewall. So when they connect to their browser, the router connects. But when the browser is closed, even then the line comes up automatically. I mean to say, since there is no internet activity there should be no traffic.
Is there any way to stop this situation, since our internet access is very expensive?
The firewall config is below:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx
passwd xxx
hostname immexfw
domain-name immexcourier.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.250 255.255.255.0
ip address inside 192.168.0.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.10.110 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxx
immexfw#
12-28-2003 11:35 PM
If your main traffic for the internet is web, you can try to use a more specific dialer-list. For example
dialer-list 1 protocol ip list 101
access-list 101 permit tcp any any eq www
This way you can understand whether another type of traffic is triggering the dialer or not.
Regards.
12-28-2003 11:44 PM
My main traffic will be web and mails from Exchange,
so what will be my access-list for web and mails?
So shall I change my
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
thanks
12-28-2003 11:54 PM
You can use the dialer-list above for a test or (I'm assuming the Exchange server is at your site) extend the access list:
access-list 101 permit tcp any any eq www
access-list 101 permit ip host X.X.X.X any
X.X.X.X: your Exchange server.
With this ACL, any traffic to port 80 or any traffic originating from your Exchange server will trigger the dialer.
Regards.
12-29-2003 12:29 AM
Now my access list has become:
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit ip host 192.168.0.250 any
dialer-list 1 protocol ip permit
Is it right?
If I change
dialer-list 1 protocol ip list 101
my router disconnects and doesn't come up even if I try to browse the net.
12-29-2003 12:41 AM
The dialer-list statement certainly should be changed; this way you can differentiate the interesting traffic. Apply dialer-list 1 protocol ip list 101 and use the "debug dialer events" and "debug dialer packets" commands to monitor dialer activity. You can send the output of these debugs.
Regards.
12-29-2003 01:29 AM
OK, I changed the dialer-list statement. As soon as I did, my internet connection disconnected and the router is not coming up. I am pasting the debug:
01:19:16: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)
01:19:17: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)
01:19:19: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)
01:19:21: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)
01:19:21: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)
01:19:22: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)
01:19:24: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)
01:19:25: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)
01:19:26: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)
12-29-2003 01:44 AM
Are these destinations (194.170.1.6 and 7) web destinations? I can't connect to port 80 on them (or do you know what application is running on these hosts?). Have you got debugs for a web destination?
12-29-2003 01:56 AM
194.170.1.6 & 7 are the DNS of the ISP. We normally connect to the internet through a proxy, http://proxy1.emirates.net.ae
but things work fine if I say
dialer-list 1 protocol ip permit
12-29-2003 02:08 AM
You're right, I hadn't thought about DNS. Let's modify the ACL:
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any any eq www
access-list 101 permit ip host X.X.X.X any
Could you try?
Best Regards.
12-29-2003 04:41 AM
Still not working.
My access-list is now:
access-list 101 permit tcp any any eq www
access-list 101 permit ip host 192.168.0.250 any
access-list 101 permit tcp any any eq domain
dialer-list 1 protocol ip list 101
Debug output is:
4:32:07: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)
04:32:14: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)
04:32:24: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)
04:32:28: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)
04:32:32: Di1 DDR: ip (s=217.165.5.152, d=195.229.240.67), 241 bytes, outgoing uninteresting (list 101)
04:32:34: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)
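Added example, not part of the original thread or of any Cisco tooling: a small Python script that rejoins the 80-column-wrapped "debug dialer packets" lines pasted above and totals them per source/destination pair, so it is easy to see which flows the dialer-list is classifying. The function names are hypothetical, the sample lines are copied from the thread, and the "interesting" form of the line is assumed to have the same shape as the "uninteresting" one shown.

```python
import re
from collections import Counter

# One DDR debug record, in the format pasted in this thread.
# Assumption: "interesting" records share the layout of "uninteresting" ones.
DDR_LINE = re.compile(
    r"(?P<time>\d{1,2}:\d{2}:\d{2}): (?P<intf>\S+) DDR: ip "
    r"\(s=(?P<src>[\d.]+), d=(?P<dst>[\d.]+)\), (?P<size>\d+) bytes, "
    r"outgoing (?P<verdict>uninteresting|interesting) \((?P<reason>[^)]*)\)"
)
TIMESTAMP = re.compile(r"\d{1,2}:\d{2}:\d{2}: ")

# Sample input: lines copied from the thread, still wrapped by the terminal.
SAMPLE = """\
04:32:14: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing u
ninteresting (list 101)
04:32:24: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing u
ninteresting (list 101)
04:32:32: Di1 DDR: ip (s=217.165.5.152, d=195.229.240.67), 241 bytes, outgoing u
ninteresting (list 101)
01:19:16: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing unin
teresting (list 101)
"""

def unwrap(raw):
    """Rejoin records that the terminal split mid-word at column 80."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)      # a new record starts with a timestamp
        else:
            records[-1] += line       # continuation: glue with no separator
    return records

def summarize(raw):
    """Return [((src, dst, verdict, reason), packets, bytes)], busiest first."""
    packets, octets = Counter(), Counter()
    for record in unwrap(raw):
        m = DDR_LINE.search(record)
        if not m:
            continue                  # ignore non-DDR debug lines
        key = (m["src"], m["dst"], m["verdict"], m["reason"])
        packets[key] += 1
        octets[key] += int(m["size"])
    return [(key, n, octets[key]) for key, n in packets.most_common()]

if __name__ == "__main__":
    for (src, dst, verdict, reason), n, size in summarize(SAMPLE):
        print(f"{src:>15} -> {dst:<15} {verdict:<13} ({reason}) {n} pkts, {size} bytes")
```

In the thread's output nearly every packet has source 192.168.10.250, which is the firewall's outside address (the PIX translates inside hosts with `global (outside) 1 interface`), so an ACL entry keyed on the inside address 192.168.0.250 is never matched at the router.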