
ISDN connects automatically

shoebwk

Hello,

Can you post the configuration of the ISDN router that connects automatically? It could be a routing protocol (like OSPF) causing interesting traffic to bring up the link... hard to say. Do a debug dialer events to see what causes the link to come up.

Regards,

Georg

Sorry for not posting the config. Here is the config:

hostname immexrtr

!

enable secret 5 $1$XqtN$nedhsBKJzE6/WLNI6ETMe0

!

ip subnet-zero

!

no ip domain-lookup

isdn switch-type basic-net3

!

!

!

interface Ethernet0

ip address 192.168.10.110 255.255.255.0

ip nat inside

no cdp enable

interface BRI0

no ip address

encapsulation ppp

no keepalive

dialer pool-member 1

isdn switch-type basic-net3

no fair-queue

no cdp enable

ppp authentication pap callin

!

interface Dialer1

description CONNECTION TO INTERNET

ip address negotiated

ip nat outside

encapsulation ppp

no keepalive

dialer pool 1

dialer idle-timeout 5

dialer string xxxxxx

dialer hold-queue 90

dialer-group 1

no fair-queue

no cdp enable

ppp authentication pap callin

ppp pap sent-username xxxxx password xxxxxxx

!

ip nat inside source list 100 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

!

!

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

no cdp run

!

With this configuration, any IP packet routed to dialer interface will trigger. Are you sure there's no incoming traffic to e0?

Yes, I am sure, since I have a firewall connected behind it and the PC has the gateway of the firewall. So when they connect to their browser, the router connects. But when the browser is closed, even then the line comes up automatically; I mean to say, since there is no internet activity there should be no traffic.

Is there any way to stop this situation, since our internet access is very expensive?

The firewall config is below:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxx

passwd xxx

hostname immexfw

domain-name immexcourier.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

mtu outside 1500

mtu inside 1500

ip address outside 192.168.10.250 255.255.255.0

ip address inside 192.168.0.251 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.10.110 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxxx

immexfw#

If your main traffic for the internet is web, you can try to use a more specific dialer-list. For example

dialer-list 1 protocol ip list 101

access-list 101 permit tcp any any eq www

This way you can understand whether another type of traffic is triggering the dialer or not.

Regards.

My main traffic will be web and mails from Exchange.

So what will be my access-list for web and mails?

So shall I change my

access-list 100 permit ip any any

dialer-list 1 protocol ip permit

thanks

You can use the dialer-list above for a test or (I'm assuming the Exchange server is at your site) extend the access list:

access-list 101 permit tcp any any eq www

access-list 101 permit ip host X.X.X.X any

X.X.X.X:Your exchange server.

With this ACL, any traffic to a port 80 or any traffic originating from your exchange server will trigger the dialer.

Regards.

Now my access list has become

access-list 100 permit ip any any

access-list 101 permit tcp any any eq www

access-list 101 permit ip host 192.168.0.250 any

dialer-list 1 protocol ip permit

Is it right?

If I change

dialer-list 1 protocol ip list 101

my router disconnects and doesn't come up even if I try to browse the net.

dialer-list statement certainly should be changed, this way you can differentiate the interesting traffic. Apply dialer-list 1 protocol ip list 101 and use "debug dialer events" and "debug dialer packets" commands to monitor dialer activities. You can send output of these debugs.

Regards.

OK, I changed the dialer-list statement. As soon as I did, my internet connection disconnected and the router is not coming up. I am pasting the debug:

01:19:16: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)

01:19:17: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)

01:19:19: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)

01:19:21: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)

01:19:21: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)

01:19:22: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)

01:19:24: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)

01:19:25: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.6), 68 bytes, outgoing uninteresting (list 101)

01:19:26: Di1 DDR: ip (s=192.168.10.250, d=194.170.1.7), 68 bytes, outgoing uninteresting (list 101)

Are these destinations (194.170.1.6 and 7) web destinations? I can't connect port 80 of them (Or do you know what application is running on these hosts?). Have you got debugs for a web destination?

194.170.1.6 & 7 are the DNS of the ISP. We normally connect to the internet through a proxy, http://proxy1.emirates.net.ae

But things work fine if I say

dialer-list 1 protocol ip permit

You're right, I hadn't thought about DNS. Let's modify the ACL:

access-list 101 permit tcp any any eq domain

access-list 101 permit tcp any any eq www

access-list 101 permit ip host X.X.X.X any

Could you try?

Best Regards.

Still not working.

My access-list is now

access-list 101 permit tcp any any eq www

access-list 101 permit ip host 192.168.0.250 any

access-list 101 permit tcp any any eq domain

dialer-list 1 protocol ip list 101

Debug output is:

4:32:07: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)

04:32:14: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)

04:32:24: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)

04:32:28: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)

04:32:32: Di1 DDR: ip (s=217.165.5.152, d=195.229.240.67), 241 bytes, outgoing uninteresting (list 101)

04:32:34: Di1 DDR: ip (s=192.168.10.250, d=195.229.240.67), 48 bytes, outgoing uninteresting (list 101)
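
Added example, not part of any post in this thread: a small Python evaluator for the permit-only subset of extended ACL syntax used above, run against constructed packets to show why list 101 marks the traffic uninteresting. The firewall's `global (outside) 1 interface` rewrites every inside source to 192.168.10.250 (the source seen in the debug), so the `host 192.168.0.250` entry never matches at the router, and `tcp ... eq domain` does not match a UDP DNS query. Addresses come from the debug output; the protocols and ports (DNS on UDP 53, and 8080 as an arbitrary non-80 TCP port) are assumptions, since `debug dialer packets` does not print them.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53, "smtp": 25}  # IOS port keywords used here

def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC DST [eq PORT]' (subset of IOS syntax)."""
    tok = line.split()[3:]  # drop 'access-list', list number, 'permit'
    proto = tok.pop(0)

    def addr():
        word = tok.pop(0)
        if word == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if word == "host":
            return ipaddress.ip_network(tok.pop(0) + "/32")
        raise ValueError("unsupported address form: " + word)

    src, dst = addr(), addr()
    port = None
    if tok and tok[0] == "eq":
        port = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
    return proto, src, dst, port

def first_match(acl, pkt):
    """Return the first ACE that permits pkt, or None (implicit deny: uninteresting)."""
    proto, src, dst, dport = pkt
    for line in acl:
        a_proto, a_src, a_dst, a_port = parse_ace(line)
        if (a_proto in ("ip", proto)
                and ipaddress.ip_address(src) in a_src
                and ipaddress.ip_address(dst) in a_dst
                and a_port in (None, dport)):
            return line
    return None

# ACL as posted in the thread
ACL_101 = ["access-list 101 permit tcp any any eq www",
           "access-list 101 permit ip host 192.168.0.250 any",
           "access-list 101 permit tcp any any eq domain"]

# Constructed packets: addresses from the debug output; protocol and ports assumed
DNS_QUERY = ("udp", "192.168.10.250", "194.170.1.6", 53)
TCP_8080 = ("tcp", "192.168.10.250", "195.229.240.67", 8080)
WEB_80 = ("tcp", "192.168.10.250", "195.229.240.67", 80)

if __name__ == "__main__":
    for pkt in (DNS_QUERY, TCP_8080, WEB_80):
        print(pkt, "->", first_match(ACL_101, pkt) or "uninteresting")
    fixed = ACL_101 + ["access-list 101 permit udp any any eq domain"]
    print(DNS_QUERY, "->", first_match(fixed, DNS_QUERY))
```

Because the dialer-list ACL is evaluated on the router after the firewall has translated the source, host-based entries have to name the translated address or match on destination and port instead.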