Re: Idle timeout expires with access list used for NAT and Dialer

From: Stan Buskus (stan.buskus@xxxxxxx)
Date: Fri Dec 01 2000 - 09:19:36 GMT-3

Sure enough. Once I created an access-list with the ISP's subnet
assigned to my dialer interface, the idle-timeout resets. Many thanks for
everyone's help.

Stan Buskus

"Erick B." wrote:

> The dialer routines probably use the IP address
> assigned to the interface. I believe NAT may take
> place before the interface/dialer stuff checks ACLs.
> Try pointing your dialer-list to another ACL with the
> subnet range(s) the ISP is using for dialup. I realize
> you're getting the IP dynamically.
>
> As for 1 ACL entry only getting hits... I think the
> NAT traffic matched that ACL entry. Those are all
> private ranges so if the negotiated address was in
> those ranges it should have hit on those as well.
> That's if my thinking is correct on how dialer routines
> use ACLs for interesting traffic (above).
>
> Let us know what the fix is if you find out.
>
> --- Stan Buskus <stan.buskus@att.net> wrote:
> > Hi Everyone,
> > I'm having a problem with an access list that is used for both
> > the dialer-list and NAT commands. I have a router that dials an
> > ISP over a modem, and everything works fine except the dialer
> > idle-timeout never resets with interesting traffic. It appears
> > that when the connection is established and the NAT translation
> > is created, the access-list is only enabled for NAT and not the
> > dialer-list. Since the dialer list never resets the idle
> > time-out, my connection drops after the idle time-out expires.
> >
> > I tried using two separate access-lists for the NAT and dialer
> > list, but it still doesn't work. I also tried using the
> > route-map for NAT and still the same problem. I happened to
> > notice that when I have two identical access lists (I know I
> > would never need two identical lists), and I run "sh ip access",
> > only one of the access-lists shows a match. I always assumed the
> > router would process all the lists for a given interface.
> >
> > Anyway, I finally changed the dialer list command to
> > "dialer-list 1 protocol ip permit" and everything works. However,
> > I feel an access-list should be used more than once in a
> > configuration. Does anyone have any thoughts?
> >
> > Here is part of my config.
> >
> >
> > interface Dialer1
> >  ip address negotiated previous
> >  ip nat outside
> >  encapsulation ppp
> >  dialer remote-name Internet
> >  dialer pool 1
> >  dialer idle-timeout 3600
> >  dialer string 9999999 modem-script dialnum
> >  dialer hold-queue 100
> >  dialer-group 1
> >  no cdp enable
> >  ppp authentication chap callin
> >  ppp chap hostname ISP
> >  ppp chap password 7 XXXXXXXXXXXXXXXX
> >
> > ip nat inside source list 101 interface Dialer1 overload
> >
> > access-list 101 permit ip 192.168.1.0 0.0.0.255 any
> > access-list 101 permit ip 10.0.0.0 0.255.255.255 any
> > access-list 101 permit ip 172.16.0.0 0.0.255.255 any
> > dialer-list 1 protocol ip list 101
> >
> > Stan Buskus
> >
>

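The thread's conclusion as one config fragment, added here as an editor's example (it is not Stan's posted config or Erick's suggestion): the NAT ACL and the dialer "interesting traffic" ACL are kept separate, and the dialer ACL matches the packet as it looks after translation, i.e. with the negotiated Dialer1 address as source. The ISP pool 203.0.113.0/24, the ACL number 102 and the NTP exclusion are assumptions for illustration; the Dialer1 settings mirror the ones quoted above.

```cisco
! Added example, not the original poster's configuration.
! Inside-to-outside packets are translated by NAT before the dialer
! code evaluates the dialer-list, so an ACL that only permits private
! sources (ACL 101) never matches the translated packet and never
! resets the idle timer. Use one ACL per job.
!
! ASSUMPTION: 203.0.113.0/24 stands in for the ISP's dialup pool.
! Replace it with the range the ISP actually hands out; check the
! negotiated address with "show ip interface brief" once the call is up.

interface Dialer1
 ip address negotiated previous
 ip nat outside
 encapsulation ppp
 dialer remote-name Internet
 dialer pool 1
 dialer idle-timeout 3600
 dialer string 9999999 modem-script dialnum
 dialer hold-queue 100
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ISP
 ppp chap password 7 XXXXXXXXXXXXXXXX
!
! ACL 101: which inside sources get translated (pre-NAT view).
ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
!
! ACL 102: interesting traffic, post-NAT view (source is the negotiated
! address in the ISP pool). Deny background chatter first so it neither
! brings the line up nor resets the idle timer; NTP (udp/123) is only an
! illustrative example of such traffic.
access-list 102 deny   udp any any eq 123
access-list 102 permit ip 203.0.113.0 0.0.0.255 any
dialer-list 1 protocol ip list 102
```

Two practical notes. First, "dialer-list 1 protocol ip permit" (the workaround that made things work) treats every outbound IP packet as interesting, so any chatter keeps a metered line up or dials it; an explicit ACL with deny lines is the place to control that. Second, because NAT rewrites only the source, a dialer ACL written against destinations (or "permit ip any any" plus specific denies) avoids depending on the ISP pool, which may change between calls. "show dialer" reports the time until disconnect and the last packet that reset it, and "debug dialer packets" prints each outbound packet with its interesting/uninteresting verdict, which is the quickest way to confirm the new ACL is the one being consulted.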


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:57 GMT-3