From: Erick B. (erickbe@xxxxxxxxx)
Date: Fri Dec 01 2000 - 10:55:57 GMT-3
No problem. On a related note, I noticed in 12.1(5)T
they added an option to the dialer idle-timeout command
so that only inbound traffic resets the counter.
i.e.: dialer idle-timeout <secs> [inbound | either]
--- Stan Buskus <stan.buskus@att.net> wrote:
> Sure enough. Once I created an access-list with the
> ISP's subnet assigned to my dialer interface the
> idle-timeout resets. Much thanks for everyone's help.
>
> "Erick B." wrote:
>
> > The dialer routines probably use the IP address
> > assigned to the interface. I believe NAT may take
> > place before the interface/dialer stuff checks ACLs.
> > Try pointing your dialer-list to another ACL with the
> > subnet range(s) the ISP is using for dialup. I realize
> > you're getting the IP dynamically.
> >
> > As for 1 ACL entry only getting hits... I think the
> > NAT traffic matched that ACL entry. Those are all
> > private ranges so if the negotiated address was in
> > those ranges it should have hit on those as well.
> > That's if my thinking is correct on how dialer routines
> > use ACLs for interesting traffic (above).
> >
> > Let us know what the fix is if you find out.
> >
> > --- Stan Buskus <stan.buskus@att.net> wrote:
> > > Hi Everyone,
> > > I'm having a problem with an access list that is used for both the
> > > dialer-list and NAT command. I have a router that dials an ISP over a
> > > modem, and everything works fine except dialer idle-timeout never resets
> > > with interesting traffic. It appears that when the connection is
> > > established and the NAT translation is created, the access-list is only
> > > enabled for NAT and not the dialer-list. Since the dialer list never
> > > resets the idle time-out, my connection drops after the idle time-out
> > > expires.
> > >
> > > I tried using two separate access-lists for the NAT and dialer list, but
> > > it still doesn't work. I also tried using the route-map for NAT and
> > > still the same problem. I happened to notice that when I have two
> > > identical access lists (I know I would never need two identical lists),
> > > and I run "sh ip access", only one of the access-lists shows a match. I
> > > always assumed the router would process all the lists for a given
> > > interface.
> > >
> > > Anyway, I finally changed the dialer list command to "dialer-list 1
> > > protocol ip permit" and everything works. However, I feel an access-list
> > > should be used more than once in a configuration. Does anyone have any
> > > thoughts?
> > >
> > > Here is part of my config.
> > >
> > >
> > > interface Dialer1
> > > ip address negotiated previous
> > > ip nat outside
> > > encapsulation ppp
> > > dialer remote-name Internet
> > > dialer pool 1
> > > dialer idle-timeout 3600
> > > dialer string 9999999 modem-script dialnum
> > > dialer hold-queue 100
> > > dialer-group 1
> > > no cdp enable
> > > ppp authentication chap callin
> > > ppp chap hostname ISP
> > > ppp chap password 7 XXXXXXXXXXXXXXXX
> > >
> > > ip nat inside source list 101 interface Dialer1 overload
> > >
> > > access-list 101 permit ip 192.168.1.0 0.0.0.255 any
> > > access-list 101 permit ip 10.0.0.0 0.255.255.255 any
> > > access-list 101 permit ip 172.16.0.0 0.0.255.255 any
> > > dialer-list 1 protocol ip list 101
> > >
> > > Stan Buskus
> > >
> >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:57 GMT-3
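Added example, not part of the thread above and not Cisco code: a small Python model of the packet path Erick hypothesises, to show why the same ACL can register NAT hits yet never reset the dialer idle-timer. It assumes, as the thread does, that inside-to-outside NAT runs before the dialer-list interesting-traffic check, so the dialer compares the already-translated source address against its ACL. The ACL entries mirror access-list 101 from Stan's config; the ISP pool (203.0.113.0/24, a documentation range), the inside host and the negotiated address are constructed values, and `ISP_DIALUP_ACL` stands in for the separate ACL Erick suggested.

```python
import ipaddress

# Constructed mirror of access-list 101 from the quoted config:
# (network, Cisco wildcard mask) pairs, all "permit" entries.
ACL_101 = [
    ("192.168.1.0", "0.0.0.255"),
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.0.255.255"),
]

# Hypothetical second ACL for the dialer-list, covering the ISP's dialup pool.
# 203.0.113.0/24 is a documentation range standing in for the real ISP subnet.
ISP_DIALUP_ACL = [("203.0.113.0", "0.0.0.255")]

# Equivalent of "dialer-list 1 protocol ip permit": no ACL, all IP is interesting.
PERMIT_ANY = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str) -> bool:
    """First-match evaluation of a permit-only ACL; None means 'permit any'."""
    if acl is None:
        return True
    return any(wildcard_match(src, net, wc) for net, wc in acl)


def outbound_packet(src: str, nat_acl, dialer_acl, negotiated_ip: str) -> dict:
    """Model of inside->outside processing for one packet.

    Assumption (Erick's hypothesis in the thread, not verified here): NAT
    translates the source before the dialer-list check runs, so the dialer
    sees the negotiated interface address rather than the private one.
    """
    translated = acl_permits(nat_acl, src)
    seen_by_dialer = negotiated_ip if translated else src
    interesting = acl_permits(dialer_acl, seen_by_dialer)
    return {
        "nat_translated": translated,
        "source_seen_by_dialer": seen_by_dialer,
        "idle_timer_reset": interesting,
    }


if __name__ == "__main__":
    host = "192.168.1.10"       # constructed inside host
    isp_ip = "203.0.113.45"     # constructed address negotiated on Dialer1
    # Stan's original config: the same ACL drives NAT and the dialer-list.
    print("shared ACL 101:     ", outbound_packet(host, ACL_101, ACL_101, isp_ip))
    # Erick's suggestion: dialer-list on an ACL that covers the ISP's pool.
    print("ISP-subnet ACL:     ", outbound_packet(host, ACL_101, ISP_DIALUP_ACL, isp_ip))
    # Stan's workaround: dialer-list 1 protocol ip permit.
    print("protocol ip permit: ", outbound_packet(host, ACL_101, PERMIT_ANY, isp_ip))
    # Erick's aside: a negotiated address inside a private range would still match.
    print("private negotiated: ", outbound_packet(host, ACL_101, ACL_101, "10.1.2.3"))
```

Run as a script it prints the four cases; the shared-ACL case shows `nat_translated` true but `idle_timer_reset` false, which is exactly the "only one list shows a match" symptom. The `PERMIT_ANY` case resets the timer on every IP packet, so a separate, narrower ACL for the dialer-list keeps background noise from holding the line up.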