Re: What is the difference between the two destinations??

From: Tim Fletcher (tim@fletchmail.net)
Date: Mon Nov 18 2002 - 13:08:09 GMT-3


Your ACL for the crypto map (101) specifies that traffic destined for
201.0.0.0/8 will be encrypted. Once encrypted, the IPSEC header will have
a destination address of 192.168.10.1. Because this matches the ACL for
your dialer-list (101), it will bring the link up. Any other traffic,
including traffic to 200.0.0.1, will not get encrypted, so it retains its
actual destination address, and will not bring the link up.

-tim

> access-list 101 permit ip any 201.0.0.0 0.255.255.255
> access-list 110 permit ip any host 192.168.10.1

On Mon, 18 Nov 2002, Hunt Lee wrote:

> 200.0.0.1/32
> /
> R1 ----- ISDN ------ R2
> \
> 201.0.0.1/32
>
>
> R1 dialer int: 192.168.10.2 (assigned by a IP Pool from R2)
> R2 Bri 0 int: 192.168.10.1
>
> There is an IPSec tunnel between R1 & 201.0.0.1/32
>
> The requirement is that when R1 pings 201.0.0.1, not only will it establish an IPSec
> tunnel, it will also trigger the ISDN to dial to R2. However, only traffic from R1
> going to 200.0.0.1 & 201.0.0.1 should trigger the ISDN, but nothing else.
>
> Hence I have created a dialer-list at R1:-
>
> access-list 110 permit ip any host 192.168.10.1
> dialer-list 1 protocol ip list 110
> !
>
> However, based on the 2 different destinations, I was expecting that they both
> would be interesting traffic (to trigger the ISDN), but I found that one is, while
> the other isn't. Any ideas??
>
> tutu#ping 200.0.0.1
> *Mar 1 00:05:34.239: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
> outgoing interesting (list 110)
> *Mar 1 00:05:34.335: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
> outgoing interesting (list 110)
> *Mar 1 00:05:34.435: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
> outgoing interesting (list 110)
> *Mar 1 00:05:34.531: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
> outgoing interesting (list 110)
> *Mar 1 00:05:34.631: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
> outgoing interesting (list 110)
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms
> tutu#
> *Mar 1 00:05:37.415: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes, outgoing
> uninteresting (list 110)
> *Mar 1 00:05:37.459: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes, outgoing
> uninteresting (list 110)
> *Mar 1 00:05:37.503: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes, outgoing
> uninteresting (list 110)
> *Mar 1 00:05:37.543: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes, outgoing
> uninteresting (list 110)
> *Mar 1 00:05:37.587: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes, outgoing
> uninteresting (list 110)
>
> Below is my config for R1:-
>
> R1#sh run
> Building configuration...
>
> Current configuration : 1763 bytes
> !
> !
> username posets password 0 win
> ip subnet-zero
> no ip finger
> no ip domain-lookup
> !
> no ip dhcp-client network-discovery
> isdn switch-type basic-net3
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> !
> crypto isakmp key 1234a address 192.168.10.1
> !
> !
> crypto ipsec transform-set setOne esp-des esp-sha-hmac
> !
> crypto map combined 10 ipsec-isakmp
> set peer 192.168.10.1
> set transform-set setOne
> match address 101
> !
> interface Loopback0
> ip address 3.3.3.3 255.255.255.255
> !
> !
> interface BRI0
> no ip address
> encapsulation ppp
> no ip route-cache
> no ip mroute-cache
> dialer pool-member 1
> isdn switch-type basic-net3
> cdapi buffers regular 0
> cdapi buffers raw 0
> cdapi buffers large 0
> ppp authentication pap chap
> !
> interface Dialer1
> ip address negotiated
> encapsulation ppp
> no ip route-cache
> no ip mroute-cache
> dialer pool 1
> dialer remote-name Posets
> dialer idle-timeout 180
> dialer string 2222
> dialer-group 1
> ppp authentication pap chap
> crypto map combined
> !
> ip kerberos source-interface any
> ip classless
> ip route 192.168.10.1 255.255.255.255 Dialer1
> ip route 200.0.0.0 255.0.0.0 192.168.10.1
> ip route 201.0.0.0 255.0.0.0 192.168.10.1
> no ip http server
> !
> access-list 101 permit ip any 201.0.0.0 0.255.255.255
> access-list 110 permit ip any host 192.168.10.1
> dialer-list 1 protocol ip list 110
>
>
> Can someone tell me why they are different. Any help would be greatly appreciated.
>
> Thanks
>
> Best Regards,
> H.
>


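The ordering Tim describes (crypto map first, then the dialer-list ACL on the header that actually leaves the interface) as an added example; this is not code from the thread, and the ACL mini-parser, the hard-coded peer address and the helper names are my own assumptions, with the two access-list lines taken from Hunt's R1 config.

```python
import ipaddress
import re

# Constructed from the R1 config quoted in the thread (only the two ACLs are needed).
R1_CONFIG = """
access-list 101 permit ip any 201.0.0.0 0.255.255.255
access-list 110 permit ip any host 192.168.10.1
"""
CRYPTO_PEER = "192.168.10.1"   # 'set peer' in crypto map "combined" (assumed fixed here)

ACL_RE = re.compile(
    r"^access-list (\d+) (permit|deny) ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)\s*$",
    re.MULTILINE,
)


def _net(spec):
    """Turn an IOS address spec ('any', 'host A.B.C.D', 'A.B.C.D wildcard') into a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    addr, wildcard = spec.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}")  # ipaddress accepts host masks


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for num, action, src, dst in ACL_RE.findall(config):
        acls.setdefault(num, []).append((action, _net(src), _net(dst)))
    return acls


def acl_permits(acl, src, dst):
    """First-match semantics with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def classify(config, src, dst):
    """Return (encrypted, outer_dst, interesting) for a packet leaving Dialer1."""
    acls = parse_acls(config)
    # Step 1: crypto map 'match address 101' decides whether the packet is tunnelled;
    # if so, the new outer IP header is addressed to the IPsec peer.
    encrypted = acl_permits(acls["101"], src, dst)
    outer_dst = CRYPTO_PEER if encrypted else dst
    # Step 2: dialer-list 1 -> list 110 is evaluated on that outer header.
    interesting = acl_permits(acls["110"], src, outer_dst)
    return encrypted, outer_dst, interesting
```

Running `classify(R1_CONFIG, "192.168.10.2", "201.0.0.1")` reports the packet as encrypted and interesting, while the same call for 200.0.0.1 keeps its original destination and stays uninteresting, matching the `debug dialer` output Hunt posted.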

This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:04 GMT-3