access-list & Dialer interesting traffic

Discussion in 'Cisco' started by Ned, Nov 7, 2007.

  1. Ned

    Ned Guest

    Maybe someone can see what's wrong here. My local router will only
    seem to fire up the ISDN dialer when I have
    access-list 101 permit ip any any
    ****************
    My local ethernet is 172.30.1.254 255.255.254.0. My PC is
    172.30.1.100. When I have the above access list in the router the ISDN
    connects to the remote site. When I try to tighten up on the list the
    Dialer doesn't appear to see "interesting traffic". The new access
    list is:
    access-list 101 permit ip 172.30.0.0 255.255.254.0 any
    - the config shows this as...
    access-list 101 permit ip 0.0.1.254 255.255.254.0 any
    .... so to my understanding - this is saying permit any IP traffic from
    the local LAN to any destination. I have debugs on for Dialer & ISDN
    events but nothing appears when I have the new access list in...
    TIA, Ned

    **********
    interface FastEthernet0/0
    ip address 172.30.1.254 255.255.0.0
    no ip redirects
    !
    interface Serial1/0:15
    no ip address
    no ip directed-broadcast
    encapsulation ppp
    dialer pool-member 1
    isdn switch-type primary-net5
    fair-queue 64 256 0
    ppp authentication chap
    !
    !
    interface Dialer1
    description ISDN to 2a
    ip address 10.1.1.254 255.255.255.0
    encapsulation ppp
    no ip route-cache
    no ip mroute-cache
    dialer pool 1
    dialer remote-name site2a
    dialer string 12345
    dialer idle-timeout 600
    dialer hold-queue 40
    dialer-group 1
    no fair-queue
    no cdp enable
    ppp authentication chap
    ppp multilink
    !
    access-list 101 permit ip any any
    dialer-list 1 protocol ip list 101
    !
    ************************
    TIA, Ned
    Ned, Nov 7, 2007
    #1

  2. Ned

    Merv Guest

    > The new access
    > list is:
    > access-list 101 permit ip 172.30.0.0 255.255.254.0 any
    > - the config shows this as...
    > access-list 101 permit ip 0.0.1.254 255.255.254.0 any




    Are you saying you input to the IOS CLI:

    access-list 101 permit ip 172.30.0.0 255.255.254.0 any

    and sh run displays the access list as

    access-list 101 permit ip 0.0.1.254 255.255.254.0 any


    If so, then try

    config t
    no access-list 101
    access-list 101 permit ip 172.30.0.0 255.255.254.0 any
    end

    sh access-list

    post the output of show version and show access-list
    Merv, Nov 7, 2007
    #2

  3. Ned

    Thrill5 Guest

    "Ned" <> wrote in message
    news:...
    > Maybe someone can see what's wrong here. My local router will only
    > seem to fire up the ISDN dialer when I have
    > access-list 101 permit ip any any
    > ****************
    > My local ethernet is 172.30.1.254 255.255.254.0. My PC is
    > 172.30.1.100. When I have the above access list in the router the ISDN
    > connects to the remote site. When I try to tighten up on the list the
    > Dialer doesn't appear to see "interesting traffic". The new access
    > list is:
    > access-list 101 permit ip 172.30.0.0 255.255.254.0 any
    > - the config shows this as...
    > access-list 101 permit ip 0.0.1.254 255.255.254.0 any
    > ... so to my understanding - this is saying permit any IP traffic from
    > the local LAN to any destination. I have debugs on for Dialer & ISDN
    > events but nothing appears when I have the new access list in...
    > TIA, Ned
    >
    > **********
    > interface FastEthernet0/0
    > ip address 172.30.1.254 255.255.0.0
    > no ip redirects
    > !
    > interface Serial1/0:15
    > no ip address
    > no ip directed-broadcast
    > encapsulation ppp
    > dialer pool-member 1
    > isdn switch-type primary-net5
    > fair-queue 64 256 0
    > ppp authentication chap
    > !
    > !
    > interface Dialer1
    > description ISDN to 2a
    > ip address 10.1.1.254 255.255.255.0
    > encapsulation ppp
    > no ip route-cache
    > no ip mroute-cache
    > dialer pool 1
    > dialer remote-name site2a
    > dialer string 12345
    > dialer idle-timeout 600
    > dialer hold-queue 40
    > dialer-group 1
    > no fair-queue
    > no cdp enable
    > ppp authentication chap
    > ppp multilink
    > !
    > access-list 101 permit ip any any
    > dialer-list 1 protocol ip list 101
    > !
    > ************************
    > TIA, Ned
    >


    The mask used on ACL's is not like the mask used on IP addresses. You must
    use the complement of the mask you really want to use with ACLs (within my
    company we actually call them "bizzaro masks".) Your ACL should be:

    access-list 101 permit ip 172.30.0.0 0.0.1.255 any
    Thrill5, Nov 7, 2007
    #3
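
Added example, not part of any post in this thread: a Python model of wildcard-mask matching, run against the ACL entry the config displays and the corrected entry from the reply above. The function names and the extra host addresses are constructed for illustration; the model assumes IOS stores an entry's address with its don't-care bits cleared.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_netmask(netmask):
    """Complement of a subnet mask: the form an IOS ACL expects."""
    return to_str(to_int(netmask) ^ 0xFFFFFFFF)

def stored_address(addr, wildcard):
    """Clear the don't-care bits (assumed model of how the entry is stored)."""
    return to_str(to_int(addr) & ~to_int(wildcard) & 0xFFFFFFFF)

def acl_matches(src, addr, wildcard):
    """Wildcard bit 0 = must match, wildcard bit 1 = ignore."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(src) & care) == (to_int(addr) & care)

def matching_sources(addr, wildcard, candidates):
    return [c for c in candidates if acl_matches(c, addr, wildcard)]

PC = "172.30.1.100"                      # the PC from the original post
# Constructed test sources: two LAN hosts and two unrelated addresses.
HOSTS = [PC, "172.30.0.7", "10.9.1.254", "192.0.2.254"]

# Entry as the config displays it: a subnet mask sitting in the wildcard slot.
BROKEN = ("0.0.1.254", "255.255.254.0")
# Corrected entry from the reply: 172.30.0.0 0.0.1.255
FIXED = ("172.30.0.0", wildcard_from_netmask("255.255.254.0"))

if __name__ == "__main__":
    print("wildcard for 255.255.254.0:", FIXED[1])
    # The router's LAN address combined with the mistaken mask gives the
    # address part of the displayed entry.
    print("stored form:", stored_address("172.30.1.254", BROKEN[1]))
    print("displayed entry matches:", matching_sources(*BROKEN, HOSTS))
    print("corrected entry matches:", matching_sources(*FIXED, HOSTS))
```

With the subnet mask used as a wildcard, only the low bit of the third octet and the whole fourth octet are compared, so the PC's packets never count as interesting traffic while an unrelated source ending in .1.254 would.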
  4. Ned

    Trendkill Guest

    On Nov 7, 6:05 pm, "Thrill5" <> wrote:
    > "Ned" <> wrote in message
    >
    > news:...
    >
    >
    >
    > > Maybe someone can see what's wrong here. My local router will only
    > > seem to fire up the ISDN dialer when I have
    > > access-list 101 permit ip any any
    > > ****************
    > > My local ethernet is 172.30.1.254 255.255.254.0. My PC is
    > > 172.30.1.100. When I have the above access list in the router the ISDN
    > > connects to the remote site. When I try to tighten up on the list the
    > > Dialer doesn't appear to see "interesting traffic". The new access
    > > list is:
    > > access-list 101 permit ip 172.30.0.0 255.255.254.0 any
    > > - the config shows this as...
    > > access-list 101 permit ip 0.0.1.254 255.255.254.0 any
    > > ... so to my understanding - this is saying permit any IP traffic from
    > > the local LAN to any destination. I have debugs on for Dialer & ISDN
    > > events but nothing appears when I have the new access list in...
    > > TIA, Ned

    >
    > > **********
    > > interface FastEthernet0/0
    > > ip address 172.30.1.254 255.255.0.0
    > > no ip redirects
    > > !
    > > interface Serial1/0:15
    > > no ip address
    > > no ip directed-broadcast
    > > encapsulation ppp
    > > dialer pool-member 1
    > > isdn switch-type primary-net5
    > > fair-queue 64 256 0
    > > ppp authentication chap
    > > !
    > > !
    > > interface Dialer1
    > > description ISDN to 2a
    > > ip address 10.1.1.254 255.255.255.0
    > > encapsulation ppp
    > > no ip route-cache
    > > no ip mroute-cache
    > > dialer pool 1
    > > dialer remote-name site2a
    > > dialer string 12345
    > > dialer idle-timeout 600
    > > dialer hold-queue 40
    > > dialer-group 1
    > > no fair-queue
    > > no cdp enable
    > > ppp authentication chap
    > > ppp multilink
    > > !
    > > access-list 101 permit ip any any
    > > dialer-list 1 protocol ip list 101
    > > !
    > > ************************
    > > TIA, Ned

    >
    > The mask used on ACL's is not like the mask used on IP addresses. You must
    > use the complement of the mask you really want to use with ACLs (within my
    > company we actually call them "bizzaro masks".) Your ACL should be:
    >
    > access-list 101 permit ip 172.30.0.0 0.0.1.255 any


    Inverse mask you mean?

    http://www.mindflip.com/inet/tcpip/subnets.html

    Bizzaro mask, nice! I'll have to remember that one.
    Trendkill, Nov 7, 2007
    #4
