dialer idle-timout doesn't get reset

Hi,

I'm facing a problem with a 803 (one ISDN interface).
I have configured two dialer interfaces and acces lists and dialer-lists. I
have read quite a few posts on several newsgroups, but I can't seem to find
the answer to my problem. Hopefully someone can shed some light on this.

My problem is that whenever a call is established, the idle-timeout doesn't
get reset whenever "interesting traffic" is passing the interface. I have an
access-list configured and a dialer-list configured to look at the traffic
that is passing that interface. No matter what traffic I send over that ISDN
line/interface, the idle-timeout is never reset.

Here's the IOS version I'm running:

Cisco Internetwork Operating System Software
IOS (tm) C800 Software (C800-Y6-MW), Version 12.1(10), RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.

Here's my config:

interface Ethernet0
description connected to EthernetLAN
ip address 192.168.1.2 255.255.255.0
ip nat inside
no cdp enable
!
interface BRI0
description connected to Corporate Networks
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
ppp authentication chap pap
!
interface Dialer1
description ISDN to routerA
ip address negotiated
ip nat outside
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer idle-timeout 300
dialer string 123456789
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname myusername
ppp chap password mypassword
ppp pap sent-username myusername password mypassword
!
interface Dialer2
description ISDN to routerB
ip address negotiated
ip nat outside
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer idle-timeout 300
dialer string 987654321
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname myusername2
ppp chap password mypassword2
ppp pap sent-username myusername2 password mypassword2
!
router rip
version 2
network 200.0.0.0
no auto-summary
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer2 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Dialer1
ip route 193.168.200.0 255.255.255.0 Dialer2
!
logging trap debugging
logging 192.168.1.3
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.7
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 193.168.200.1
dialer-list 1 protocol ip list 100
dialer-list 2 protocol ip list 110
no cdp run

Any help is very much appreciated.

Thanks,

Dennis Ortsen

 

I think it is because your nat is translating the source address to an
address that is not matched by the access-list.

 

Hi P. Stewart,

Hmmm... I'm a newbie in IOS so forgive me if I say something impossible,
stupid or offensive, but, if what you are saying is true, then I would also
have problems accessing any machine on the other end of the ISDN line,
wouldn't I?

I thought it worked like this:
the dialer-list contains the information on what is to be regarded as
"interesting traffic", not the access-list. The access-list serves one
purpose only, and that is to initiate a call to interface Dialer 1 whenever
a packet for that specific host (10.1.1.7 in this case) is received by the
router. The dialer-list serves as a "filter" for "interesting traffic" to
the idle-timeout timer, right? And by filter I mean that if an ip packet is
received for that interface Dialer 1 it should only reset the idle-timeout
timer, nothing more.

And, by using the "ip nat inside source list ....." I have specified a route
for packets travelling from the Dialer interface to my ethernet interface.

Could you tell me whether I have just said something impossible, stupid or
anything else?
Perhaps there are more configuration parameters I can or need to set...

Thanks,

Dennis

 

In your case, the access-list is used to further filter your dialer list.
So not only does the packet have to be ip, but also match the access-list.
If you omitted the access list in your dialer list, all ip traffic would be
interesting. The access-list has nothing to do with initiating the call, it
is used to more granularly filter the dialer list. The interface probably
only comes up initially because there really can't be a true nat translation
until the interface is up.

This has nothing to do with a route. This has to do with how the source
address is changed when a packet goes from an interface labeled ip nat
inside to an interface labeled ip nat outside. If you are doing a private
lan to lan isdn, you do not typically configure nat (unless you have a
specific need).

 

Hi,

Ehm, OK. I'm getting the picture now, I think... I'm filtering twice.
The dialer-list command is the command that triggers the call to the
specified dialer-group.
The access-list command is used to filter out what is allowed to travel over
the configured interface to the destination. And it is used to define what
is "interesting traffic". Am I right?

So with this setup:

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Dialer1
ip route 193.168.200.0 255.255.255.0 Dialer2
!
logging trap debugging
logging 192.168.1.3
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.7
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 193.168.200.1
dialer-list 1 protocol ip list 100
dialer-list 2 protocol ip list 110

I'm not getting the dialer idle-timout counter reset.

But with this setup...:

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.1.1.0 255.255.255.0 Dialer1
ip route 193.168.200.0 255.255.255.0 Dialer2
!
logging trap debugging
logging 192.168.1.3
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.7
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 193.168.200.1
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit

....it would work? Cause any packet that needs to go to network 10.1.1.0 (to
initiate the call) will trigger interface Dialer 1 to call that host. Since
that is defined in the ip route command. But this will only happen when the
packet needs to travel to host 10.1.1.7 AND it must be an ip packet. Only
then the call will be initiated. Then I don't understand why I would need a
dialer-list for that dialer-group...

I thought I figured it all out... but I'm loosing it again.

Basically what I want is to be able to remote control a few PC's by using
either Terminal Services or pcANYWHERE, and occasionally transfer some files
using SMB networking.
What I don't want is that calls are made when it is not needed (phone bill).

Any suggestions?

Thanks,

Dennis