Cisco867VAE ACL su ATM0.1 con fastweb (sto impazzendo)

[@lan72]

Salve a tutti ho un problema assurdo e ci sto sbattendo la testa da giorni..
in sostanza ho una fastweb joy (con ip pubblico) impostato come dhcp su atm0.1

la configurazione che ho fatto funziona alla perfezione.. il router si collega, aquisisce l'ip fastweb, naviga ecc

Il problema stà nelle ACL in sostanza come da conf allegata ho creato la 102 che è in entrata sulla Vlan1 e funziona alla perfezione e poi la 101 che dovrei impostare sulla atm0.1 con il comando "ip access-group 101 in", ma non appena imposto l'access-group 101 in su atm0.1 il router non naviga più, se faccio uno "sh log" vedo che mi blocca tutto il traffico in entrata.. (e mi chiedo xchè)

- ho provato a togliere tutta la access-list 101 (e naviga) ma appena aggiungo una singola riga di acl non naviga più, ho privato anche ad aggiungere solo la riga "permit" e non naviga neanche..

- ho provato 3 ios differenti sia T che M

- ho provato a impostare su atm0.1 invece che dhcp l'ip statico con la subnet

insomma non saprei cosa provare più... per il momento ho impostato la lista di acl 101 ma non ho impostato la regola sull'interfaccia atm0.1

qualcuno può darmi una dritta, ne sarei veramente grato

version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname C867VAE
!
boot-start-marker
boot system flash:c860vae-ipbasek9-mz.153-3.M1.bin
boot-end-marker
!
!
logging buffered 52000
enable secret 5 $1$S/wt$YFJgIrQfernOxZJPZRYq20
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone MET 1 0
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip dhcp excluded-address 192.168.0.201 192.168.0.254
!
ip dhcp pool home
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.221
domain-name home
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
!
!
!
ip domain name myhome
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
archive
log config
hidekeys
file verify auto
username Admin privilege 15 secret 5 $1$NYN6$nlQBK6pIrMM3/qLAVTtWm.
!
!
controller VDSL 0
!
ip tcp selective-ack
ip tcp timestamp
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
ip address dhcp
ip access-group 101 in (per ora non impostata se no non naviga)
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1452
atm route-bridged ip
pvc 8/36
encapsulation aal5snap
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.0.221 255.255.255.0
ip access-group 102 in
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.0.1 4662 interface ATM0.1 4662
ip nat inside source static udp 192.168.0.1 4672 interface ATM0.1 4672
ip nat inside source static tcp 192.168.0.1 1412 interface ATM0.1 1412
ip nat inside source static udp 192.168.0.1 1422 interface ATM0.1 1422
ip nat inside source static udp 192.168.0.1 9183 interface ATM0.1 9183
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 216.239.32.15 eq ntp any
access-list 101 permit udp host 216.239.34.15 eq ntp any
access-list 101 permit udp host 8.8.8.8 eq domain any
access-list 101 permit udp host 8.8.4.4 eq domain any
access-list 101 permit tcp any any eq 4662
access-list 101 permit udp any any eq 4672
access-list 101 permit tcp any any eq 1412
access-list 101 permit udp any any eq 1422
access-list 101 permit udp any any eq 9183
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.0.221
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
mac-address-table aging-time 15
no cdp run
!
!
!
!
control-plane
!
banner login ^C.::.::. Cisco Systems, Inc


Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 2 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 50000 1000
!
end

[@lan72]

Ho risolto (in parte) cioè dal momento che la mia IOS non è security non posso impostare l'ip inspect e i pacchetti non mi ritornavano indietro quindi ho aggiunto

access-list 101 permit tcp any any gt 1023 established
access-list 101 permit udp any any gt 1023

adesso funziona solo che sull'interfaccia atm0.1 ho dovuto togliere "ip address dhcp" e mettere l'ip statico fornito da fastweb perchè le acl mi bloccavano la negoziazione dell'ip

interface ATM0.1 point-to-point
ip address 2.232.xxx.xxx 255.255.255.0

così funziona.. ma secondo voi cosa dovrei fare passare dall'acl 101 per fare in modo che l'atm0.1 negozi l'ip con la centrale e rimettere "ip address dhcp"


grazie in anticipo

[@lan72]

nessuno che ha avuto un problema simile....

[@lan72]

vabbè mi ririspondo da solo... e chiudo definitivamente questo post
dopo varie ore e smadonnate varie ho trovato la soluzione aggiungendo all'acl 101

access-list 101 permit udp any eq bootpc any eq bootps

e non funzionava ancora.. poi ho pensato che il dhcp ha bisogno del traffico di ritorno per negoziare l'ip sulla wan e allora l'ho ricambiato in

access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 permit udp any eq bootps any eq bootpc

ed ha funzionato subito