I have this ACL applied to a route-map
access-list 109 remark ===============
access-list 109 remark ACL FOR NAT OUT
access-list 109 remark ==================
access-list 109 permit tcp 192.168.1.0 0.0.0.255 host 85.39.190.50
access-list 109 permit tcp host 192.168.1.101 host 151.3.176.170
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq www
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq domain
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq smtp
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq pop3
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 443
access-list 109 permit udp 192.168.1.0 0.0.0.255 gt 1023 any eq domain
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 5500
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 5800
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 5900
access-list 109 remark ===================================
access-list 109 remark ACL FOR NAT IN
access-list 109 remark ===================================
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 22 any
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq telnet any
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 3389 any
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 5800 any gt 1023
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 5900 any gt 1023
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq ftp-data any gt 1023
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq ftp any gt 1023
access-list 109 remark ===================================
access-list 109 remark ACL FOR LOOPBACK
access-list 109 remark ===================================
access-list 109 permit tcp host xx.xx.211.49 eq 22 any
access-list 109 permit tcp host xx.xx.211.49 eq telnet any
access-list 109 deny ip any any
Why is it that, when I apply it to a route-map to match the IPs to be forwarded out of atm0.1, it no longer lets me access the router via telnet/ssh???
The config is:
interface Loopback0
ip address xx.xx.xx.49 255.255.255.248
ip policy route-map TRAFFICO_LAN
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
ip address 192.168.1.254 255.255.255.0 secondary
ip address 192.168.0.254 255.255.255.0
ip mtu 1492
ip nat inside
ip tcp adjust-mss 1452
ip policy route-map TRAFFICO_LAN
hold-queue 100 out
!
interface ATM0
no ip address
ip mtu 1492
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address xx.xx.xx.xx 255.255.255.252
ip mtu 1492
ip nat outside
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
!
no ip http server
no ip http secure-server
!
ip nat pool nat_pool xx.xx.xx.49 xx.xx.xx.49 netmask 255.255.255.248
ip nat inside source list 109 pool nat_pool overload
Route map:
route-map TRAFFICO_LAN permit 10
match ip address 109
set interface ATM0.1
If I apply an ip route 0.0.0.0 0.0.0.0 atm0.1 everything is fine; it is as if the incoming connection on port 23 were being dropped by the ACL.
But only for access to the router.
In fact, if I map the same port of the same address to an internal server (AS400), it works.
Loss of connectivity on 877
Moderator: Federico.Lagni
- Cisco enlightened user
- Posts: 129
- Joined: Wed 01 Apr 2009, 9:58 am
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
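Added example, not part of the post or of the poster's configuration: a small Python evaluator that parses the numbered extended ACL above and applies IOS first-match semantics (wildcard masks, eq/gt/lt/neq port operators, the implicit deny at the end) to sample flows. It is the quickest way to audit which entry a given flow hits when one ACL is doing double duty as the NAT inside list and the route-map match list. The loopback address is masked in the post (xx.xx.211.49), so the TEST-NET address 198.51.100.49 stands in for it; all flow endpoints are constructed. One fact worth keeping in mind while reading the results, stated here as context and not as the poster's conclusion: `ip policy route-map` on an interface acts only on transit packets received on that interface, whereas packets the router itself originates (such as its replies to an SSH or Telnet session) are policy-routed only when `ip local policy route-map` is configured, so for those replies the interface policy never consults the ACL at all.

```python
"""Parse Cisco IOS numbered extended ACL entries and evaluate flows against them.

Added example (not from the forum post): a first-match evaluator reproducing IOS
wildcard-mask and port-operator semantics, for auditing an ACL offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports as IOS prints them (the names used in ACL 109, plus ssh).
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "pop3": 110,
              "telnet": 23, "ssh": 22, "ftp": 21, "ftp-data": 20}

PortOp = Optional[Tuple[str, int]]   # ("eq", 80), ("gt", 1023), ... or None = any port
Addr = Tuple[int, int]               # (network as int, wildcard mask as int)

# ACL 109 from the post. 198.51.100.49 is a constructed stand-in for the
# masked loopback address xx.xx.211.49; remark lines are kept to show they are skipped.
ACL_109 = """
access-list 109 remark ACL FOR NAT OUT
access-list 109 permit tcp 192.168.1.0 0.0.0.255 host 85.39.190.50
access-list 109 permit tcp host 192.168.1.101 host 151.3.176.170
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq www
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq domain
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq smtp
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq pop3
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 443
access-list 109 permit udp 192.168.1.0 0.0.0.255 gt 1023 any eq domain
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 5500
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 5800
access-list 109 permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq 5900
access-list 109 remark ACL FOR NAT IN
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 22 any
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq telnet any
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 3389 any
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 5800 any gt 1023
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq 5900 any gt 1023
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq ftp-data any gt 1023
access-list 109 permit tcp 192.168.1.0 0.0.0.255 eq ftp any gt 1023
access-list 109 remark ACL FOR LOOPBACK
access-list 109 permit tcp host 198.51.100.49 eq 22 any
access-list 109 permit tcp host 198.51.100.49 eq telnet any
access-list 109 deny ip any any
"""


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip"
    src: Addr
    sport: PortOp
    dst: Addr
    dport: PortOp
    text: str     # original line, kept for reporting


def _addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Consume an address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def _port_op(tokens: List[str], i: int) -> Tuple[PortOp, int]:
    """Consume an optional port operator (eq/gt/lt/neq PORT) at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        port = tokens[i + 1]
        value = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        return (tokens[i], value), i + 2
    return None, i


def parse_acl(config: str) -> List[Ace]:
    """Return the ACEs of a numbered extended ACL in order, skipping remarks."""
    aces: List[Ace] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        tokens = line.split()          # access-list <number> <action|remark> ...
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        layer4 = proto in ("tcp", "udp")  # only tcp/udp entries carry port operators
        src, i = _addr(tokens, 4)
        sport, i = _port_op(tokens, i) if layer4 else (None, i)
        dst, i = _addr(tokens, i)
        dport, i = _port_op(tokens, i) if layer4 else (None, i)
        aces.append(Ace(action, proto, src, sport, dst, dport, line))
    return aces


def _addr_matches(spec: Addr, ip: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def _port_matches(op: PortOp, port: int) -> bool:
    if op is None:
        return True
    kind, value = op
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[kind]


def evaluate(aces: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (action, 1-based ACE number), or ("deny", None)
    for the implicit deny IOS appends to every ACL."""
    for n, ace in enumerate(aces, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if (_addr_matches(ace.src, src) and _port_matches(ace.sport, sport)
                and _addr_matches(ace.dst, dst) and _port_matches(ace.dport, dport)):
            return ace.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_109)
    # Constructed flows: LAN web browsing, the loopback's own Telnet reply,
    # and an inbound Telnet SYN from the Internet to the loopback.
    for flow in [("tcp", "192.168.1.10", 40000, "8.8.8.8", 80),
                 ("tcp", "198.51.100.49", 23, "203.0.113.7", 51000),
                 ("tcp", "203.0.113.7", 51000, "198.51.100.49", 23)]:
        action, n = evaluate(acl, *flow)
        where = acl[n - 1].text if n else "implicit deny"
        print(f"{flow}: {action} by ACE {n} ({where})")
```

Run it as a script to see which ACE each constructed flow hits; the third flow shows that the ACL is written entirely from the inside-out perspective, so any packet whose source is not the LAN or the loopback falls through to the final deny.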