Question on using route maps.

Hi guys,

Just a question on the use of the route-map.

OK, I've got one public IP of the 16 my ISP gave me. On the router I created a Loopback1 with that IP.

On that IP I would publish an FTP service and forward the requests. I used a route-map to limit the IP addresses that the connection requests can come from. Everything is working.

I wonder how it is possible that the following ACL allows the traffic:

access-list 110 permit tcp host host eq ftp-data
access-list 110 permit tcp host host eq ftp

ip nat inside source static 10.134.3.1 route-map FTPxSABINA

route-map FTPxSABINA permit 10
 match ip address 110
 match interface Loopback1

And the traffic was allowed even when the access-list was empty (I mean it didn't exist). I expected the route-map to permit only the traffic specified in the ACL and, in case the ACL was wrong, to deny the traffic altogether.

So how to permit traffic only from certain IP addresses?

Alex.

Reply to AM

If you want to drop ALL packets that do not match ACL 110, then:

route-map FTPxSABINA permit 10
 match ip address 110
 match interface Loopback1

route-map FTPxSABINA deny 20

Reply to Merv

I thought there was an implicit deny at the end of the ACL 110.

Many thanks

Alex.

Reply to AM

There is an implicit deny at the end of an ACL.

The NAT statement would only do a translation if the route-map found a match.

Is that what is happening?

What action do you want to take if there is not a match for translation?

Reply to Merv


No, what you think doesn't happen. The ACL was written to limit the IP addresses that can reach the FTP server, but I can see its username and password prompt from the world. So the ACL doesn't do what it is expected to do (by me).

Discard the packets, or better, the packets mustn't be forwarded to the FTP server. I want to restrict the IP addresses allowed to reach that FTP server.

I read that maybe when route-maps are used in conjunction with static NAT, the translation rule only takes care of the destination and not both the source and destination.

Go to [link] and have a look at the Benefits described for this feature. They don't say that the NAT rule doesn't consider the source address, but it seems to me that is what is happening to me.

Thanks, Alex.

Reply to AM

Why are you doing this with a route-map instead of a packet filter?

Reply to Barry Margolin

You're correct, but... I already have a big ACL inbound on the WAN interface where I implemented all the security rules to block undesired traffic from the Internet. I hoped to manage this particular constraint directly when specifying the service (I mean the static NAT).

Thanks, Alex.

Reply to AM
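As an added example (not part of the thread, and not Alex's actual configuration), here is the alternative Barry suggests: keep the static NAT plain and put the source restriction in the inbound packet filter on the WAN interface, where every outside-initiated packet is checked against both its source and its destination before it is translated and forwarded. The public IP (203.0.113.10), the single allowed client (198.51.100.5), the interface name (Serial0/0) and the ACL name (WAN-IN) are assumed placeholders standing in for the addresses stripped from the post.

```cisco
! Added example; addresses, interface and ACL name are assumptions.
! 203.0.113.10 = the public IP configured on Loopback1
! 198.51.100.5 = the only remote client allowed to reach the FTP server
! Serial0/0    = the WAN interface that already carries the inbound ACL
!
! Static NAT without the route-map: the route-map did not filter
! outside-initiated connections, so it is not doing the security work here.
ip nat inside source static 10.134.3.1 203.0.113.10
!
! The source restriction lives in the inbound WAN filter instead.
! The FTP lines go ahead of the existing rules of the "big" ACL;
! the closing "deny ip any any" is the implicit deny made explicit
! so its hit counter is visible in "show access-lists".
ip access-list extended WAN-IN
 remark -- FTP control channel to the published server, one client only
 permit tcp host 198.51.100.5 host 203.0.113.10 eq ftp
 remark -- active-mode data channel: the server opens it FROM port 20,
 remark -- so inbound we only need to accept the client's replies to it
 permit tcp host 198.51.100.5 host 203.0.113.10 eq ftp-data established
 remark -- log anyone else probing the FTP port, then fall through to
 remark -- the existing rules of the WAN filter
 deny   tcp any host 203.0.113.10 eq ftp log
 remark -- ... existing rules for the rest of the /28 go here ...
 deny   ip any any
!
interface Serial0/0
 ip nat outside
 ip access-group WAN-IN in
!
interface Loopback1
 ip address 203.0.113.10 255.255.255.255
```

Two things to check after applying it: from a host that is not 198.51.100.5, the FTP banner must no longer appear, and `show access-lists WAN-IN` should show the hit counter climbing on the `deny ... eq ftp log` line rather than on the permit. Note that Alex's original ACL matched `eq ftp-data` as a destination port; for the active-mode data channel the server is the one opening the connection from port 20, so on the inbound side that only ever appears as a source port, which is why the example uses `established` for it. Passive-mode FTP opens its data channel from the client to a high port on the server, which a static port-based filter cannot express tightly; that case needs stateful inspection of the control channel (for instance IOS `ip inspect` on the WAN interface) rather than a wider port range in the ACL.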
