
Routing Issue

I am in need of help with this. We have a 7204 with 4 interfaces--2 internal subnets, one phone and a gateway to the internet. Connected to the Internet int is a switch with 6 ports available. These are several appliances with external addresses from our /248 range--a mail filter, a help desk appliance, and a route to the firewall. We are using static routes with no auto summary. The gateway of last resort is the internal address of the firewall (Symantec). We have route-map commands, one of which is set to the router's outbound port with 151.204.xxx.xx (the gateway address for our external range). We use a match ip address xx command, which references a wildcard mask for the network address of our range (0.0.0.7). From inside these addresses are not accessible. (Inbound is not a problem.) There is a set ip next-hop in the route-map after this entry that sends traffic to the ISP gateway. Would the addition of the following allow access to manage these appliances:

access-list 105 permit ip 172.16.x.xxx 0.0.0.255 151.204.xxx.2x 0.0.0.255

route-map internet-traffic-outbound permit 8
match ip address 105

Do we need some kind of nat translation command? Is this a good idea? Is there a better way to get access?

Help would be appreciated. Thanks.
It's difficult to be sure, but it sounds as if all reply traffic from your publicly-addressed devices is getting policy-based routed to the internet gateway, which likely has no route back to the internal network (172.16.x.x).

You can perhaps exclude echo-reply traffic from these devices from being PBR'ed by denying them in this access list you've mentioned. Something like:

access-list 100 deny icmp 151.204.x.x 0.0.0.7 any echo-reply

If this doesn't work, I've probably completely misunderstood your issue. If you can confirm the IP addresses of these devices, where they connect and a current config of the router, it would help a lot.
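To make the failure mode in the question and the fix in the reply concrete, here is an added simulation (not code from either poster) of how IOS evaluates a wildcard-mask ACL inside a route-map permit clause. It uses constructed documentation addresses (203.0.113.0/29 with the same 0.0.0.7 wildcard as the poster's range, 203.0.113.1 as the ISP gateway, 172.16.0.0/16 as the inside), and it generalizes the reply's echo-reply-only deny to a deny on any internal destination, so that management sessions (SSH, HTTPS) to the appliances get their replies back through the normal routing table rather than only ping.

```python
"""Model of IOS extended-ACL wildcard matching and route-map (PBR) clause evaluation.
All addresses below are constructed placeholders, not the poster's real ranges.

Equivalent IOS configuration being modelled (constructed):
  access-list 100 deny   ip 203.0.113.0 0.0.0.7 172.16.0.0 0.0.255.255   ! keep inside-bound replies off PBR
  access-list 100 permit ip 203.0.113.0 0.0.0.7 any
  route-map internet-traffic-outbound permit 10
   match ip address 100
   set ip next-hop 203.0.113.1
"""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match the base, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; anything else must match exactly
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_result(acl, pkt) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if wildcard_match(pkt["src"], ace.src, ace.src_wc) and \
           wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


@dataclass(frozen=True)
class RouteMapClause:
    seq: int
    acl: tuple
    next_hop: str


def pbr_next_hop(route_map, pkt, table_next_hop: str) -> str:
    """A permit clause whose ACL permits the packet applies its set ip next-hop.
    If the ACL denies (or does not list) the packet, the clause does not match and
    the next clause is tried; with no matching clause the routing table is used."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if acl_result(clause.acl, pkt) == "permit":
            return clause.next_hop
    return table_next_hop


# Constructed addresses (documentation ranges), not the poster's.
PUBLIC_NET, PUBLIC_WC = "203.0.113.0", "0.0.0.7"      # /29, same wildcard as the question
ISP_GATEWAY = "203.0.113.1"
INTERNAL_NET, INTERNAL_WC = "172.16.0.0", "0.0.255.255"
ANY = ("0.0.0.0", "255.255.255.255")

# Original: everything sourced from the public range is sent to the ISP gateway,
# including replies to hosts on the inside, which the ISP cannot route back.
ACL_ORIGINAL = (Ace("permit", "ip", PUBLIC_NET, PUBLIC_WC, *ANY),)
# Fixed: a deny for internal destinations placed before the permit.
ACL_FIXED = (
    Ace("deny", "ip", PUBLIC_NET, PUBLIC_WC, INTERNAL_NET, INTERNAL_WC),
    Ace("permit", "ip", PUBLIC_NET, PUBLIC_WC, *ANY),
)
ROUTE_MAP_ORIGINAL = (RouteMapClause(10, ACL_ORIGINAL, ISP_GATEWAY),)
ROUTE_MAP_FIXED = (RouteMapClause(10, ACL_FIXED, ISP_GATEWAY),)

# Constructed sample packets: an appliance answering an inside admin, and the
# same appliance answering an Internet host.
REPLY_TO_INTERNAL = {"proto": "tcp", "src": "203.0.113.3", "dst": "172.16.10.20"}
REPLY_TO_INTERNET = {"proto": "tcp", "src": "203.0.113.3", "dst": "198.51.100.7"}


def demo() -> dict:
    """Where each sample reply is forwarded under the original and the fixed ACL."""
    return {
        "original/internal": pbr_next_hop(ROUTE_MAP_ORIGINAL, REPLY_TO_INTERNAL, "routing-table"),
        "fixed/internal": pbr_next_hop(ROUTE_MAP_FIXED, REPLY_TO_INTERNAL, "routing-table"),
        "fixed/internet": pbr_next_hop(ROUTE_MAP_FIXED, REPLY_TO_INTERNET, "routing-table"),
    }


if __name__ == "__main__":
    for case, hop in demo().items():
        print(f"{case:18} -> {hop}")
```

The reply's narrower suggestion corresponds to swapping the first ACE for `Ace("deny", "icmp", PUBLIC_NET, PUBLIC_WC, *ANY)`, which exempts ping replies only; a deny keyed on the internal destination covers every protocol while still policy-routing Internet-bound traffic to the ISP, and it needs no NAT because both sides of the conversation already use routable addresses on the router's own interfaces.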