Reflexive Access Lists

From: Nodir Nazarov (nodir@xxxxxxxxxxxx)
Date: Tue Jun 12 2001 - 13:24:25 GMT-3


Hello,

I am configuring a simple reflexive access list example; it looks like I am
missing something.

R6--R5

Serial 0.1 is the interface connected to R5

!
interface Serial0.1 point-to-point
 ip address 172.16.56.6 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out
 no ip directed-broadcast
 frame-relay interface-dlci 605
end

ip access-list extended inbound
 permit igrp any any
 permit icmp any any
 evaluate ref
 deny ip any any log

ip access-list extended outbound
 permit igrp any any
 permit icmp any any
 permit tcp any any reflect ref timeout 120
 deny ip any any log

I expect R6 to mark outgoing tcp traffic with "ref" and evaluate it on the
way back. I also expect R6 to be able to telnet to R5; however, this is what I got:

R6#telnet 172.16.56.5
Trying 172.16.56.5 ...
11:52:29: %SEC-6-IPACCESSLOGP: list inbound denied tcp 172.16.56.5(23) -> 172.16.56.6(11002), 1 packet
% Connection timed out; remote host not responding

Reflexive ACL is not created and incoming traffic is not evaluated. Did I
get it wrong?

Thank you,
Nodir
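The following is an added illustration, not part of the original post and not IOS code: a small Python model of what the two access lists above are meant to do. A `permit ... reflect ref` entry on the outbound list creates a temporary mirror-image entry (reply source/port back to the original source/port) with a 120 second idle timeout, and `evaluate ref` on the inbound list consults those entries before the final `deny ip any any log`. The model also encodes one IOS behaviour the reader should keep in mind when testing: an interface's outbound access-group is applied to forwarded (transit) traffic only, so packets the router itself originates never traverse the outbound list and never create a reflexive entry. The packet addresses, the port 11002 and the log format are taken from the post; the `Packet`, `ReflexiveList`, `apply_acl` and `run_scenario` names are assumptions made for this example.

```python
"""Toy model of IOS reflexive ACL behaviour (constructed example, not IOS code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "igrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    locally_originated: bool = False   # True if the router itself generated it


@dataclass
class ReflexiveList:
    """Temporary entries created by 'reflect NAME' and consulted by 'evaluate NAME'."""
    name: str
    timeout: int
    entries: dict = field(default_factory=dict)   # flow key -> expiry time

    @staticmethod
    def key(proto, src, sport, dst, dport):
        return (proto, src, sport, dst, dport)

    def reflect(self, pkt, now):
        # Mirror of the outbound flow: replies come from dst:dport back to src:sport
        k = self.key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[k] = now + self.timeout

    def evaluate(self, pkt, now):
        k = self.key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(k)
        if expiry is None:
            return False
        if now >= expiry:                       # idle timeout reached: entry is gone
            del self.entries[k]
            return False
        self.entries[k] = now + self.timeout    # matching packet refreshes the timer
        return True


def apply_acl(name, acl, reflist, pkt, now, log):
    """Walk the ACL top-down. Entries are (action, proto, option) with
    action in {"permit", "deny", "evaluate"} and option in {None, "reflect"}."""
    for action, proto, option in acl:
        if action == "evaluate":
            if reflist.evaluate(pkt, now):
                return True
            continue                            # no reflexive match: keep walking
        if proto != "ip" and proto != pkt.proto:
            continue
        if action == "permit":
            if option == "reflect":
                reflist.reflect(pkt, now)
            return True
        log.append(f"%SEC-6-IPACCESSLOGP: list {name} denied {pkt.proto} "
                   f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
        return False
    return False                                # implicit deny at end of list


def outbound_filter(name, acl, reflist, pkt, now, log):
    # IOS applies an outbound access-group to transit traffic only; packets
    # the router generates itself bypass it, so nothing is reflected for them.
    if pkt.locally_originated:
        return True
    return apply_acl(name, acl, reflist, pkt, now, log)


# The two lists from the post, in the same order as configured.
INBOUND = [("permit", "igrp", None), ("permit", "icmp", None),
           ("evaluate", "ref", None), ("deny", "ip", None)]
OUTBOUND = [("permit", "igrp", None), ("permit", "icmp", None),
            ("permit", "tcp", "reflect"), ("deny", "ip", None)]


def run_scenario(locally_originated, reply_delay=1):
    """Send one telnet SYN out Serial0.1 at t=0, then the reply back in.
    Returns (syn_permitted, reply_permitted, log_lines)."""
    ref = ReflexiveList("ref", timeout=120)
    log = []
    syn = Packet("tcp", "172.16.56.6", "172.16.56.5", 11002, 23, locally_originated)
    reply = Packet("tcp", "172.16.56.5", "172.16.56.6", 23, 11002)
    out_ok = outbound_filter("outbound", OUTBOUND, ref, syn, now=0, log=log)
    in_ok = apply_acl("inbound", INBOUND, ref, reply, now=reply_delay, log=log)
    return out_ok, in_ok, log


if __name__ == "__main__":
    for local in (False, True):
        ok_out, ok_in, lines = run_scenario(local)
        print(f"locally_originated={local}: syn={ok_out} reply={ok_in} {lines}")
```

Running it shows the two cases side by side: a transit TCP connection through R6 creates the `ref` entry and its reply passes `evaluate ref`, while a session the router starts itself bypasses the outbound list, creates no entry, and its reply is logged and dropped by `deny ip any any log` with exactly the shape of the message quoted in the post. A reply arriving after the 120 second timeout is refused for the same reason.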



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:22 GMT-3