From: Richard Wheat (rwheat@xxxxxxxxxx)
Date: Sat Mar 16 2002 - 14:58:12 GMT-3
Bill,
My best guess is ... as you are initiating traffic from the router also
performing the filtering - your outbound packets are not passed through the
outbound access list and so the reflexive list is never created. Try it from
a downstream router so the flow is through r3.
HTH,
Richard.
Bill Greenwood wrote:
> I can't seem to get reflective access-list to work. I've made the config
> about as simple as possible. What am I missing?
>
> !
> ip access-list extended inboundfilters
>  evaluate tcptraffic
> ip access-list extended outboundfilters
>  permit ip any any reflect tcptraffic
> !
>
> R3#sr int s1
> Building configuration...
>
> Current configuration:
> !
> interface Serial1
>  description Access to the Internet via this interface
>  bandwidth 56
>  ip address 172.16.23.3 255.255.255.0
>  ip access-group inboundfilters in
>  ip access-group outboundfilters out
>  ip pim sparse-mode
>  no ip route-cache
>  no ip mroute-cache
>  ipx network A23
>  no fair-queue
>  clockrate 56000
> end
>
> R3#ping 172.16.23.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R3#sh access-lis
>
> Extended IP access list inboundfilters
> evaluate tcptraffic
> Extended IP access list outboundfilters
> permit ip any any reflect tcptraffic
> Reflexive IP access list tcptraffic
> R3#172.16.23.2
> Trying 172.16.23.2 ...
> % Connection timed out; remote host not responding
>
> R3#sh access-lis
>
> Extended IP access list inboundfilters
> evaluate tcptraffic
> Extended IP access list outboundfilters
> permit ip any any reflect tcptraffic
> Reflexive IP access list tcptraffic
> R3#
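
The behaviour described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not Cisco code; the class, the function names, the source port 11000 and the downstream host 10.0.0.1 are constructed for illustration. It assumes, as the reply suggests, that packets the router originates itself are not checked against the outbound access list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Serial1Model:
    """Toy model of Serial1 with 'outboundfilters' out and 'inboundfilters' in."""

    def __init__(self):
        self.tcptraffic = set()  # temporary entries of the reflexive list

    def send(self, pkt, locally_generated):
        # Assumption: router-originated packets skip the outbound ACL,
        # so 'permit ip any any reflect tcptraffic' never sees them.
        if not locally_generated:
            # The reflected entry is the mirror image of the outbound flow.
            self.tcptraffic.add(
                Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True  # the packet leaves the interface either way

    def receive(self, pkt):
        # 'evaluate tcptraffic' followed by the implicit deny.
        return pkt in self.tcptraffic

def telnet_roundtrip(client_ip, locally_generated):
    """Send a SYN to 172.16.23.2:23 and report whether the SYN-ACK gets back in."""
    s1 = Serial1Model()
    s1.send(Packet("tcp", client_ip, 11000, "172.16.23.2", 23), locally_generated)
    reply = Packet("tcp", "172.16.23.2", 23, client_ip, 11000)
    return s1.receive(reply), len(s1.tcptraffic)

def unsolicited_inbound_allowed():
    """A reply-shaped packet with no prior outbound flow must be dropped."""
    s1 = Serial1Model()
    return s1.receive(Packet("tcp", "172.16.23.2", 23, "10.0.0.1", 11000))

if __name__ == "__main__":
    print("from R3 itself:      ", telnet_roundtrip("172.16.23.3", True))
    print("from downstream host:", telnet_roundtrip("10.0.0.1", False))
```

The first case matches the empty "Reflexive IP access list tcptraffic" in the output above: nothing is reflected, so the return traffic hits the implicit deny.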