reflexive access-list

From: ying c (bf5tgh1@xxxxxxxxx)
Date: Wed Aug 07 2002 - 16:40:09 GMT-3

Hi,

Can someone tell me why the following reflexive
access-list would not work? I'm not even bothering
to block anything any more; the IOS is 12.1-15:

R1-172.16.10.1-------172.16.10.2--R2

interface Serial0.1 multipoint
 ip address 172.16.10.1 255.255.255.0
 ip access-group allin in <---- IN
 ip access-group allout out <----- OUT
 ip ospf priority 255
 ipx network 12
 frame-relay map ip 172.16.10.1 102 broadcast
 frame-relay map ip 172.16.10.2 102 broadcast
 frame-relay map ip 172.16.10.3 103 broadcast
 frame-relay map ipx 12.0001.0001.0001 102 broadcast
 frame-relay map ipx 12.0002.0002.0002 102 broadcast
...
ip access-list extended allin
 evaluate allpackets <---- evaluate everything
ip access-list extended allout
 permit tcp any any reflect allpackets <--- tcp
 permit udp any any reflect allpackets <--- udp
 permit icmp any any reflect allpackets <--- icmp

=======================
run result:

r1#ping 172.16.10.2 <--- Always fails

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#ct <---- remove reflexive access-list
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#int s0.1
r1(config-subif)#no ip access
r1(config-subif)#no ip access-group allin in
r1(config-subif)#no ip access-group allout out
r1(config-subif)#^Z
r1#pin
07:30:09: %SYS-5-CONFIG_I: Configured from console by console
r1#ping 172.16.10.2 <--- Ok if no reflexive access-list

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
r1#

Thanks,
Chang
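The mechanism behind the configuration in the post, as an added toy model in Python (it is neither IOS code nor anything from the post): a `permit ... reflect` clause creates a temporary mirrored entry when a packet passes the outbound list, and `evaluate` admits an inbound packet only if it matches such an entry, after which the implicit deny applies. The model also encodes the IOS behaviour that packets the router itself generates are not checked by an outbound access list, so a ping issued from R1's own console never creates a reflected entry and its echo reply falls to the implicit deny of `allin`, while the same lists admit replies to transit traffic. Representing `allpackets` as a set of 5-tuples, keying ICMP on the address pair only, and the host address 10.0.0.5 are assumptions of the model, not IOS internals.

```python
# Toy model of how a Cisco IOS reflexive access list decides what to admit.
# Added illustration only; it is neither IOS code nor the poster's configuration.
# Assumptions: 'allpackets' is a set of mirrored 5-tuples, ICMP is keyed on the
# address pair only (the real IOS entry format is richer), and 10.0.0.5 is a
# constructed host address behind R1.
from dataclasses import dataclass
from typing import Set, Tuple

R1, R2 = "172.16.10.1", "172.16.10.2"       # addresses from the post
LAN_HOST = "10.0.0.5"                        # constructed transit host behind R1

Key = Tuple[str, str, str, int, int]         # proto, src, dst, sport, dport


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for icmp
    dport: int = 0


def key(pkt: Packet) -> Key:
    return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


def mirror(pkt: Packet) -> Key:
    """The entry a 'reflect' clause creates: addresses and ports swapped."""
    return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)


class ReflexiveFilter:
    """'allout' = permit tcp/udp/icmp any any reflect allpackets;
    'allin'  = evaluate allpackets, then the implicit deny."""

    REFLECTED = ("tcp", "udp", "icmp")

    def __init__(self) -> None:
        self.allpackets: Set[Key] = set()    # temporary reflected entries

    def outbound(self, pkt: Packet, router_originated: bool = False) -> bool:
        # IOS does not run an outbound access list against packets the router
        # itself generates, so they leave without creating a reflected entry.
        if router_originated:
            return True
        if pkt.proto in self.REFLECTED:
            self.allpackets.add(mirror(pkt))
            return True
        return False                          # implicit deny

    def inbound(self, pkt: Packet) -> bool:
        # 'evaluate' permits only an exact reflected match; anything else
        # falls through to the implicit deny at the end of 'allin'.
        return key(pkt) in self.allpackets


def router_ping_reply_admitted() -> bool:
    """R1 pings R2 from its own console, as in the post."""
    f = ReflexiveFilter()
    f.outbound(Packet("icmp", R1, R2), router_originated=True)
    return f.inbound(Packet("icmp", R2, R1))      # echo reply from R2


def transit_ping_reply_admitted() -> bool:
    """A host behind R1 pings R2 through Serial0.1."""
    f = ReflexiveFilter()
    f.outbound(Packet("icmp", LAN_HOST, R2))
    return f.inbound(Packet("icmp", R2, LAN_HOST))


def transit_tcp_reply_admitted() -> bool:
    """A host behind R1 opens telnet to R2; the SYN/ACK must match the mirror."""
    f = ReflexiveFilter()
    f.outbound(Packet("tcp", LAN_HOST, R2, 40000, 23))
    return f.inbound(Packet("tcp", R2, LAN_HOST, 23, 40000))


def unsolicited_inbound_admitted() -> bool:
    """R2 connects in on its own; no outbound packet ever created an entry."""
    f = ReflexiveFilter()
    return f.inbound(Packet("tcp", R2, LAN_HOST, 40001, 23))


if __name__ == "__main__":
    for fn in (router_ping_reply_admitted, transit_ping_reply_admitted,
               transit_tcp_reply_admitted, unsolicited_inbound_admitted):
        print(f"{fn.__name__}: {fn()}")
```

Running it shows the four cases side by side: the router's own echo reply is dropped, replies to transit ICMP and TCP are admitted because a mirrored entry exists, and an unsolicited inbound connection is denied. The practical check on the router is the same idea: with the lists applied, a ping sourced from a host behind R1 rather than from R1's console is the test that exercises the `reflect` entry.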



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:19 GMT-3