RE: reflexive access-list

From: Brian Dennis (brian@xxxxxx)
Date: Wed Aug 07 2002 - 18:00:27 GMT-3

• Next message: Brian Dennis: "RE: OT: RE: Dark rivers of the heart?"
• Previous message: Darryl Munro: "RE: Dark rivers of the heart?"
• Maybe in reply to: ying c: "reflexive access-list"
• Next in thread: ying c: "RE: reflexive access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
Traffic generated by R1 isn't going to be evaluated out and in turn
won't be let back in. Try testing it from behind R1.

Brian Dennis, CCIE #2210 (R&S/ISP Dial)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ying c
Sent: Wednesday, August 07, 2002 12:40 PM
To: ccielab@groupstudy.com
Subject: reflexive access-list

Hi,

Can someone tell me why the following reflexive
access-list would not work? I'm not even bothering
blocking anything any more, the IOS is 12.1-15:

R1-172.16.10.1-------172.16.10.2--R2

interface Serial0.1 multipoint
 ip address 172.16.10.1 255.255.255.0
 ip access-group allin in <---- IN
 ip access-group allout out <----- OUT
 ip ospf priority 255
 ipx network 12
 frame-relay map ip 172.16.10.1 102 broadcast
 frame-relay map ip 172.16.10.2 102 broadcast
 frame-relay map ip 172.16.10.3 103 broadcast
 frame-relay map ipx 12.0001.0001.0001 102 broadcast
 frame-relay map ipx 12.0002.0002.0002 102 broadcast
...
ip access-list extended allin
 evaluate allpackets <---- evaluate everything
ip access-list extended allout
 permit tcp any any reflect allpackets <--- tcp
 permit udp any any reflect allpackets <--- udp
 permit icmp any any reflect allpackets <--- icmp

=======================
run result:

r1#ping 172.16.10.2 <--- Always fails

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout
is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#ct <---- remove reflexive access-list
Enter configuration commands, one per line. End with
CNTL/Z.
r1(config)#int s0.1
r1(config-subif)#no ip access
r1(config-subif)#no ip access-group allin in
r1(config-subif)#no ip access-group allout out
r1(config-subif)#^Z
r1#pin
07:30:09: %SYS-5-CONFIG_I: Configured from console by
console
r1#ping 172.16.10.2 <--- Ok if no reflexive
access-list

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout
is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip
min/avg/max = 60/60/60 ms
r1#

Thanks,
Chang

• Next message: Brian Dennis: "RE: OT: RE: Dark rivers of the heart?"
• Previous message: Darryl Munro: "RE: Dark rivers of the heart?"
• Maybe in reply to: ying c: "reflexive access-list"
• Next in thread: ying c: "RE: reflexive access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:19 GMT-3