From: Carlos G Mendioroz (tron@xxxxxxxxxxx)
Date: Wed Aug 07 2002 - 19:16:26 GMT-3
Brian,
this is ok... but I used to believe that in this case, as the
evaluate is the only statement in the allin ACL, then allin
would be empty and allow all traffic through.
This used to be a common gotcha on reflexive (and CBAC) ACLs.
Has this changed?
Chang, what would be the output of a show access-lists ?
Brian Dennis wrote:
>
> Traffic generated by R1 isn't going to be evaluated out and in turn
> won't be let back in. Try testing it from behind R1.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ying c
> Sent: Wednesday, August 07, 2002 12:40 PM
> To: ccielab@groupstudy.com
> Subject: reflexive access-list
>
> Hi,
>
> Can someone tell me why the following reflexive
> access-list would not work? I'm not even bothering
> blocking anything any more, the IOS is 12.1-15:
>
> R1-172.16.10.1-------172.16.10.2--R2
>
> interface Serial0.1 multipoint
> ip address 172.16.10.1 255.255.255.0
> ip access-group allin in <---- IN
> ip access-group allout out <----- OUT
> ip ospf priority 255
> ipx network 12
> frame-relay map ip 172.16.10.1 102 broadcast
> frame-relay map ip 172.16.10.2 102 broadcast
> frame-relay map ip 172.16.10.3 103 broadcast
> frame-relay map ipx 12.0001.0001.0001 102 broadcast
> frame-relay map ipx 12.0002.0002.0002 102 broadcast
> ...
> ip access-list extended allin
> evaluate allpackets <---- evaluate everything
> ip access-list extended allout
> permit tcp any any reflect allpackets <--- tcp
> permit udp any any reflect allpackets <--- udp
> permit icmp any any reflect allpackets <--- icmp
>
> =======================
> run result:
>
> r1#ping 172.16.10.2 <--- Always fails
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout
> is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> r1#ct <---- remove reflexive access-list
> Enter configuration commands, one per line. End with
> CNTL/Z.
> r1(config)#int s0.1
> r1(config-subif)#no ip access
> r1(config-subif)#no ip access-group allin in
> r1(config-subif)#no ip access-group allout out
> r1(config-subif)#^Z
> r1#pin
> 07:30:09: %SYS-5-CONFIG_I: Configured from console by
> console
> r1#ping 172.16.10.2 <--- Ok if no reflexive
> access-list
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout
> is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip
> min/avg/max = 60/60/60 ms
> r1#
>
> Thanks,
> Chang
>
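The behaviour Brian describes, modelled as an added example (not from the original thread or from Cisco): a simplified reflect/evaluate state table in which router-originated packets never traverse the outbound ACL, so no mirrored entry is created and the reply is dropped by the implicit deny. The host address 10.1.1.10 is a constructed example, and ICMP is mirrored on addresses only rather than on type/code as IOS really does.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0   # 0 for ICMP in this simplified model
    dport: int = 0

class ReflexiveACL:
    """Simplified model of IOS 'reflect' (outbound) / 'evaluate' (inbound)."""
    def __init__(self):
        self.entries = set()  # mirrored 5-tuples created by outbound 'reflect'

    def outbound(self, pkt, router_originated=False):
        # IOS does not run traffic the router itself generates through the
        # outbound access-group, so 'reflect' never creates an entry for it.
        if router_originated:
            return True
        # 'allout' permits only tcp/udp/icmp with reflect; others hit implicit deny.
        if pkt.proto not in ("tcp", "udp", "icmp"):
            return False
        self.entries.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt):
        # 'evaluate allpackets' is the only line in 'allin': a packet passes only
        # if it matches a mirrored entry, otherwise the implicit deny drops it.
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries

def ping_from_router():
    """r1#ping 172.16.10.2 as in the thread: echo is router-originated."""
    acl = ReflexiveACL()
    acl.outbound(Packet("icmp", "172.16.10.1", "172.16.10.2"), router_originated=True)
    return acl.inbound(Packet("icmp", "172.16.10.2", "172.16.10.1"))  # False

def ping_from_behind_router():
    """Same ping sourced from a constructed host behind R1 (10.1.1.10)."""
    acl = ReflexiveACL()
    acl.outbound(Packet("icmp", "10.1.1.10", "172.16.10.2"))
    return acl.inbound(Packet("icmp", "172.16.10.2", "10.1.1.10"))  # True

if __name__ == "__main__":
    print("router-sourced ping reply permitted:", ping_from_router())
    print("host-sourced ping reply permitted:  ", ping_from_behind_router())
```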
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:19 GMT-3