Re: reflexive access-list

From: Carlos G Mendioroz (tron@xxxxxxxxxxx)
Date: Thu Aug 08 2002 - 06:54:45 GMT-3


   
Ah, ok. That explains it. You have OSPF and RIP entries there, so the list
is (was) not empty...

Have you put those in, or are they auto?
This would be strange if auto, since this is self-generated traffic...

ying c wrote:
>
> Hi all,
>
> Below is the output:
>
> Before ping:
>
> Extended IP access list allin
> evaluate allpackets
> permit ospf any any (1039 matches)
> permit udp any any eq rip
> Extended IP access list allout
> permit tcp any any reflect allpackets
> permit udp any any reflect allpackets
> permit icmp any any reflect allpackets
> permit ospf any any
> permit udp any any eq rip
> Reflexive IP access list allpackets
> r1#
> ----------------------------------------------------
> After call from r1:
>
> r1#ping 172.16.10.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> Extended IP access list allin
> evaluate allpackets
> permit ospf any any (1052 matches)
> permit udp any any eq rip
> Extended IP access list allout
> permit tcp any any reflect allpackets
> permit udp any any reflect allpackets
> permit icmp any any reflect allpackets
> permit ospf any any
> permit udp any any eq rip
> Reflexive IP access list allpackets
> r1#
> ------------------------------------------------------
> After call from a router that connects to r1:
>
> rsm#ping 172.16.10.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip
> min/avg/max = 72/75/80 ms
> rsm#
> Extended IP access list allin
> evaluate allpackets
> permit ospf any any (1056 matches)
> permit udp any any eq rip
> Extended IP access list allout
> permit tcp any any reflect allpackets
> permit udp any any reflect allpackets
> permit icmp any any reflect allpackets
> permit ospf any any
> permit udp any any eq rip
> Reflexive IP access list allpackets
> permit icmp host 172.16.10.2 host 172.16.32.12 (11 matches) (time left -743096) <<<----
> r1#
> ----------------------------------------------------------------
>
> --- Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> > Brian,
> > this is ok... but I used to believe that in this case, as the
> > evaluate is the only statement in the allin ACL, then allin
> > would be empty and allow all traffic through.
> >
> > This used to be a common gotcha on reflexive (and
> > CBAC) ACLs.
> > Has this changed ?
> >
> > Chang, what would be the output of a show access-lists?
> >
> >
> >
> > Brian Dennis wrote:
> > >
> > > Traffic generated by R1 isn't going to be evaluated out and in turn
> > > won't be let back in. Try testing it from behind R1.
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ying c
> > > Sent: Wednesday, August 07, 2002 12:40 PM
> > > To: ccielab@groupstudy.com
> > > Subject: reflexive access-list
> > >
> > > Hi,
> > >
> > > Can someone tell me why the following reflexive
> > > access-list would not work? I'm not even bothering
> > > to block anything any more; the IOS is 12.1-15:
> > >
> > > R1-172.16.10.1-------172.16.10.2--R2
> > >
> > > interface Serial0.1 multipoint
> > > ip address 172.16.10.1 255.255.255.0
> > > ip access-group allin in <---- IN
> > > ip access-group allout out <----- OUT
> > > ip ospf priority 255
> > > ipx network 12
> > > frame-relay map ip 172.16.10.1 102 broadcast
> > > frame-relay map ip 172.16.10.2 102 broadcast
> > > frame-relay map ip 172.16.10.3 103 broadcast
> > > frame-relay map ipx 12.0001.0001.0001 102 broadcast
> > > frame-relay map ipx 12.0002.0002.0002 102 broadcast
> > > ...
> > > ip access-list extended allin
> > > evaluate allpackets <---- evaluate everything
> > > ip access-list extended allout
> > > permit tcp any any reflect allpackets <--- tcp
> > > permit udp any any reflect allpackets <--- udp
> > > permit icmp any any reflect allpackets <--- icmp
> > >
> > > =======================
> > > run result:
> > >
> > > r1#ping 172.16.10.2 <--- Always fails
> > >
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> > > .....
> > > Success rate is 0 percent (0/5)
> > > r1#ct <---- remove reflexive access-list
> > > Enter configuration commands, one per line. End with CNTL/Z.
> > > r1(config)#int s0.1
> > > r1(config-subif)#no ip access
> > > r1(config-subif)#no ip access-group allin in
> > > r1(config-subif)#no ip access-group allout out
> > > r1(config-subif)#^Z
> > > r1#pin
> > > 07:30:09: %SYS-5-CONFIG_I: Configured from console by console
> > > r1#ping 172.16.10.2 <--- Ok if no reflexive
> > > access-list
> > >
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> > > !!!!!
> > > Success rate is 100 percent (5/5), round-trip
> > > min/avg/max = 60/60/60 ms
> > > r1#
> > >
> > > Thanks,
> > > Chang
> > >
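To make the mechanism behind Brian's answer concrete, here is an added Python model of how a reflexive ACL builds its state. It is not code from the thread or from Cisco. It assumes two IOS behaviours: interface ACLs are not applied to traffic the router itself originates, and an ACL with no entries permits everything. The ACL names, addresses and packets are constructed to mirror Chang's posted output; 300 seconds is the IOS default for `ip reflexive-list timeout`.

```python
# Added example, not code from the thread: a small Python model of how a Cisco IOS
# reflexive ACL builds state, showing why r1's own ping fails while rsm's succeeds.
# Names, addresses and packets are constructed to mirror the posted output; 300 s
# is the IOS default for `ip reflexive-list timeout`.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp", "udp", "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports (icmp, ospf)
    dport: int = 0

@dataclass
class Ace:
    """One line of an extended ACL: permit/deny, optional reflect or evaluate."""
    action: str = "permit"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    reflect: Optional[str] = None     # permit ... reflect NAME
    evaluate: Optional[str] = None    # evaluate NAME

    def hits(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))

class ReflexiveList:
    """Temporary entries created by 'reflect', mirrored so the reply matches."""
    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.entries: Dict[tuple, int] = {}   # mirrored 5-tuple -> expiry time

    def add_from_outbound(self, p: Packet, now: int) -> None:
        # Swap addresses and ports, as in "permit icmp host 172.16.10.2 host 172.16.32.12"
        self.entries[(p.proto, p.dst, p.src, p.dport, p.sport)] = now + self.timeout

    def permits(self, p: Packet, now: int) -> bool:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)       # missing or expired: no match
            return False
        return True

class Router:
    def __init__(self, own_addrs, acl_in, acl_out, reflexive):
        self.own_addrs = set(own_addrs)
        self.acl_in, self.acl_out, self.reflexive = acl_in, acl_out, reflexive

    def _apply(self, acl: List[Ace], p: Packet, now: int) -> bool:
        if not acl:
            return True                   # an ACL with no entries permits everything
        for ace in acl:
            if ace.evaluate is not None:  # consult the reflexive list, else keep going
                if self.reflexive[ace.evaluate].permits(p, now):
                    return True
                continue
            if ace.hits(p):
                if ace.reflect is not None and ace.action == "permit":
                    self.reflexive[ace.reflect].add_from_outbound(p, now)
                return ace.action == "permit"
        return False                      # implicit deny at the end of the list

    def send(self, p: Packet, now: int) -> bool:
        # IOS does not run interface ACLs on traffic the router itself originates,
        # so r1's own echo never reaches the 'reflect' lines and leaves no entry.
        if p.src in self.own_addrs:
            return True
        return self._apply(self.acl_out, p, now)

    def receive(self, p: Packet, now: int) -> bool:
        return self._apply(self.acl_in, p, now)

def build_r1() -> Router:
    # r1 as configured in Chang's second posting (allin / allout / allpackets)
    allin = [Ace(evaluate="allpackets"), Ace(proto="ospf"),
             Ace(proto="udp", dport=520)]                 # permit udp any any eq rip
    allout = [Ace(proto="tcp", reflect="allpackets"), Ace(proto="udp", reflect="allpackets"),
              Ace(proto="icmp", reflect="allpackets"), Ace(proto="ospf"),
              Ace(proto="udp", dport=520)]
    return Router(["172.16.10.1"], allin, allout, {"allpackets": ReflexiveList()})

def ping_round_trip(r1: Router, src: str, dst: str, t0: int, reply_delay: int = 0) -> bool:
    # Echo out through s0.1 at t0, echo reply back in later; True only if both pass.
    return (r1.send(Packet("icmp", src, dst), t0)
            and r1.receive(Packet("icmp", dst, src), t0 + reply_delay))

def ping_from_r1() -> bool:                  # r1#ping 172.16.10.2 -> fails
    return ping_round_trip(build_r1(), "172.16.10.1", "172.16.10.2", 0)

def ping_from_rsm() -> bool:                 # rsm#ping 172.16.10.2 through r1 -> works
    return ping_round_trip(build_r1(), "172.16.32.12", "172.16.10.2", 0)

def ping_from_rsm_after_timeout() -> bool:   # reply arrives after the entry expired
    return ping_round_trip(build_r1(), "172.16.32.12", "172.16.10.2", 0, reply_delay=301)
```

The three ping_* functions reproduce the thread: r1's own echo bypasses allout, so no mirrored entry is ever created and the reply falls through allin to the implicit deny; rsm's echo hits the icmp reflect line, creates the `icmp host 172.16.10.2 host 172.16.32.12` entry, and the reply matches it via evaluate; a reply arriving after the timeout is denied again. Because allin also carries the ospf and rip permits, it is not an empty list, which is why the implicit deny applies to everything else.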



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:20 GMT-3