RE: problem with reflexive access list

From: Brian Dennis (brian@5g.net)
Date: Sat Dec 14 2002 - 16:35:05 GMT-3


You also misspelled "outboundfilter" when you applied it to Ethernet 0.

Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)

-----Original Message-----
From: John Tafasi [mailto:johntafasi@yahoo.com]
Sent: Friday, December 13, 2002 11:43 PM
To: Brian Dennis; 'Cisco Group Study'; 'ccielab'
Subject: Re: problem with reflexive access list

I tried that too and it did not work.
----- Original Message -----
From: "Brian Dennis" <brian@5g.net>
To: "'John Tafasi'" <johntafasi@yahoo.com>; "'Cisco Group Study'"
<cisco@groupstudy.com>; "'ccielab'" <ccielab@groupstudy.com>
Sent: Friday, December 13, 2002 11:56 PM
Subject: RE: problem with reflexive access list

> John,
> By default packets sourced by the router will not be affected by an
> outbound ACL. Since the outbound ACL does not "see" the telnet traffic
> sourced by the router, the router does not add an entry to the inbound
> ACL to allow the traffic to return. Try telnetting from behind R5.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> John Tafasi
> Sent: Friday, December 13, 2002 4:32 PM
> To: Cisco Group Study; ccielab
> Subject: problem with reflexive access list
>
> Hello,
>
> I have a problem telnetting from r5 to r2 when a reflexive ip access list
> is configured. Without the reflexive access list, the telnet will work
> fine. The two routers are directly connected via their ethernet 0
> interfaces. Could someone find out what is wrong with my configuration?
> Both routers are using their ethernet ip addresses for source and
> destination of the telnet traffic.
>
>
> hostname r5
> !
> ip reflexive-list timeout 1000
> !
> ip access-list extended inboundfilter
> permit igrp any any
> evaluate tcptraffic
> ip access-list extended outboundfilter
> permit tcp any any reflect tcptraffic timeout 5000
> !
> interface Ethernet0
> ip address 10.10.110.3 255.255.255.0
> ip access-group inboundfilter in
> ip access-group outboundfiler out
> ntp disable
>
> ================
>
> hostname r2
> !
> interface Ethernet0
> ip address 10.10.110.16 255.255.255.0
> .
.
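An added illustration of the behaviour Brian describes, not part of the thread and not Cisco code: a small Python model of r5's Ethernet0 with the posted inboundfilter/outboundfilter. It mirrors the outbound 5-tuple into the tcptraffic list on 'reflect', checks it on 'evaluate', expires entries after the 5000 second timeout from the posted config, and skips the outbound ACL for packets the router itself generates. The LAN host address 10.10.120.7 and the client port 11001 are constructed for the example; the router addresses are those from the posted config.

```python
"""Model of IOS reflexive ACL handling for the r5 <-> r2 telnet scenario.

Added example: it simulates the outbound 'reflect' and inbound 'evaluate'
steps and the fact that packets sourced by the router itself bypass the
outbound ACL, so no reflexive entry is created for a telnet started from
r5's own exec prompt.
"""
from dataclasses import dataclass, field

R5_ETH0 = "10.10.110.3"     # from the posted r5 config
R2_ETH0 = "10.10.110.16"    # from the posted r2 config
LAN_HOST = "10.10.120.7"    # constructed: a host on a LAN behind r5 (assumption)
TELNET = 23
EPHEMERAL = 11001           # constructed client-side port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    router_sourced: bool = False   # True when r5 itself generated the packet


@dataclass
class ReflexiveList:
    """A named reflexive list such as 'tcptraffic': mirrored 5-tuples with expiry."""
    name: str
    timeout: int                                   # seconds, per 'reflect ... timeout N'
    entries: dict = field(default_factory=dict)    # mirrored tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # Store the mirror image of the outbound flow so the reply matches it.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= now:            # expired entries are purged, not matched
            del self.entries[key]
            return False
        return True


class R5:
    """r5's Ethernet0 with the posted 'inboundfilter' and 'outboundfilter'."""

    def __init__(self) -> None:
        self.tcptraffic = ReflexiveList("tcptraffic", timeout=5000)

    def outbound(self, pkt: Packet, now: int) -> bool:
        # IOS does not pass locally generated packets through an outbound
        # ACL, so 'reflect' never sees them and adds no entry.
        if pkt.router_sourced:
            return True
        # 'permit tcp any any reflect tcptraffic timeout 5000'
        if pkt.proto == "tcp":
            self.tcptraffic.reflect(pkt, now)
            return True
        return False                 # implicit deny at the end of the ACL

    def inbound(self, pkt: Packet, now: int) -> bool:
        # 'permit igrp any any', then 'evaluate tcptraffic', then implicit deny
        if pkt.proto == "igrp":
            return True
        return self.tcptraffic.evaluate(pkt, now)


def telnet_reply_allowed(src: str, router_sourced: bool, start: int = 0,
                         reply_at: int = 0) -> bool:
    """Send a telnet SYN from src to r2 out of r5's Ethernet0 and report
    whether r2's SYN-ACK is permitted back in by 'evaluate tcptraffic'."""
    r5 = R5()
    syn = Packet("tcp", src, EPHEMERAL, R2_ETH0, TELNET, router_sourced)
    assert r5.outbound(syn, start)          # the SYN always leaves
    syn_ack = Packet("tcp", R2_ETH0, TELNET, src, EPHEMERAL)
    return r5.inbound(syn_ack, reply_at)


if __name__ == "__main__":
    print("telnet from r5 itself :", telnet_reply_allowed(R5_ETH0, True))            # False
    print("telnet from behind r5 :", telnet_reply_allowed(LAN_HOST, False))          # True
    print("reply after timeout   :", telnet_reply_allowed(LAN_HOST, False, 0, 6000)) # False
```

Running it shows the two outcomes from the thread: a telnet sourced by r5 never creates a tcptraffic entry and its SYN-ACK is dropped by the inbound ACL, while the same session from a host behind r5 is reflected and the reply is permitted until the entry times out.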



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:45 GMT-3