RE: Reflexive ACL - what am I missing? Can't ping!!

From: Ouellette, Tim (tim.ouellette@eds.com)
Date: Fri May 02 2003 - 05:38:04 GMT-3


Per my previous comments, I think that your inbound/outbound are backwards.
Here's my setup

8.8.8.8/24 R8-------r7--------r6

192.168.78.0/24 between r7 and r8
192.168.67.0/24 between r6 and r7

The magic happens on r7. Basically whatever is permitted AND evaluated on
r7's ACL outbound will be reflected ( a hole opened up on the inbound) as a
dynamic entry on the inbound ACL. Here's my setup from r7. Tested and
working......

r6#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

r7#sh access-list
Extended IP access list inbound
    evaluate reflected_traffic
    permit eigrp any any (166 matches)
Extended IP access list outbound
    permit eigrp any any
    permit icmp any any reflect reflected_traffic
Reflexive IP access list reflected_traffic
    permit icmp host 8.8.8.8 host 192.168.67.6 (10 matches) (time left -1404131)   <----- DYNAMIC entry built

Here's the config of r7

interface Ethernet3
 ip address 192.168.78.7 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out
 media-type 10BaseT

ip access-list extended inbound
 evaluate reflected_traffic
 permit eigrp any any
ip access-list extended outbound
 permit eigrp any any
 permit icmp any any reflect reflected_traffic timeout 120

----- Original Message -----
From: "Jeongwoo Park" <jpark@wams.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, May 01, 2003 11:03 PM
Subject: Reflexive ACL - what am I missing? Can't ping!!

> Hi all,
>
> I reached the point where I need some help from you guys.
>
> R1(s0)----(s0/0)R3(e0/0)-----(e0/0)R5
>
> I can't ping from R5 to R1 ( 1.1.1.1 )
> I can't ping from R5 to R1 (120.20.13.1)
> I can ping from R3 to R1
> I thought I was permitting icmp traffic, but somehow the Reflexive ACL
> is blocking it. What am I not understanding?
>
> r3#deb ip icmp
> r5#deb ip icmp
>
>
> r5#ping 1.1.1.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: U.U.U
> Success rate is 0 percent (0/5)
> r5#
> 00:46:59: ICMP: dst (120.20.35.5) administratively prohibited unreachable
> rcv from 120.20.35.3
> 00:47:01: ICMP: dst (120.20.35.5) administratively prohibited unreachable
> rcv from 120.20.35.3
> r5#
> 00:47:03: ICMP: dst (120.20.35.5) administratively prohibited unreachable
> rcv from 120.20.35.3
>
> r5#ping 120.20.13.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: U.U.U
> 00:41:28: ICMP: dst (120.20.35.5) administratively prohibited unreachable
> rcv from 120.20.35.3
> 00:41:30: ICMP: dst (120.20.35.5) administratively prohibited unreachable
> rcv from 120.20.35.3
> r5#
> 00:41:32: ICMP: dst (120.20.35.5) administratively prohibited unreachable
> rcv from 120.20.35.3
>
> r3#
> 00:58:30: ICMP: dst (1.1.1.1) administratively prohibited unreachable
> sent to 120.20.35.5
> r3#
> 00:58:32: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent
> to 120.20.35.5
> r3#
> 00:58:34: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent
> to 120.20.35.5
> r3#
> r3#
> 00:59:02: ICMP: dst (120.20.13.1) administratively prohibited unreachable
> sent to 120.20.35.5
> r3#
> 00:59:04: ICMP: dst (120.20.13.1) administratively prohibited unreachable
> sent to 120.20.35.5
> r3#
> 00:59:06: ICMP: dst (120.20.13.1) administratively prohibited unreachable
> sent to 120.20.35.5
> r3#
> r5#
> ===========================
>
> R1:
> interface Serial0
> bandwidth 10000
> ip address 120.20.13.1 255.255.255.248
> clock rate 64000
>
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> ip ospf network point-to-point
> !
>
>
> ========================
> hostname r3
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> ip reflexive-list timeout 60
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 3.3.3.3 255.255.255.0
> !
> interface Ethernet0/0
> ip address 120.20.35.3 255.255.255.0
> !
> interface Serial0/0
> ip address 120.20.13.3 255.255.255.248
> ip access-group inbound in
> ip access-group outbound out
> no fair-queue
> !
> router ospf 1
> router-id 3.3.3.3
> log-adjacency-changes
> area 1 virtual-link 1.1.1.1
> network 3.3.3.0 0.0.0.255 area 2
> network 120.20.13.0 0.0.0.7 area 1
> !
> router rip
> redistribute ospf 1 metric 5
> passive-interface default
> no passive-interface Ethernet0/0
> network 120.0.0.0
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.1.1
> ip http server
> !
> !
> ip access-list extended inbound
> permit ospf any any
> permit icmp any any
> permit pim any any
> permit udp any any
> evaluate tcptraffic
> ip access-list extended outbound
> permit tcp any any reflect tcptraffic
> ======================================
> hostname r5
> !
> !
> memory-size iomem 20
> ip subnet-zero
> ip tftp source-interface Ethernet0/0
> no ip domain-lookup
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 5.5.5.5 255.255.255.0
> no ip directed-broadcast
> !
> interface Ethernet0/0
> ip address 120.20.35.5 255.255.255.0
> no ip directed-broadcast
> !
> router rip
> passive-interface default
> no passive-interface Ethernet0/0
> network 5.0.0.0
> network 120.0.0.0
> ===============================
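Added example (not code from this thread, not Cisco's implementation): a small Python model of how an extended ACL with `reflect` and `evaluate` entries is walked. It parses the two access-list configs quoted above (embedded below as constructed strings, with the mail quoting removed), then simulates an echo request leaving the filtered interface and its echo reply coming back. The parser only understands `any` and `host` addresses and protocol names, and treats `evaluate` as positional with an implicit deny at the end of every list; the function and variable names are this example's own. On r7 the outbound `permit icmp ... reflect` creates the mirrored entry that lets the reply back in; on r3 the outbound list holds only the TCP reflect entry, so the echo never leaves and the model stops there, matching the "administratively prohibited" debug output in the original post.

```python
"""Toy model of IOS extended + reflexive ACL evaluation (illustrative, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copies of the two configs quoted in the thread (mail quoting stripped).
R7_CONFIG = """
interface Ethernet3
 ip address 192.168.78.7 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out

ip access-list extended inbound
 evaluate reflected_traffic
 permit eigrp any any
ip access-list extended outbound
 permit eigrp any any
 permit icmp any any reflect reflected_traffic timeout 120
"""

R3_CONFIG = """
ip reflexive-list timeout 60
!
interface Serial0/0
 ip address 120.20.13.3 255.255.255.248
 ip access-group inbound in
 ip access-group outbound out
!
ip access-list extended inbound
 permit ospf any any
 permit icmp any any
 permit pim any any
 permit udp any any
 evaluate tcptraffic
ip access-list extended outbound
 permit tcp any any reflect tcptraffic
"""

@dataclass
class Entry:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip', 'icmp', 'tcp', 'udp', 'eigrp', 'ospf', 'pim'
    src: str                        # 'any' or a host address
    dst: str
    reflect: Optional[str] = None   # reflexive list this entry populates
    evaluate: Optional[str] = None  # reflexive list this entry consults

def _addr(toks: List[str]) -> Tuple[str, List[str]]:
    """Consume one ACL address token ('any' or 'host X'); wildcard masks are not modelled."""
    if toks[0] == 'any':
        return 'any', toks[1:]
    if toks[0] == 'host':
        return toks[1], toks[2:]
    raise ValueError(f'unsupported address form: {toks[0]}')

def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect the entries of every 'ip access-list extended NAME' block in a config."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif line.startswith('ip access-list extended '):
            current = line.split()[-1]
            acls[current] = []
        elif current and line.startswith('evaluate '):
            acls[current].append(Entry('permit', 'ip', 'any', 'any', evaluate=line.split()[1]))
        elif current and line.split()[0] in ('permit', 'deny'):
            toks = line.split()
            action, proto, rest = toks[0], toks[1], toks[2:]
            src, rest = _addr(rest)
            dst, rest = _addr(rest)
            reflect = rest[rest.index('reflect') + 1] if 'reflect' in rest else None
            acls[current].append(Entry(action, proto, src, dst, reflect=reflect))
        else:
            current = None          # any other config line ends the ACL block
    return acls

@dataclass
class Router:
    acls: Dict[str, List[Entry]]
    reflexive: Dict[str, List[Tuple[str, str, str]]] = field(default_factory=dict)

    def apply(self, acl_name: str, proto: str, src: str, dst: str) -> Tuple[str, str]:
        """Walk one list top-down; return (verdict, matching entry). Ends in implicit deny."""
        for e in self.acls[acl_name]:
            if e.evaluate is not None:
                if (proto, src, dst) in self.reflexive.get(e.evaluate, []):
                    return 'permit', f'reflexive entry in {e.evaluate}'
                continue                      # no dynamic match: keep walking the list
            if e.proto in ('ip', proto) and e.src in ('any', src) and e.dst in ('any', dst):
                if e.action == 'permit' and e.reflect:
                    # mirror the flow: the reply arrives with src/dst swapped
                    self.reflexive.setdefault(e.reflect, []).append((proto, dst, src))
                return e.action, f'{e.action} {e.proto} {e.src} {e.dst}'
        return 'deny', 'implicit deny'

def ping_verdict(acls, out_name: str, in_name: str, src: str, dst: str) -> Dict[str, object]:
    """Simulate an ICMP echo out through OUT_NAME and its reply back in through IN_NAME."""
    r = Router(acls)
    out_v, out_why = r.apply(out_name, 'icmp', src, dst)
    if out_v != 'permit':
        return {'echo_out': out_why,
                'reply_in': 'never reached: echo dropped by the outbound list'}
    _, in_why = r.apply(in_name, 'icmp', dst, src)
    return {'echo_out': out_why, 'reply_in': in_why, 'reflexive': dict(r.reflexive)}

if __name__ == '__main__':
    print('r7:', ping_verdict(parse_acls(R7_CONFIG), 'outbound', 'inbound', '192.168.67.6', '8.8.8.8'))
    print('r3:', ping_verdict(parse_acls(R3_CONFIG), 'outbound', 'inbound', '120.20.35.5', '1.1.1.1'))
```

The model makes the asymmetry visible: the `evaluate` line on r3's inbound list is never the problem, because the flow has to be permitted by a `reflect` entry on the way out before anything exists for `evaluate` to match on the way back.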



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:35 GMT-3