From: Tim Fletcher (tim@fletchmail.net)
Date: Fri May 02 2003 - 12:13:28 GMT-3
At 05:01 AM 5/2/2003 -0400, Ouellette, Tim wrote:
>I concur. Since OSPF is explicitly permitted in the inbound ACL and the
>outbound ACL, it'll never get to the reflect stage or the evaluate
>portion.
>
>As a side note when I was labbing this up.
>
>I used a named extended ACL and applied it to an interface, but the NACL had
>nothing in it (no permits or denies) and it appeared to be a permit any. I
>thought the explicit deny was always there, but it appears that didn't take
>effect until I added a line. Does that sound right?
Yes, an empty access-list is the same as no access-list.
>Tim
>
>-----Original Message-----
>From: Swink, Dave [mailto:DSwink@protrader.com]
>Sent: Friday, May 02, 2003 3:11 AM
>To: 'tim.ouellette@eds.com'; 'jpark@wams.com'
>Cc: 'ccielab@groupstudy.com'
>Subject: RE: Reflexive ACL - what am I missing? Can't ping!!
>
>
>Yep. This should allow ping and OSPF only when initiated from inside. PIM
>& UDP would be allowed out only. OSPF could be initiated from either
>direction.
>
>ip access-list extended outbound
> permit ospf any any
> permit icmp any any reflect sometraffic
> permit pim any any
> permit udp any any
>ip access-list extended inbound
> permit ospf any any
> evaluate sometraffic
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Ouellette, Tim
>Sent: Thursday, May 01, 2003 11:20 PM
>To: 'Jeongwoo Park'
>Cc: 'ccielab@groupstudy.com'
>Subject: RE: Reflexive ACL - what am I missing? Can't ping!!
>
>
>Try this.
>
>Swap the inbound and the outbound ACL.
>
>Basically, permit icmp and the others outbound out of s0/0 on R3, and then
>reflect inbound on the s0/0 interface.
>
>Tim
>
>-----Original Message-----
>From: Jeongwoo Park [mailto:jpark@wams.com]
>Sent: Thursday, May 01, 2003 11:04 PM
>To: 'ccielab@groupstudy.com'
>Subject: Reflexive ACL - what am I missing? Can't ping!!
>
>
>Hi all,
>
>I reached the point where I need some help from you guys.
>
>R1(s0)----(s0/0)R3(e0/0)-----(e0/0)R5
>
>I can't ping from R5 to R1 ( 1.1.1.1 )
>I can't ping from R5 to R1 (120.20.13.1)
>I can ping from R3 to R1
>I thought I was permitting icmp traffic, but somehow the Reflexive ACL is
>blocking it. What am I not understanding?
>
>r3#deb ip icmp
>r5#deb ip icmp
>
>
>r5#ping 1.1.1.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>U.U.U
>Success rate is 0 percent (0/5)
>r5#
>00:46:59: ICMP: dst (120.20.35.5) administratively prohibited unreachable
>rcv from 120.20.35.3
>00:47:01: ICMP: dst (120.20.35.5) administratively prohibited unreachable
>rcv from 120.20.35.3
>r5#
>00:47:03: ICMP: dst (120.20.35.5) administratively prohibited unreachable
>rcv from 120.20.35.3
>
>r5#ping 120.20.13.1
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>U.U.U
>00:41:28: ICMP: dst (120.20.35.5) administratively prohibited unreachable
>rcv from 120.20.35.3
>00:41:30: ICMP: dst (120.20.35.5) administratively prohibited unreachable
>rcv from 120.20.35.3
>r5#
>00:41:32: ICMP: dst (120.20.35.5) administratively prohibited unreachable
>rcv from 120.20.35.3
>
>r3#
>00:58:30: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent
>to 120.20.35.5
>r3#
>00:58:32: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent
>to 120.20.35.5
>r3#
>00:58:34: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent
>to 120.20.35.5
>r3#
>r3#
>00:59:02: ICMP: dst (120.20.13.1) administratively prohibited unreachable
>sent to 120.20.35.5
>r3#
>00:59:04: ICMP: dst (120.20.13.1) administratively prohibited unreachable
>sent to 120.20.35.5
>r3#
>00:59:06: ICMP: dst (120.20.13.1) administratively prohibited unreachable
>sent to 120.20.35.5
>r3#
>r5#
>===========================
>
>R1:
>interface Serial0
> bandwidth 10000
> ip address 120.20.13.1 255.255.255.248
> clock rate 64000
>
>!
>interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> ip ospf network point-to-point
>!
>
>
>========================
>hostname r3
>!
>!
>!
>!
>!
>!
>ip subnet-zero
>no ip domain-lookup
>!
>ip reflexive-list timeout 60
>!
>!
>!
>!
>!
>!
>interface Loopback0
> ip address 3.3.3.3 255.255.255.0
>!
>interface Ethernet0/0
> ip address 120.20.35.3 255.255.255.0
>!
>interface Serial0/0
> ip address 120.20.13.3 255.255.255.248
> ip access-group inbound in
> ip access-group outbound out
> no fair-queue
>!
>router ospf 1
> router-id 3.3.3.3
> log-adjacency-changes
> area 1 virtual-link 1.1.1.1
> network 3.3.3.0 0.0.0.255 area 2
> network 120.20.13.0 0.0.0.7 area 1
>!
>router rip
> redistribute ospf 1 metric 5
> passive-interface default
> no passive-interface Ethernet0/0
> network 120.0.0.0
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 192.168.1.1
>ip http server
>!
>!
>ip access-list extended inbound
> permit ospf any any
> permit icmp any any
> permit pim any any
> permit udp any any
> evaluate tcptraffic
>ip access-list extended outbound
> permit tcp any any reflect tcptraffic
>======================================
>hostname r5
>!
>!
>memory-size iomem 20
>ip subnet-zero
>ip tftp source-interface Ethernet0/0
>no ip domain-lookup
>!
>!
>!
>!
>!
>interface Loopback0
> ip address 5.5.5.5 255.255.255.0
> no ip directed-broadcast
>!
>interface Ethernet0/0
> ip address 120.20.35.5 255.255.255.0
> no ip directed-broadcast
>!
>router rip
> passive-interface default
> no passive-interface Ethernet0/0
> network 5.0.0.0
> network 120.0.0.0
>===============================
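Added example, not from any of the posts above: a small Python model of how IOS
walks a named extended ACL with "reflect" and "evaluate" lines, used to replay
R3's Serial0/0 filtering for the configuration Jeongwoo posted and for the
swapped lists Dave posted. Addresses, list names and the 60-second reflexive
timeout are taken from the thread; the matching rules (protocol plus addresses
and ports, no ICMP type tracking, no session-close handling) are a deliberate
simplification of IOS and the function names are my own.

```python
# Toy model of IOS reflexive-ACL evaluation (illustration, not IOS code).
# Simplifications: a temporary entry is keyed on protocol + addresses + ports
# only, and expiry is a plain idle timeout refreshed on every hit.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp", "udp", "ospf", "pim"
    src: str
    dst: str
    sport: int = 0      # 0 = no port (icmp, ospf, pim)
    dport: int = 0


@dataclass
class Entry:
    """One line of a named extended ACL, or an 'evaluate' line."""
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # "ip" matches every protocol
    reflect: Optional[str] = None   # reflexive list this permit populates
    evaluate: Optional[str] = None  # reflexive list this line nests


@dataclass
class ReflexEntry:
    pkt: Packet         # the reverse flow that is temporarily permitted
    last_seen: float


class Router:
    """Holds named ACLs plus the temporary entries their reflect lines create."""

    def __init__(self, timeout=300.0):   # IOS default reflexive timeout is 300 s
        self.acls = {}      # ACL name -> list[Entry]
        self.reflex = {}    # reflexive list name -> list[ReflexEntry]
        self.timeout = timeout

    @staticmethod
    def _reverse(p):
        return Packet(p.proto, p.dst, p.src, p.dport, p.sport)

    def _evaluate(self, name, p, now):
        """Match p against live entries of a reflexive list; refresh on hit."""
        live, hit = [], False
        for r in self.reflex.get(name, []):
            if now - r.last_seen > self.timeout:
                continue            # idle entry has expired: drop it
            if r.pkt == p:
                r.last_seen = now
                hit = True
            live.append(r)
        self.reflex[name] = live
        return hit

    def filter(self, acl_name, p, now=0.0):
        """True if p is forwarded. An empty named ACL behaves as no ACL (permit)."""
        acl = self.acls.get(acl_name, [])
        if not acl:
            return True
        for e in acl:
            if e.action == "evaluate":
                if self._evaluate(e.evaluate, p, now):
                    return True
                continue            # no temporary match: fall through to next line
            if e.proto not in ("ip", p.proto):
                continue
            if e.action == "deny":
                return False
            if e.reflect:           # "permit ... reflect NAME" adds the reverse flow
                self.reflex.setdefault(e.reflect, []).append(
                    ReflexEntry(self._reverse(p), now))
            return True
        return False                # implicit deny at the end of a non-empty ACL


def original_r3():
    """R3 as first posted: ICMP permitted inbound, only TCP reflected outbound."""
    r = Router(timeout=60)          # ip reflexive-list timeout 60
    r.acls["inbound"] = [Entry("permit", "ospf"), Entry("permit", "icmp"),
                         Entry("permit", "pim"), Entry("permit", "udp"),
                         Entry("evaluate", evaluate="tcptraffic")]
    r.acls["outbound"] = [Entry("permit", "tcp", reflect="tcptraffic")]
    return r


def swapped_r3():
    """R3 with the swapped lists: reflect ICMP outbound, evaluate inbound."""
    r = Router(timeout=60)
    r.acls["outbound"] = [Entry("permit", "ospf"),
                          Entry("permit", "icmp", reflect="sometraffic"),
                          Entry("permit", "pim"), Entry("permit", "udp")]
    r.acls["inbound"] = [Entry("permit", "ospf"),
                         Entry("evaluate", evaluate="sometraffic")]
    return r


R5, R1 = "120.20.35.5", "1.1.1.1"
ECHO = Packet("icmp", R5, R1)       # r5#ping 1.1.1.1, leaving R3 out Serial0/0
REPLY = Packet("icmp", R1, R5)      # echo-reply coming back in on Serial0/0


def ping_r5_to_r1(r, now=0.0):
    """(echo forwarded out, reply forwarded in). A False first element is the
    case where R3 sends 'administratively prohibited unreachable' to R5."""
    if not r.filter("outbound", ECHO, now):
        return (False, False)
    return (True, r.filter("inbound", REPLY, now + 0.1))
```

ping_r5_to_r1(original_r3()) comes back (False, False): the echo leaving
Serial0/0 matches nothing in "outbound" and hits the implicit deny, which is
exactly the administratively prohibited unreachable in the debug output, and
the "permit icmp any any" on the inbound list never gets a reply to permit.
ping_r5_to_r1(swapped_r3()) comes back (True, True), an unsolicited echo from
R1 into "inbound" is denied because there is no temporary entry for it, and a
reply arriving more than 60 seconds after the echo is denied because the entry
has aged out. Setting r.acls["inbound"] = [] reproduces the empty-ACL
observation: the list permits everything until it has at least one line.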
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:35 GMT-3