RE: Reflexive ACL - what am I missing? Can't ping!!

From: Swink, Dave (DSwink@protrader.com)
Date: Fri May 02 2003 - 17:52:19 GMT-3


Try this:

ip access-list extended outbound
 permit ospf any any reflect sometraffic
 permit icmp any any reflect sometraffic
 permit pim any any
 permit udp any any
ip access-list extended inbound
  evaluate sometraffic

Dave Swink
 

-----Original Message-----
From: Jeongwoo Park [mailto:jpark@wams.com]
Sent: Friday, May 02, 2003 3:09 PM
To: Swink, Dave; 'tim.ouellette@eds.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!

Thanks guys.
It works. Now I have a better understanding of reflexive ACL.
Now, what if I want to reflect the ospf traffic?
Would it be like this?...
ip access-list extended outbound
 permit ospf any any reflect ospftraffic
 permit icmp any any reflect sometraffic
 permit pim any any
 permit udp any any
ip access-list extended inbound
  evaluate sometraffic
  evaluate ospftraffic

I tried this, and I lost all the ospf routes.

Hmm.. What am I missing?

Thanks,

JP

-----Original Message-----
From: Swink, Dave [mailto:DSwink@protrader.com]
Sent: Friday, May 02, 2003 12:11 AM
To: 'tim.ouellette@eds.com'; 'jpark@wams.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!

Yep. This should allow ping and ospf only when initiated from inside. Pim
& UDP would be allowed out only. OSPF could be initiated from either
direction.

ip access-list extended outbound
 permit ospf any any
 permit icmp any any reflect sometraffic
 permit pim any any
 permit udp any any
ip access-list extended inbound
 permit ospf any any
 evaluate sometraffic

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Ouellette, Tim
Sent: Thursday, May 01, 2003 11:20 PM
To: 'Jeongwoo Park'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!

Try this.

Swap the inbound and the outbound ACL.

Basically, permit icmp and the others outbound out of s0/0 on R3, and then
reflect inbound on the s0/0 interface.

Tim

-----Original Message-----
From: Jeongwoo Park [mailto:jpark@wams.com]
Sent: Thursday, May 01, 2003 11:04 PM
To: 'ccielab@groupstudy.com'
Subject: Reflexive ACL - what am I missing? Can't ping!!

Hi all,

I reached the point where I need some help from you guys.

R1(s0)----(s0/0)R3(e0/0)-----(e0/0)R5

I can't ping from R5 to R1 ( 1.1.1.1 )
I can't ping from R5 to R1 (120.20.13.1)
I can ping from R3 to R1
I thought I was permitting icmp traffic, but somehow the Reflexive ACL is
blocking it. What am I not understanding?

r3#deb ip icmp
r5#deb ip icmp

r5#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r5#
00:46:59: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:47:01: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:47:03: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
r5#

r5#ping 120.20.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
00:41:28: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:41:30: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:41:32: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
r5#

r3#
00:58:30: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent to 120.20.35.5
00:58:32: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent to 120.20.35.5
00:58:34: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent to 120.20.35.5
r3#
00:59:02: ICMP: dst (120.20.13.1) administratively prohibited unreachable sent to 120.20.35.5
00:59:04: ICMP: dst (120.20.13.1) administratively prohibited unreachable sent to 120.20.35.5
00:59:06: ICMP: dst (120.20.13.1) administratively prohibited unreachable sent to 120.20.35.5
r3#

===========================

R1:
interface Serial0
 bandwidth 10000
 ip address 120.20.13.1 255.255.255.248
 clock rate 64000

!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf network point-to-point
!

========================
hostname r3
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip reflexive-list timeout 60
!
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 120.20.35.3 255.255.255.0
!
interface Serial0/0
 ip address 120.20.13.3 255.255.255.248
 ip access-group inbound in
 ip access-group outbound out
 no fair-queue
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 1 virtual-link 1.1.1.1
 network 3.3.3.0 0.0.0.255 area 2
 network 120.20.13.0 0.0.0.7 area 1
!
router rip
 redistribute ospf 1 metric 5
 passive-interface default
 no passive-interface Ethernet0/0
 network 120.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
!
ip access-list extended inbound
 permit ospf any any
 permit icmp any any
 permit pim any any
 permit udp any any
 evaluate tcptraffic
ip access-list extended outbound
 permit tcp any any reflect tcptraffic
======================================
hostname r5
!
!
memory-size iomem 20
ip subnet-zero
ip tftp source-interface Ethernet0/0
no ip domain-lookup
!
!
!
!
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/0
 ip address 120.20.35.5 255.255.255.0
 no ip directed-broadcast
!
router rip
 passive-interface default
 no passive-interface Ethernet0/0
 network 5.0.0.0
 network 120.0.0.0
===============================
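Added example, not code from anyone in the thread: a small Python model of how `reflect` and `evaluate` create and match mirrored entries on R3's s0/0, run against the poster's original ACLs, the swapped ACLs suggested by Tim and Dave, and the OSPF-reflect variant from the follow-up. It assumes (simplification) that entries match on protocol and address pair only, ignoring ports and the 60-second timeout, and that OSPF hellos on the serial link are sent to 224.0.0.5.

```python
Packet = tuple  # (proto, src, dst); ports and the 60 s reflexive timeout are ignored
# ACL entries: ("permit", proto) | ("permit", proto, reflect_name) | ("evaluate", name)


class ReflexiveACL:
    """Toy model of the inbound/outbound access-groups applied to R3's s0/0."""

    def __init__(self, outbound, inbound):
        self.acl = {"out": outbound, "in": inbound}
        self.state = {}  # reflect name -> set of temporary mirrored entries

    def check(self, direction, pkt):
        proto, src, dst = pkt
        for entry in self.acl[direction]:
            if entry[0] == "evaluate":
                # evaluate NAME matches only entries created by reflect NAME
                if pkt in self.state.get(entry[1], set()):
                    return True
            elif entry[1] == proto:
                if len(entry) == 3:  # reflect NAME: mirror src/dst for return traffic
                    self.state.setdefault(entry[2], set()).add((proto, dst, src))
                return True
        return False  # implicit deny; IOS replies "administratively prohibited"


def jp_original():
    """The poster's r3 config: permits on the way in, reflect only TCP on the way out."""
    return ReflexiveACL(outbound=[("permit", "tcp", "tcptraffic")],
                        inbound=[("permit", "ospf"), ("permit", "icmp"), ("permit", "pim"),
                                 ("permit", "udp"), ("evaluate", "tcptraffic")])


def swapped():
    """Tim's and Dave's fix: permit and reflect outbound, evaluate inbound."""
    return ReflexiveACL(outbound=[("permit", "ospf"), ("permit", "icmp", "sometraffic"),
                                  ("permit", "pim"), ("permit", "udp")],
                        inbound=[("permit", "ospf"), ("evaluate", "sometraffic")])


def ping_r5_to_r1(fw):
    """Echo request out of s0/0 toward R1, echo reply back in; both must pass."""
    if not fw.check("out", ("icmp", "120.20.35.5", "1.1.1.1")):
        return False
    return fw.check("in", ("icmp", "1.1.1.1", "120.20.35.5"))


def ospf_hellos_reflect_only():
    """JP's follow-up: OSPF reflected instead of statically permitted (assumed hello dst)."""
    fw = ReflexiveACL(outbound=[("permit", "ospf", "ospftraffic")],
                      inbound=[("evaluate", "ospftraffic")])
    ours = fw.check("out", ("ospf", "120.20.13.3", "224.0.0.5"))   # mirrors 224.0.0.5 -> .3
    theirs = fw.check("in", ("ospf", "120.20.13.1", "224.0.0.5"))  # R1's hello never matches
    return ours, theirs
```

The mirrored entry for a multicast hello can never match the neighbour's own hello, which is why routes disappear when OSPF is only reflected rather than statically permitted in both directions.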



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:36 GMT-3