From: Fabrice Bobes (study@6colabs.com)
Date: Fri May 02 2003 - 19:35:02 GMT-3
Don't forget that traffic originating from the local router is not evaluated
against its own outbound access-list.
The outbound access-list is used for traffic going through your router
(from R1 to R5 in your example, not for R3 originated traffic to R5).
In other words, no temporary hole in your access-list will be opened for
returning OSPF traffic, since OSPF doesn't "travel" through R3 but
"originates" from R3.
I hope it makes sense.
Fabrice
http://www.6colabs.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Swink, Dave
Sent: Friday, May 02, 2003 1:52 PM
To: 'Jeongwoo Park'; 'tim.ouellette@eds.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!
Try this:
ip access-list extended outbound
permit ospf any any reflect sometraffic
permit icmp any any reflect sometraffic
permit pim any any
permit udp any any
ip access-list extended inbound
evaluate sometraffic
Dave Swink
-----Original Message-----
From: Jeongwoo Park [mailto:jpark@wams.com]
Sent: Friday, May 02, 2003 3:09 PM
To: Swink, Dave; 'tim.ouellette@eds.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!
Thanks guys.
It works. Now I have a better understanding of reflexive ACL.
Now, what if I want to reflect the ospf traffic?
Would it be like this?...
ip access-list extended outbound
permit ospf any any reflect ospftraffic
permit icmp any any reflect sometraffic
permit pim any any
permit udp any any
ip access-list extended inbound
evaluate sometraffic
evaluate ospftraffic
I tried this, and I lost all the ospf routes.
Hmm.. What am I missing?
Thanks,
JP
-----Original Message-----
From: Swink, Dave [mailto:DSwink@protrader.com]
Sent: Friday, May 02, 2003 12:11 AM
To: 'tim.ouellette@eds.com'; 'jpark@wams.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!
Yep. This should allow ping and ospf only when initiated from inside. Pim
& UDP would be allowed out only. OSPF could be initiated from either
direction.
ip access-list extended outbound
permit ospf any any
permit icmp any any reflect sometraffic
permit pim any any
permit udp any any
ip access-list extended inbound
permit ospf any any
evaluate sometraffic
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ouellette, Tim
Sent: Thursday, May 01, 2003 11:20 PM
To: 'Jeongwoo Park'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Reflexive ACL - what am I missing? Can't ping!!
Try this.
Swap the inbound and the outbound ACL.
Basically, permit icmp and the others outbound out of s0/0 on R3, and then
reflect inbound on the s0/0 interface.
Tim
-----Original Message-----
From: Jeongwoo Park [mailto:jpark@wams.com]
Sent: Thursday, May 01, 2003 11:04 PM
To: 'ccielab@groupstudy.com'
Subject: Reflexive ACL - what am I missing? Can't ping!!
Hi all,
I reached the point where I need some help from you guys.
R1(s0)----(s0/0)R3(e0/0)-----(e0/0)R5
I can't ping from R5 to R1 ( 1.1.1.1 )
I can't ping from R5 to R1 (120.20.13.1)
I can ping from R3 to R1
I thought I was permitting icmp traffic, but somehow the Reflexive ACL is
blocking it. What am I not understanding?
r3#deb ip icmp
r5#deb ip icmp
r5#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r5#
00:46:59: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:47:01: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:47:03: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
r5#ping 120.20.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
00:41:28: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:41:30: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
00:41:32: ICMP: dst (120.20.35.5) administratively prohibited unreachable rcv from 120.20.35.3
r5#
r3#
00:58:30: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent to 120.20.35.5
00:58:32: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent to 120.20.35.5
00:58:34: ICMP: dst (1.1.1.1) administratively prohibited unreachable sent to 120.20.35.5
r3#
00:59:02: ICMP: dst (120.20.13.1) administratively prohibited unreachable sent to 120.20.35.5
00:59:04: ICMP: dst (120.20.13.1) administratively prohibited unreachable sent to 120.20.35.5
00:59:06: ICMP: dst (120.20.13.1) administratively prohibited unreachable sent to 120.20.35.5
r3#
r5#
===========================
R1:
interface Serial0
bandwidth 10000
ip address 120.20.13.1 255.255.255.248
clock rate 64000
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip ospf network point-to-point
!
========================
hostname r3
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip reflexive-list timeout 60
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Ethernet0/0
ip address 120.20.35.3 255.255.255.0
!
interface Serial0/0
ip address 120.20.13.3 255.255.255.248
ip access-group inbound in
ip access-group outbound out
no fair-queue
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 1 virtual-link 1.1.1.1
network 3.3.3.0 0.0.0.255 area 2
network 120.20.13.0 0.0.0.7 area 1
!
router rip
redistribute ospf 1 metric 5
passive-interface default
no passive-interface Ethernet0/0
network 120.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
!
ip access-list extended inbound
permit ospf any any
permit icmp any any
permit pim any any
permit udp any any
evaluate tcptraffic
ip access-list extended outbound
permit tcp any any reflect tcptraffic
======================================
hostname r5
!
!
memory-size iomem 20
ip subnet-zero
ip tftp source-interface Ethernet0/0
no ip domain-lookup
!
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
no ip directed-broadcast
!
interface Ethernet0/0
ip address 120.20.35.5 255.255.255.0
no ip directed-broadcast
!
router rip
passive-interface default
no passive-interface Ethernet0/0
network 5.0.0.0
network 120.0.0.0
===============================
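The three behaviours argued over in this thread (JP's original lists dropping R5's pings while R3's own pings work, Dave's reflected-ICMP fix, and Fabrice's point that router-originated OSPF never creates a reflexive entry) can be checked in a small model of how IOS walks the two lists on R3's s0/0. The block below is an added example, not code from the thread or from Cisco. It assumes a simplified IOS: entries match on protocol only (every line in the thread is "any any"), a reflexive session is keyed on (protocol, source, destination) and mirrored on `evaluate`, the `ip reflexive-list timeout 60` from R3's config is a plain counter advanced by `tick()`, and the addresses are R1's, R3's and R5's from the original post.

```python
"""Toy model of reflexive ACL evaluation on R3's s0/0 (added example).

Not code from the thread or from Cisco: only the evaluation order the
replies describe is modelled.  Matching is per protocol ("any any"),
sessions are keyed on (proto, src, dst) and the timeout is a counter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "ospf", "tcp", "udp", "pim"
    src: str
    dst: str


@dataclass(frozen=True)
class Entry:
    proto: Optional[str] = None     # None => an 'evaluate' line
    reflect: Optional[str] = None   # reflexive list filled on match
    evaluate: Optional[str] = None  # reflexive list consulted


def permit(proto: str, reflect: Optional[str] = None) -> Entry:
    return Entry(proto=proto, reflect=reflect)


def evaluate(name: str) -> Entry:
    return Entry(evaluate=name)


class Router:
    def __init__(self, own_addrs, inbound: List[Entry], outbound: List[Entry], timeout: int = 60):
        self.own = set(own_addrs)   # the router's own interface addresses
        self.inbound, self.outbound = inbound, outbound
        self.timeout = timeout      # 'ip reflexive-list timeout 60' in R3's config
        self.sessions = {}          # list name -> {(proto, src, dst): expiry}
        self.now = 0

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def _walk(self, acl: List[Entry], pkt: Packet) -> bool:
        for e in acl:
            if e.evaluate is not None:
                # A reflexive entry is the mirror image of the flow that created it.
                mirrored = (pkt.proto, pkt.dst, pkt.src)
                expiry = self.sessions.get(e.evaluate, {}).get(mirrored)
                if expiry is not None and expiry > self.now:
                    return True
                continue            # no live session: keep walking the list
            if e.proto == pkt.proto:
                if e.reflect is not None:
                    key = (pkt.proto, pkt.src, pkt.dst)
                    self.sessions.setdefault(e.reflect, {})[key] = self.now + self.timeout
                return True
        return False                # implicit deny at the end of every access-list

    def egress(self, pkt: Packet) -> bool:
        """A packet leaving s0/0 ('ip access-group outbound out')."""
        if pkt.src in self.own:
            return True  # locally originated traffic is not checked by the outbound ACL
        return self._walk(self.outbound, pkt)

    def ingress(self, pkt: Packet) -> bool:
        """A packet arriving on s0/0 ('ip access-group inbound in')."""
        return self._walk(self.inbound, pkt)


R3 = ("120.20.13.3", "120.20.35.3", "3.3.3.3")
R1, R1_LO, R5, ALL_SPF = "120.20.13.1", "1.1.1.1", "120.20.35.5", "224.0.0.5"


def original_config() -> Router:
    """JP's first attempt: ICMP permitted inbound, only TCP reflected outbound."""
    return Router(R3, inbound=[permit("ospf"), permit("icmp"), permit("pim"), permit("udp"),
                               evaluate("tcptraffic")],
                  outbound=[permit("tcp", reflect="tcptraffic")])


def reflect_both_config() -> Router:
    """Dave's second suggestion: OSPF and ICMP reflected out, evaluate in."""
    return Router(R3, inbound=[evaluate("sometraffic")],
                  outbound=[permit("ospf", reflect="sometraffic"), permit("icmp", reflect="sometraffic"),
                            permit("pim"), permit("udp")])


def static_ospf_config() -> Router:
    """Dave's first suggestion: OSPF permitted statically in both lists."""
    return Router(R3, inbound=[permit("ospf"), evaluate("sometraffic")],
                  outbound=[permit("ospf"), permit("icmp", reflect="sometraffic"),
                            permit("pim"), permit("udp")])


def ping_through(r: Router, src: str, dst: str, wait: int = 0) -> Tuple[bool, bool]:
    """Echo out s0/0, then the reply back in; returns (echo_permitted, reply_permitted)."""
    sent = r.egress(Packet("icmp", src, dst))
    r.tick(wait)
    return sent, sent and r.ingress(Packet("icmp", dst, src))


def ospf_hellos(r: Router) -> bool:
    """R3 sends its own hello, then R1's hello arrives; returns whether R1's is permitted."""
    r.egress(Packet("ospf", "120.20.13.3", ALL_SPF))   # locally originated: no reflexive entry
    return r.ingress(Packet("ospf", R1, ALL_SPF))


if __name__ == "__main__":
    for name, build in [("original", original_config), ("reflect both", reflect_both_config),
                        ("static ospf", static_ospf_config)]:
        print(name, "R5->R1:", ping_through(build(), R5, R1_LO),
              "R3->R1:", ping_through(build(), "120.20.13.3", R1_LO),
              "R1 hello in:", ospf_hellos(build()))
```

Running it reproduces the thread: with the original lists R5's echo never matches the outbound list (the "administratively prohibited" seen in the debugs) while R3's own ping is exempt from that list and its reply is permitted by the static `permit icmp` inbound; with ICMP reflected outbound the mirrored entry lets the reply in, and the same reply is refused once the 60-second timeout has run out or if R1 pings first. Reflecting OSPF alone leaves R1's hellos with nothing to match, because R3's hellos never traverse the outbound list and so never create an entry (on real IOS the mirrored entry would also point at 224.0.0.5 rather than at R1), which is why a static `permit ospf any any` on the inbound list is the variant that keeps the adjacency up.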
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:36 GMT-3