From: asadovnikov (asadovnikov@comcast.net)
Date: Mon Jul 28 2003 - 01:57:59 GMT-3
I agree with Dmitry, it would not work with traffic which is locally
originated, but I do not believe it is IOS dependent.
Traffic generated on a router would not hit an outbound ACL (for anything)
and hence would not ever have a chance to create a temporary opening.
Try the following:
- replace "reflect" with "log" and generate traffic; you should not see any hits
- recover your configuration back to reflect, but now use an outside device
(such as another router or a PC) and it will work
Best regards,
Alexei
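As an added illustration (not part of the thread, and not IOS code), here is a small Python model of the behaviour Alexei and Dmitry describe: traffic the router itself originates is never checked by the outbound ACL, so "reflect" never installs a temporary entry and the reply is dropped by "evaluate"; transit traffic from an outside host (C) does create the entry, so its reply gets through. Addresses and ports are made up.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ReflexiveInterface:
    """Model of one IOS interface with 'permit tcp any any reflect test'
    outbound and 'evaluate test' inbound (constructed model, not IOS code)."""
    local_addr: str                      # the router's own address on this interface
    reflex: set = field(default_factory=set)  # temporary reflexive entries

    def outbound(self, pkt: Packet) -> bool:
        # Locally originated packets bypass outbound ACLs on IOS, so the
        # 'reflect' keyword never fires and no temporary entry is created.
        if pkt.src == self.local_addr:
            return True
        # Transit packets hit "permit tcp any any reflect test": permitted,
        # and a mirrored (swapped src/dst) entry is installed for the reply.
        self.reflex.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # "evaluate test" permits only packets matching a reflexive entry;
        # everything else falls through to the implicit deny.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflex


def telnet_round_trip(iface: ReflexiveInterface, client: str, server: str) -> bool:
    """Send a telnet SYN out of the interface and report whether the
    SYN-ACK coming back would be permitted by the inbound ACL."""
    syn = Packet("tcp", client, 11000, server, 23)
    iface.outbound(syn)
    syn_ack = Packet("tcp", server, 23, client, 11000)
    return iface.inbound(syn_ack)


# Router A's s0 is 10.0.0.1, router B is 10.0.0.2, host C sits behind A.
A_S0, B, C = "10.0.0.1", "10.0.0.2", "192.168.1.10"
transit_ok = telnet_round_trip(ReflexiveInterface(A_S0), C, B)      # True
local_ok = telnet_round_trip(ReflexiveInterface(A_S0), A_S0, B)     # False
```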
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Sunday, July 27, 2003 12:55 PM
To: 'Yu Kay'; ccielab@groupstudy.com
Subject: RE: reflexive access-list
Your access list looks right.
Try to telnet to B from C:
C---A---B
It should work. I don't know why, but the reflexive list doesn't work for packets
originated from the router itself.
Even if you use telnet x.y.z.d /source-interface "another interface than
s0" from A to B it doesn't work.
Maybe it's IOS dependent.
Dmitry
> -----Original Message-----
> From: Yu Kay [mailto:kaykkyu@yahoo.com]
> Sent: Sunday, July 27, 2003 10:54 AM
> To: ccielab@groupstudy.com
> Subject: reflexive access-list
>
>
> Hi,
>
> I have a question about reflexive access-list.
> For example,
>
> routerA (S0)----- routerB
>
> I try to describe my problem in the simplest example.
> Each router uses a default route pointing to the other.
> Before I put the following 'access-list' on routerA,
> routerA can telnet to routerB.
>
> int s0
> ip access-group outbound out
> ip access-group inbound in
>
> ip access-list extended inbound
>  evaluate test
> ip access-list extended outbound
>  permit tcp any any reflect test
>
>
> Please give me some hints
>
> Kay
>
>
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:55 GMT-3