RE: reflexive access-list

From: Volkov, Dmitry (IDS Canada) (dmitry_volkov@ca.ml.com)
Date: Mon Jul 28 2003 - 02:48:24 GMT-3


Alex,

You are right - I don't recall that an outbound ACL would process a packet
sourced from the router, nor would a reflexive ACL or Inspect.

I know of only the following references about what happens to packets
traveling through a router:
1) http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
2) http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml
3) Inside Cisco IOS Software Architecture book (Order of Operations in the
Switching Path)
Unfortunately, none of these sources tells us the path taken by packets
sourced from the router itself.

Do you know of any public info besides the above?

Thanks,

Dmitry

> -----Original Message-----
> From: asadovnikov [mailto:asadovnikov@comcast.net]
> Sent: Monday, July 28, 2003 12:58 AM
> To: 'Volkov, Dmitry (IDS Canada)'; 'Yu Kay'; ccielab@groupstudy.com
> Subject: RE: reflexive access-list
>
>
> I agree with Dmitry, it would not work with traffic which is locally
> originated, but I do not believe it is IOS dependent.
>
> Traffic generated on a router would not hit an outbound ACL (for anything)
> and hence would not ever have a chance to create a temporary opening.
>
> Try the following:
> - replace "reflect" with "log" and generate traffic; you should not see any
> hits
> - recover your configuration back to reflect, but now use an outside device
> (such as another router or a PC) and it will work
>
> Best regards,
> Alexei
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Volkov, Dmitry (IDS Canada)
> Sent: Sunday, July 27, 2003 12:55 PM
> To: 'Yu Kay'; ccielab@groupstudy.com
> Subject: RE: reflexive access-list
>
>
> Your access list looks right.
> Try to telnet to B from C:
> C---A---B
> It should work. I don't know why, but a reflexive list doesn't work for
> packets originated from the router itself.
> Even if you use "telnet x.y.z.d /source-interface <another interface than
> s0>" from A to B, it doesn't work.
> Maybe it's IOS dependent.
>
> Dmitry
>
> > -----Original Message-----
> > From: Yu Kay [mailto:kaykkyu@yahoo.com]
> > Sent: Sunday, July 27, 2003 10:54 AM
> > To: ccielab@groupstudy.com
> > Subject: reflexive access-list
> >
> >
> > Hi,
> >
> > I have a question about reflexive access-list.
> > For example,
> >
> > routerA (S0)----- routerB
> >
> > I will try to describe my problem with the simplest example.
> > Each router uses a default route pointing to the other.
> > Before I put the following access lists on routerA,
> > routerA could telnet to routerB.
> >
> > int s0
> >  ip access-group outbound out
> >  ip access-group inbound in
> > !
> > ! reflexive entries require named extended lists ("ip access-list extended")
> > ip access-list extended inbound
> >  evaluate test
> > ip access-list extended outbound
> >  permit tcp any any reflect test
> >
> >
> > Please give me some hints
> >
> > Kay
> >
> >
> >
> >
> > ______________________________________________________________
> > _________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
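Added example, not part of the original thread: a complete working version of Kay's setup for router A in the C---A---B topology, written as an IOS configuration using the named extended access lists that reflexive ACLs require. The addresses 10.0.0.1 (A's s0) and 10.0.0.2 (B), the list and reflexive-entry names, and the timeouts are assumptions for illustration only.

```ios
! Added example, not from the original thread. Router A, topology C---A---B.
! Assumed addresses: A s0 = 10.0.0.1, B = 10.0.0.2 (illustration only).
!
! Reflexive entries are only supported in named extended IP access lists,
! so the lists are created with "ip access-list extended", not the
! "access-list extended" form used in the original post.
!
! Global idle timeout for temporary reflexive entries (seconds).
ip reflexive-list timeout 120
!
! Outbound list: traffic from C that leaves s0 toward B creates a temporary
! TCP-REFLECT / UDP-REFLECT / ICMP-REFLECT entry. Telnet sourced by A itself
! never passes through this list, so no entry is created for it (the
! behaviour discussed in the thread).
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT
 permit icmp any any reflect ICMP-REFLECT
 deny ip any any log
!
! Inbound list: "evaluate" inserts the temporary entries here, so replies to
! C's sessions are permitted; everything else is dropped and logged.
! The explicit "established" line is what lets replies to A's own telnet
! session to B back in, since reflection does not cover router-sourced traffic.
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 permit tcp host 10.0.0.2 eq 23 host 10.0.0.1 established
 deny ip any any log
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

To reproduce Alexei's test, replace "reflect TCP-REFLECT timeout 300" with "log" on the permit tcp line, telnet from A to B, and look at "show ip access-lists OUTBOUND": the match counter on that line stays at 0 because locally generated traffic is not evaluated by the outbound list. Telnet from C to B instead and the counter increments; with reflect restored, "show ip access-lists" shows the temporary TCP-REFLECT entry that the evaluate line in INBOUND uses to admit the return traffic. Without the static "established" line, A's own telnet to B fails for the same reason: the replies arrive at INBOUND with no reflexive entry to match.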



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:55 GMT-3