RE: Ping and reflexive access lists

From: Weidong Xiao (Weidong.Xiao@vi.net)
Date: Fri Aug 22 2003 - 13:29:07 GMT-3


Reflexive ACLs apply to UDP as well. I believe the default timeout for a UDP entry is 5 minutes.

The IPExpert solution may be correct. ICMP is not supported by old versions of IOS, but may be supported by new versions. I know that inspection (IOS with the firewall feature set) supports ICMP in version 13.0.

> -----Original Message-----
> From: yu chunyan [mailto:yuchunyan@hotmail.com]
> Sent: 22 August 2003 17:16
> To: ccie2be@nyc.rr.com; ccielab@groupstudy.com
> Subject: Re: Ping and reflexive access lists
>
>
> Reflexive access lists only apply to TCP connections.
>
> Bin.
>
>
> >From: "ccie2be" <ccie2be@nyc.rr.com>
> >Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
> >To: "Group Study" <ccielab@groupstudy.com>
> >Subject: Ping and reflexive access lists
> >Date: Fri, 22 Aug 2003 11:38:47 -0400
> >
> >Hi all,
> >
> >The following is from the solution config of IPExpert e-scenario lab 343.
> >
> >int s0
> ><text omitted>
> >ip access-group inbound in
> >ip access-group outbound out
> >
> >
> >ip access-list extended inbound
> >evaluate icmptraffic
> >
> >ip access-list extended outbound
> >permit icmp any any reflect icmptraffic
> >
> >The requirement is to allow inside users to ping to the outside. When I tried
> >this, it didn't work which actually makes sense to me since the reply to a
> >ping is an echo-reply which isn't a "mirror image" of a ping.
> >
> >Is this solution wrong or did I miss something?
> >
> >Thanks, dt
> >
> >
> >_______________________________________________________________________
> >You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:04 GMT-3