RE: Ping and reflexive access lists

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Aug 22 2003 - 14:29:22 GMT-3


Reflexive ACL's work with TCP, UDP and ICMP. You might be referring to
older IOS versions and CBAC which did not support ICMP.

interface Ethernet0/0
 ip access-group INACL in
 ip access-group OUTACL out
!
ip access-list extended INACL
 evaluate ICMP_TRAFFIC
ip access-list extended OUTACL
 permit icmp any any reflect ICMP_TRAFFIC
!
Rack6R3#sho access-list
Reflexive IP access list ICMP_TRAFFIC
    permit icmp host 10.13.13.1 host 3.12.12.2 (11 matches) (time left 229)
Extended IP access list INACL
    evaluate ICMP_TRAFFIC
Extended IP access list OUTACL
    permit icmp any any reflect ICMP_TRAFFIC
Rack6R3#

One of the problems people run into is that they forget to test it from
behind the router with the reflective ACL and not from the router
itself. Packets generated by the router itself are not "reflected".

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-334-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
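The behaviour described above (an outbound "reflect" entry creating a mirror-image temporary entry, an inbound "evaluate" consuming it, the idle timeout, and router-originated packets never being reflected) can be modelled in a few dozen lines. The following Python simulation is an added example, not IOS code and not from anyone in this thread; the addresses, the router's own address 3.12.12.1 and the packet timings are constructed, and the 300-second default matches the IOS global reflexive timeout.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen by the interface ACLs (constructed model)."""
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0                  # 0 for ICMP
    dport: int = 0
    router_generated: bool = False  # True for a ping typed on the router itself


@dataclass
class ReflexiveEntry:
    """Temporary entry created by the 'reflect' keyword: the mirror image of the
    packet that triggered it (source/destination and ports swapped)."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    expires_at: float

    def key(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def matches(self, pkt: Packet) -> bool:
        return self.key() == (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


@dataclass
class ReflexiveList:
    """A named reflexive ACL such as ICMP_TRAFFIC in the thread."""
    name: str
    timeout: float = 300.0          # IOS default for 'ip reflexive-list timeout'
    entries: List[ReflexiveEntry] = field(default_factory=list)

    def reflect(self, pkt: Packet, now: float) -> ReflexiveEntry:
        """Create (or refresh) the mirror entry for a permitted outbound packet."""
        entry = ReflexiveEntry(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport,
                               now + self.timeout)
        self.entries = [e for e in self.entries if e.key() != entry.key()]
        self.entries.append(entry)
        return entry

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """'evaluate NAME' in an inbound ACL: purge expired entries, then match."""
        self.entries = [e for e in self.entries if e.expires_at > now]
        return any(e.matches(pkt) for e in self.entries)


class Router:
    """Models the INACL/OUTACL pair from the thread on a single interface."""

    def __init__(self, own_addr: str, timeout: float = 300.0):
        self.own_addr = own_addr  # constructed router address
        self.icmp_traffic = ReflexiveList("ICMP_TRAFFIC", timeout)

    def outbound(self, pkt: Packet, now: float) -> bool:
        """OUTACL: permit icmp any any reflect ICMP_TRAFFIC (implicit deny after)."""
        if pkt.router_generated:
            # Locally generated traffic is not filtered by the outgoing interface
            # ACL, so no reflexive entry is ever created for it.
            return True
        if pkt.proto == "icmp":
            self.icmp_traffic.reflect(pkt, now)
            return True
        return False

    def inbound(self, pkt: Packet, now: float) -> bool:
        """INACL: evaluate ICMP_TRAFFIC, then implicit deny."""
        return self.icmp_traffic.evaluate(pkt, now)


def demo() -> dict:
    """Walk through the cases discussed in the thread and return each verdict."""
    r = Router(own_addr="3.12.12.1", timeout=300.0)
    inside, outside = "3.12.12.2", "10.13.13.1"
    results = {}
    # 1. Inside host pings outside: outbound permitted, mirror entry created.
    results["echo_out"] = r.outbound(Packet("icmp", inside, outside), now=0)
    # 2. The echo-reply has src/dst swapped, which is exactly what the entry permits.
    results["reply_in"] = r.inbound(Packet("icmp", outside, inside), now=1)
    # 3. An unsolicited ping from outside to another inside host has no entry.
    results["unsolicited_in"] = r.inbound(Packet("icmp", outside, "3.12.12.3"), now=1)
    # 4. A ping from the router itself never hits OUTACL, so nothing is reflected...
    r.outbound(Packet("icmp", r.own_addr, outside, router_generated=True), now=2)
    # ...and the reply addressed to the router is dropped by INACL.
    results["router_reply_in"] = r.inbound(Packet("icmp", outside, r.own_addr), now=3)
    # 5. Once the idle timeout has passed, the entry from step 1 is gone.
    results["reply_after_timeout"] = r.inbound(Packet("icmp", outside, inside), now=400)
    results["entries_after_timeout"] = len(r.icmp_traffic.entries)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Case 4 is the point made above: the reply is denied not because ICMP is unsupported but because the router's own echo request bypassed the outbound ACL and therefore never produced a reflexive entry.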

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
yu chunyan
Sent: Friday, August 22, 2003 9:16 AM
To: ccie2be@nyc.rr.com; ccielab@groupstudy.com
Subject: Re: Ping and reflexive access lists

Reflective access-lists only apply to TCP connections.

Bin.

>From: "ccie2be" <ccie2be@nyc.rr.com>
>Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
>To: "Group Study" <ccielab@groupstudy.com>
>Subject: Ping and reflexive access lists
>Date: Fri, 22 Aug 2003 11:38:47 -0400
>
>Hi all,
>
>The following is from the solution config of IPExpert e-scenario lab 343.
>
>int s0
><text omitted>
>ip access-group inbound in
>ip access-group outbound out
>
>
>ip access-list extended inbound
>evaluate icmptraffic
>
>ip access-list extended outbound
>permit icmp any any reflect icmptraffic
>
>The requirement is to allow inside users to ping to the outside. When I
>tried this, it didn't work which actually makes sense to me since the reply
>to a ping is an echo-reply which isn't a "mirror image" of a ping.
>
>Is this solution wrong or did I miss something?
>
>Thanks, dt
>
>



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:05 GMT-3