RE: Reflexive Access List

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Sep 05 2003 - 09:43:26 GMT-3


To test a reflexive ACL, initiate traffic from a device that is "behind"
the router configured with the reflexive ACL.

Traffic originated by the router itself does not get "reflected" by a
reflective ACL. This means that all traffic originated by the router
will need to be manually permitted with the inbound ACL. It is common to
permit routing protocol traffic inbound but also remember if you need to
ping or telnet to other routers from the router with the reflective ACL
you will need to manually add the ACL entries inbound for this traffic
to return.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-334-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Charles T. Alexander
Sent: Friday, September 05, 2003 4:38 AM
To: ccielab@groupstudy.com
Subject: Reflexive Access List

Having trouble with a reflexive access list. Cannot telnet from r2 to
r1, which is connected on e0 of r2.

r2#r
Building configuration...

Current configuration : 4671 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
logging buffered 10000 debugging
logging rate-limit console 10 except errors
enable password radnor
!
username r5 password 0 ctasta
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
isdn switch-type basic-ni
!
!
!
!
interface Loopback0
 ip address 192.168.2.2 255.255.255.255
!
interface Ethernet0
 ip address 172.29.12.2 255.255.255.192
 ip access-group untrusted in
 ip access-group trusted out
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0.4 point-to-point
 ip address 172.29.24.2 255.255.255.0
 frame-relay interface-dlci 104
!
interface Serial0.56 multipoint
 ip address 172.29.100.2 255.255.255.248
 ip ospf message-digest-key 1 md5 ctasta
 frame-relay map ip 172.29.100.2 105
 frame-relay map ip 172.29.100.5 105 broadcast
 frame-relay map ip 172.29.100.6 106 broadcast
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 ip address 172.29.25.2 255.255.255.0
 encapsulation ppp
 ip ospf demand-circuit
 shutdown
 dialer map ip 172.29.25.5 name r5 4082222222
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 40811111111
 isdn spid2 40811111112
 cdapi buffers regular 0
 cdapi buffers raw 0
 cdapi buffers large 0
 no cdp enable
 ppp authentication chap
 ppp chap hostname r2x
!
router ospf 1
 router-id 192.168.2.2
 log-adjacency-changes
 area 0 authentication message-digest
 area 0 range 172.29.100.0 255.255.255.0
 area 0 range 172.29.200.0 255.255.255.0
 area 12 range 172.29.12.0 255.255.255.0
 area 12 virtual-link 192.168.1.1 message-digest-key 1 md5 ctasta
 summary-address 172.29.24.0 255.255.255.0
 redistribute connected subnets route-map c2o
 redistribute rip metric 100 subnets route-map r2o
 network 172.29.12.0 0.0.0.63 area 12
 network 172.29.25.0 0.0.0.255 area 0
 network 172.29.100.0 0.0.0.7 area 0
 network 192.168.2.2 0.0.0.0 area 2
 neighbor 172.29.100.6
 neighbor 172.29.100.5
 distance ospf inter-area 112 external 114
!
router rip
 redistribute connected metric 2
 redistribute ospf 1 metric 4 route-map o2r
 passive-interface BRI0
 passive-interface Ethernet0
 passive-interface Loopback0
 passive-interface Serial0.56
 network 172.29.0.0
 distribute-list 4 out Serial0.4
 distance 105
!
router bgp 12
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.1.1 remote-as 12
 neighbor 192.168.1.1 update-source Loopback0
 neighbor 192.168.5.5 remote-as 5
 neighbor 192.168.5.5 ebgp-multihop 5
 neighbor 192.168.5.5 update-source Loopback0
 neighbor 192.168.5.5 send-community
 neighbor 192.168.5.5 route-map tor5 out
 neighbor 192.168.6.6 remote-as 6
 neighbor 192.168.6.6 ebgp-multihop 5
 neighbor 192.168.6.6 update-source Loopback0
 neighbor 192.168.6.6 send-community
 neighbor 192.168.6.6 route-map tor6 out
 no auto-summary
!
ip kerberos source-interface any
ip classless
ip http server
!
!
ip access-list extended trusted
 permit tcp any any reflect tcp-sessions
ip access-list extended untrusted
 permit ospf any any
 permit tcp any any eq bgp
 evaluate tcp-sessions
access-list 1 permit 172.29.40.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit 172.29.24.0 0.0.0.255
access-list 4 deny 172.29.25.0 0.0.0.255
access-list 4 permit any
access-list 11 permit 10.12.1.0 0.0.0.255
access-list 12 permit 10.12.2.0 0.0.0.255
access-list 13 permit 10.12.3.0 0.0.0.255
access-list 101 deny ip any host 224.0.0.5
access-list 101 deny ip any host 224.0.0.6
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
route-map c2r permit 10
 match ip address 3
!
route-map r2o permit 10
 match ip address 1
!
route-map o2r permit 10
 match ip address 4
!
route-map c2o permit 10
 match ip address 2
!
route-map tor5 permit 10
 match ip address 11
 set as-path prepend 100
!
route-map tor5 permit 20
 match ip address 12
 set as-path prepend 100 200
!
route-map tor5 permit 30
 match ip address 13
 set metric 275
!
route-map tor5 permit 40
!
route-map tor6 deny 10
 match ip address 11
!
route-map tor6 permit 20
 match ip address 12
 set as-path prepend 1200
!
route-map tor6 permit 30
 match ip address 13
 set community no-export
!
route-map tor6 permit 40
!
!
alias exec i show ip route
alias exec r show run
alias exec c config t
alias exec u undebug all
alias exec b show ip bgp
alias exec bs show ip bgp sum
alias exec s show ip int brief
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
 escape-character 27
line aux 0
line vty 0 4
 exec-timeout 0 0
 password bp
 login
!
end

r2#
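The behaviour Brian describes, modelled against the trusted/untrusted ACLs in the posted r2 config (an added illustration, not code from the thread or from IOS): a TCP session that transits r2 gets a mirrored entry from `reflect tcp-sessions`, a session r2 sources itself does not, so r1's reply to r2's own telnet falls through to the implicit deny. The host address 172.29.24.4 and the manual inbound entry `permit tcp any eq 23 host 172.29.12.2` are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def mirror(f):
    """Return the reverse 5-tuple, i.e. what the reflected entry matches."""
    return Flow(f.proto, f.dst, f.dport, f.src, f.sport)

class ReflexiveAcl:
    """Toy model of r2's 'trusted' (out) and 'untrusted' (in) ACLs."""
    def __init__(self):
        self.tcp_sessions = set()  # entries created by 'reflect tcp-sessions'

    def outbound(self, f, router_originated=False):
        # 'permit tcp any any reflect tcp-sessions': permit, and for TCP that
        # transits the router install the mirrored entry. Traffic the router
        # itself sources is never reflected.
        if f.proto == "tcp" and not router_originated:
            self.tcp_sessions.add(mirror(f))
        return True

    def inbound(self, f, manual_entries=()):
        if f.proto == "ospf":                    # permit ospf any any
            return True
        if f.proto == "tcp" and f.dport == 179:  # permit tcp any any eq bgp
            return True
        if any(rule(f) for rule in manual_entries):
            return True
        return f in self.tcp_sessions            # evaluate tcp-sessions

def demo():
    acl = ReflexiveAcl()
    # Constructed host 172.29.24.4 behind r2 telnets to r1 via e0: reflected.
    host = Flow("tcp", "172.29.24.4", 40000, "172.29.12.1", 23)
    acl.outbound(host)
    host_reply_ok = acl.inbound(mirror(host))
    # r2 itself telnets to r1: not reflected, so r1's reply is dropped.
    r2 = Flow("tcp", "172.29.12.2", 11000, "172.29.12.1", 23)
    acl.outbound(r2, router_originated=True)
    r2_reply_dropped = not acl.inbound(mirror(r2))
    # Assumed manual inbound entry: permit tcp any eq 23 host 172.29.12.2
    telnet_back = lambda f: f.proto == "tcp" and f.sport == 23 and f.dst == "172.29.12.2"
    r2_reply_ok = acl.inbound(mirror(r2), manual_entries=[telnet_back])
    return host_reply_ok, r2_reply_dropped, r2_reply_ok
```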
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:23 GMT-3