From: navaid@rogers.com
Date: Fri Sep 05 2003 - 09:51:15 GMT-3
Charles,
You will not be able to ping until you allow ICMP in your untrusted list.
Try from one hop behind r2 and it will work. It is because Cisco decided not to check the ACL if outgoing traffic is generated locally on the router. Please check the last three days' archive and you will see a detailed discussion of this.
Navaid
>
> From: "Charles T. Alexander" <charles.t.alexander@verizon.net>
> Date: 2003/09/05 Fri AM 07:37:36 EDT
> To: "ccielab@groupstudy.com" <ccielab@groupstudy.com>
> Subject: Reflexive Access List
>
> Having trouble with a reflexive access list. Cannot telnet from r2 to
> r1, which is connected on e0 of r2.
>
>
> r2#r
> Building configuration...
>
> Current configuration : 4671 bytes
> !
> version 12.2
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r2
> !
> logging buffered 10000 debugging
> logging rate-limit console 10 except errors
> enable password radnor
> !
> username r5 password 0 ctasta
> ip subnet-zero
> no ip finger
> no ip domain-lookup
> !
> no ip dhcp-client network-discovery
> isdn switch-type basic-ni
> !
> !
> !
> !
> interface Loopback0
>  ip address 192.168.2.2 255.255.255.255
> !
> interface Ethernet0
>  ip address 172.29.12.2 255.255.255.192
>  ip access-group untrusted in
>  ip access-group trusted out
> !
> interface Serial0
>  no ip address
>  encapsulation frame-relay
>  frame-relay lmi-type ansi
> !
> interface Serial0.4 point-to-point
>  ip address 172.29.24.2 255.255.255.0
>  frame-relay interface-dlci 104
> !
> interface Serial0.56 multipoint
>  ip address 172.29.100.2 255.255.255.248
>  ip ospf message-digest-key 1 md5 ctasta
>  frame-relay map ip 172.29.100.2 105
>  frame-relay map ip 172.29.100.5 105 broadcast
>  frame-relay map ip 172.29.100.6 106 broadcast
> !
> interface Serial1
>  no ip address
>  shutdown
> !
> interface BRI0
>  ip address 172.29.25.2 255.255.255.0
>  encapsulation ppp
>  ip ospf demand-circuit
>  shutdown
>  dialer map ip 172.29.25.5 name r5 4082222222
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 40811111111
>  isdn spid2 40811111112
>  cdapi buffers regular 0
>  cdapi buffers raw 0
>  cdapi buffers large 0
>  no cdp enable
>  ppp authentication chap
>  ppp chap hostname r2x
> !
> router ospf 1
>  router-id 192.168.2.2
>  log-adjacency-changes
>  area 0 authentication message-digest
>  area 0 range 172.29.100.0 255.255.255.0
>  area 0 range 172.29.200.0 255.255.255.0
>  area 12 range 172.29.12.0 255.255.255.0
>  area 12 virtual-link 192.168.1.1 message-digest-key 1 md5 ctasta
>  summary-address 172.29.24.0 255.255.255.0
>  redistribute connected subnets route-map c2o
>  redistribute rip metric 100 subnets route-map r2o
>  network 172.29.12.0 0.0.0.63 area 12
>  network 172.29.25.0 0.0.0.255 area 0
>  network 172.29.100.0 0.0.0.7 area 0
>  network 192.168.2.2 0.0.0.0 area 2
>  neighbor 172.29.100.6
>  neighbor 172.29.100.5
>  distance ospf inter-area 112 external 114
> !
> router rip
>  redistribute connected metric 2
>  redistribute ospf 1 metric 4 route-map o2r
>  passive-interface BRI0
>  passive-interface Ethernet0
>  passive-interface Loopback0
>  passive-interface Serial0.56
>  network 172.29.0.0
>  distribute-list 4 out Serial0.4
>  distance 105
> !
> router bgp 12
>  no synchronization
>  bgp log-neighbor-changes
>  neighbor 192.168.1.1 remote-as 12
>  neighbor 192.168.1.1 update-source Loopback0
>  neighbor 192.168.5.5 remote-as 5
>  neighbor 192.168.5.5 ebgp-multihop 5
>  neighbor 192.168.5.5 update-source Loopback0
>  neighbor 192.168.5.5 send-community
>  neighbor 192.168.5.5 route-map tor5 out
>  neighbor 192.168.6.6 remote-as 6
>  neighbor 192.168.6.6 ebgp-multihop 5
>  neighbor 192.168.6.6 update-source Loopback0
>  neighbor 192.168.6.6 send-community
>  neighbor 192.168.6.6 route-map tor6 out
>  no auto-summary
> !
> ip kerberos source-interface any
> ip classless
> ip http server
> !
> !
> ip access-list extended trusted
>  permit tcp any any reflect tcp-sessions
> ip access-list extended untrusted
>  permit ospf any any
>  permit tcp any any eq bgp
>  evaluate tcp-sessions
> access-list 1 permit 172.29.40.0 0.0.0.255
> access-list 1 permit 192.168.4.0 0.0.0.255
> access-list 2 permit 172.29.24.0 0.0.0.255
> access-list 4 deny 172.29.25.0 0.0.0.255
> access-list 4 permit any
> access-list 11 permit 10.12.1.0 0.0.0.255
> access-list 12 permit 10.12.2.0 0.0.0.255
> access-list 13 permit 10.12.3.0 0.0.0.255
> access-list 101 deny ip any host 224.0.0.5
> access-list 101 deny ip any host 224.0.0.6
> access-list 101 permit ip any any
> dialer-list 1 protocol ip list 101
> route-map c2r permit 10
>  match ip address 3
> !
> route-map r2o permit 10
>  match ip address 1
> !
> route-map o2r permit 10
>  match ip address 4
> !
> route-map c2o permit 10
>  match ip address 2
> !
> route-map tor5 permit 10
>  match ip address 11
>  set as-path prepend 100
> !
> route-map tor5 permit 20
>  match ip address 12
>  set as-path prepend 100 200
> !
> route-map tor5 permit 30
>  match ip address 13
>  set metric 275
> !
> route-map tor5 permit 40
> !
> route-map tor6 deny 10
>  match ip address 11
> !
> route-map tor6 permit 20
>  match ip address 12
>  set as-path prepend 1200
> !
> route-map tor6 permit 30
>  match ip address 13
>  set community no-export
> !
> route-map tor6 permit 40
> !
> !
> alias exec i show ip route
> alias exec r show run
> alias exec c config t
> alias exec u undebug all
> alias exec b show ip bgp
> alias exec bs show ip bgp sum
> alias exec s show ip int brief
> !
> line con 0
>  exec-timeout 0 0
>  logging synchronous
>  transport input none
>  escape-character 27
> line aux 0
> line vty 0 4
>  exec-timeout 0 0
>  password bp
>  login
> !
> end
>
> r2#
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
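The behaviour Navaid describes, as an added illustration that is not part of the thread: a toy model of r2's `trusted`/`untrusted` pair on Ethernet0 showing why a telnet sourced from r2 itself never gets a reflexive entry, while the same session from a host behind r2 does. Addresses are taken from Charles's config; r1's address 172.29.12.1 and the host address 172.29.24.4 are assumptions.

```python
# Added example, not from the thread. Models reflexive ACL state on r2's e0.
R1_IP = "172.29.12.1"      # assumed: r1 on the e0 segment
ROUTER_IP = "172.29.12.2"  # r2 Ethernet0 address from the posted config


def outbound_trusted(pkt, sessions):
    """'permit tcp any any reflect tcp-sessions': every TCP packet that
    passes the outbound list adds a mirrored entry to tcp-sessions."""
    if pkt["proto"] == "tcp":
        sessions.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        return True
    return False  # implicit deny at the end of the list


def inbound_untrusted(pkt, sessions):
    """permit ospf / permit tcp any any eq bgp / evaluate tcp-sessions,
    then the implicit deny that drops everything else (including ICMP)."""
    if pkt["proto"] == "ospf":
        return True
    if pkt["proto"] == "tcp" and pkt["dport"] == 179:
        return True
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return pkt["proto"] == "tcp" and key in sessions


def telnet_exchange(client_ip, transit):
    """Send a telnet SYN from client_ip to r1 via e0 and report whether
    r1's SYN-ACK is permitted back in. transit=False models traffic the
    router generates itself, which IOS does not run through the interface's
    outbound ACL, so no reflexive entry is ever created for it."""
    sessions = set()
    syn = {"proto": "tcp", "src": client_ip, "sport": 11000,
           "dst": R1_IP, "dport": 23}
    if transit:
        outbound_trusted(syn, sessions)
    synack = {"proto": "tcp", "src": R1_IP, "sport": 23,
              "dst": client_ip, "dport": 11000}
    return inbound_untrusted(synack, sessions)


if __name__ == "__main__":
    print("host behind r2:", telnet_exchange("172.29.24.4", transit=True))
    print("r2 itself:     ", telnet_exchange(ROUTER_IP, transit=False))
```

The second call is Charles's failing case: the SYN leaves without ever being seen by `trusted`, so `evaluate tcp-sessions` has nothing to match and the reply hits the implicit deny.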
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:23 GMT-3