Re: Reflexive access lists

From: Daniel Sheedy (dansheedy@gmx.net)
Date: Tue Oct 21 2003 - 06:44:31 GMT-3


Hi Paul,

Do reflexive access lists work from the router that the reflexive lists are
actually on? I thought it applied these lists to the traffic that
traversed the router?

Daniel Sheedy

----- Original Message -----
From: "Paul Chen" <cpjchen@starhub.net.sg>
To: <ccielab@groupstudy.com>
Sent: Tuesday, October 21, 2003 10:19 AM
Subject: Reflexive access lists

> Hi All,
>
> I have the following scenario,
>
> R6 ----------FR -------------R13
>
> I am configuring a reflexive access-list whereby i allow only telnet
> sessions INITIATED FROM R6 to R13.
>
> However, I am unable to get it to work. I have already tested, and it works
> normally without the access lists applied.
>
> r6#telnet 173.3.200.13
> Trying 173.3.200.13 ...
> % Connection timed out; remote host not responding
>
>
> R6:
>
> interface Serial1/1
> bandwidth 1544
> ip address 173.3.200.6 255.255.255.240
>
> ip access-group infilter in
> ip access-group outfilter out
>
> encapsulation frame-relay
> frame-relay map ip 173.3.200.13 613 broadcast
>
>
> ip access-list extended infilter
> permit ospf any any
> permit tcp any any eq bgp
> permit icmp any any
> evaluate tcptraffic
>
> ip access-list extended outfilter
> permit tcp any any eq telnet reflect tcptraffic
>
> ------------------------------------------------------------------------------
>
> Telnet initiated from R13 to R6 works using a different set of rules :
>
>
> R6 :
>
> ip access-list extended infilter
>  permit ospf any any
>  permit tcp any any eq bgp
>  permit icmp any any
>  permit tcp any any eq telnet reflect tcptraffic
>
> ip access-list extended outfilter
>  evaluate tcptraffic
>
> r6#sh access-lists
> Standard IP access list 66
>     10 permit 208.1.1.0, wildcard bits 15.0.0.0 (44 matches)
> Extended IP access list infilter
>     10 permit ospf any any (6 matches)
>     20 permit tcp any any eq bgp (4 matches)
>     30 permit icmp any any
>     40 permit tcp any any eq telnet reflect tcptraffic
> Extended IP access list outfilter
>     10 evaluate tcptraffic
> Reflexive IP access list tcptraffic
>      permit tcp host 173.3.6.6 eq telnet host 173.3.200.13 eq 11003 (19 matches)
>  (time left 297)
>
>
>
> Any help appreciated.
>
> Thanks,
> Paul
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html


This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:05 GMT-3