RE: Reflexive access lists

From: Snow, Tim (timothy.snow@eds.com)
Date: Tue Oct 21 2003 - 06:51:17 GMT-3


The problem that you are having is that reflexive ACLs will only work for
traffic that is passing through the router.

NAT has the same issue. Policy routing has the same type of issue, but there
is a nice fix for it, "ip local policy", that will affect packets generated
by the router itself.

Try adding a workstation behind R6 and see if it works.

Tim
#12042

-----Original Message-----
From: Paul Chen [mailto:cpjchen@starhub.net.sg]
Sent: Tuesday, October 21, 2003 4:20 AM
To: ccielab@groupstudy.com
Subject: Reflexive access lists

Hi All,

I have the following scenario,

R6 ----------FR -------------R13

I am configuring a reflexive access-list whereby I allow only telnet
sessions INITIATED FROM R6 to R13.

However, I am unable to get it to work. I have already tested, and it works
normally without the access lists applied.

r6#telnet 173.3.200.13
Trying 173.3.200.13 ...
% Connection timed out; remote host not responding

R6:

interface Serial1/1
 bandwidth 1544
 ip address 173.3.200.6 255.255.255.240
 ip access-group infilter in
 ip access-group outfilter out
 encapsulation frame-relay
 frame-relay map ip 173.3.200.13 613 broadcast

ip access-list extended infilter
 permit ospf any any
 permit tcp any any eq bgp
 permit icmp any any
 evaluate tcptraffic

ip access-list extended outfilter
 permit tcp any any eq telnet reflect tcptraffic

----------------------------------------------------------------------------

Telnet initiated from R13 to R6 works using a different set of rules:

R6 :

ip access-list extended infilter
 permit ospf any any
 permit tcp any any eq bgp
 permit icmp any any
 permit tcp any any eq telnet reflect tcptraffic

ip access-list extended outfilter
 evaluate tcptraffic

r6#sh access-lists
Standard IP access list 66
    10 permit 208.1.1.0, wildcard bits 15.0.0.0 (44 matches)
Extended IP access list infilter
    10 permit ospf any any (6 matches)
    20 permit tcp any any eq bgp (4 matches)
    30 permit icmp any any
    40 permit tcp any any eq telnet reflect tcptraffic
Extended IP access list outfilter
    10 evaluate tcptraffic
Reflexive IP access list tcptraffic
     permit tcp host 173.3.6.6 eq telnet host 173.3.200.13 eq 11003 (19 matches)
 (time left 297)

Any help appreciated.

Thanks,
Paul
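As an added example (not part of either message in this thread), here is R6 configured the way Tim suggests: the reflexive entry is created by a telnet session from a workstation on a LAN behind R6 rather than by R6's own session. Packets the router generates itself are not evaluated by an outbound ACL, so the `reflect` entry never fires for them; the SYN/ACK coming back from R13 then matches nothing in infilter (the `evaluate` list is empty) and is dropped by the implicit deny, which is why the telnet from R6 times out. The LAN interface, its 10.6.6.0/24 subnet and the workstation address 10.6.6.100 are assumptions; the serial interface, ACL names and Frame Relay mapping are taken from Paul's post. The `ip reflexive-list timeout` line is optional; the default idle timeout is 300 seconds, which is where the `time left 297` in the output above comes from.

```cisco
! R6 -- added example, not from the original post.
! Assumed: Ethernet0/0 connects a LAN 10.6.6.0/24 with a workstation
! at 10.6.6.100 (hypothetical). R13 must have a route back to 10.6.6.0/24.
!
! Idle timeout for temporary reflexive entries (default is 300 seconds).
ip reflexive-list timeout 120
!
interface Ethernet0/0
 ip address 10.6.6.1 255.255.255.0
!
interface Serial1/1
 bandwidth 1544
 ip address 173.3.200.6 255.255.255.240
 encapsulation frame-relay
 frame-relay map ip 173.3.200.13 613 broadcast
 ip access-group infilter in
 ip access-group outfilter out
!
! Outbound: only telnet from the LAN may leave, and each session creates a
! mirrored temporary entry in "tcptraffic". Telnet sourced by R6 itself is
! never seen by this ACL, so it is never reflected.
ip access-list extended outfilter
 remark transit telnet from the LAN toward R13 -- reflected
 permit tcp 10.6.6.0 0.0.0.255 any eq telnet reflect tcptraffic
!
! Inbound: routing protocols and ICMP as before, then the reflected
! entries; everything else hits the implicit deny.
ip access-list extended infilter
 permit ospf any any
 permit tcp any any eq bgp
 permit icmp any any
 evaluate tcptraffic
!
! Verification, after "telnet 173.3.200.13" from 10.6.6.100:
!   show access-lists tcptraffic
! should list a temporary entry of the form
!   permit tcp host 173.3.200.13 eq telnet host 10.6.6.100 eq <port>
! with a "time left" counter; "telnet 173.3.200.13" from R6 itself
! still times out with this configuration.
```

If the requirement really is telnet sourced from R6 rather than from a host behind it, a reflexive ACL on Serial1/1 cannot meet it, because the outbound ACL that carries the `reflect` keyword is simply not in the path of locally generated packets.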



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:05 GMT-3