Access-list - Reflective - Local router cannot pass ACL

From: Ken.Farrington@barclayscapital.com
Date: Mon Oct 27 2003 - 14:29:33 GMT-3

• Next message: David Deng: "RE: remove the /32 host route for PPPOA virtual Access int"
• Previous message: trouse@cisco.com: "BGP path selection and synchronization."
• Next in thread: Ozgur Guler (Garanti Teknoloji): "RE: Access-list - Reflective - Local router cannot pass ACL"
• Maybe reply: Ozgur Guler (Garanti Teknoloji): "RE: Access-list - Reflective - Local router cannot pass ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

All, I have this problem, and I think I am missing a config line on mmy
router to make this work.

    ip200.200.1.1 .2 .2
ip200.201.1.1
          fa0 fa0 fa1 fa0
 
Testrtr1----------------------Testrtr2--------------------------Testrtr3

I apply the ACLs below to fa0 of testrtr2. then from testrtr2, i cannot
ping testrtr1 and I have tried using a source address of fa1 on testrtr2.
NOW, from testrtr3, I can ping testrtr1 and you can see it creates the
RACL.

There must be some local ip setting on the router or something for me to be
able to ping from rtr2 to rtr1 and use the ACLs? If so, have lost the plot
and cannot figure this out.

Could any please advise?

!
interface FastEthernet0
 ip address 200.200.1.2 255.255.255.0
 ip access-group icmp-in in
 ip access-group icmp-out out
 no ip route-cache
!
!
ip access-list extended icmp-in
 evaluate icmp-racl
ip access-list extended icmp-out
 permit icmp any any reflect icmp-racl
!
end

ACL when i ping from rtr2

TEST2#sh ip access-list
Extended IP access list icmp-in
    evaluate icmp-racl
Extended IP access list icmp-out
    permit icmp any any reflect icmp-racl
Reflexive IP access list icmp-racl

ACL when I ping from rtr3

TEST2#sh ip access-list
Extended IP access list icmp-in
    evaluate icmp-racl
!
Extended IP access list icmp-out
    permit icmp any any reflect icmp-racl
!
Reflexive IP access list icmp-racl
    permit icmp host 200.200.1.1 host 200.201.1.1 (15 matches) (time left
787429)
TEST2#

------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays
Group does not accept legal responsibility for the contents of this
message. Although the Barclays Group operates anti-virus programmes,
it does not accept responsibility for any damage whatsoever that is
caused by viruses being passed. Any views or opinions presented are
solely those of the author and do not necessarily represent those of the
Barclays Group. Replies to this email may be monitored by the Barclays
Group for operational or business reasons.

------------------------------------------------------------------------

• Next message: David Deng: "RE: remove the /32 host route for PPPOA virtual Access int"
• Previous message: trouse@cisco.com: "BGP path selection and synchronization."
• Next in thread: Ozgur Guler (Garanti Teknoloji): "RE: Access-list - Reflective - Local router cannot pass ACL"
• Maybe reply: Ozgur Guler (Garanti Teknoloji): "RE: Access-list - Reflective - Local router cannot pass ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:09 GMT-3