From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Dec 18 2003 - 14:54:57 GMT-3
David,
Your access-lists are misplaced from the normal design model of a
stateful firewall (reflexive, CBAC, PIX, etc.). A "stateful" firewall means
that when traffic leaves the network it is noted in a state table. When
traffic tries to come back into the network it is only allowed if there is a
previously created entry in the state table. A reflexive list uses the same
principle.
When traffic is leaving the network it is "reflected" to the state
table. When traffic tries to come back in it is "evaluated" to see if there
is a previous entry in the state table. If there is no entry (and no
explicit permit statement) the traffic is denied. Traffic is typically
"reflected" as it is going out the outside interface connecting to the
untrusted portion of the network. However, traffic may also be "reflected"
as it is coming in the inside interface(s) connected to the trusted portion
of the network. The latter case typically occurs when only certain types of
traffic are allowed to move from the inside interface to the outside
interface or only traffic from certain interfaces is reflected while others
are not.
                       E0/0      S0/0
Inside_trusted_network---R1---Outside_untrusted_network
                         -----traffic flow---->
Case 1: traffic reflected as it leaves outside interface
interface Serial0/0
 description To Outside Untrusted Network
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
ip access-list extended INBOUND
 evaluate REFLEXIVE
 deny ip any any
!
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLEXIVE
 permit udp any any reflect REFLEXIVE
 permit icmp any any reflect REFLEXIVE
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
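As an added illustration of the reflect/evaluate mechanics described above (example code written for this archive page, not Cisco code and not from the original post), here is a small Python model of the state table: entries are mirrored 5-tuples that age out, "evaluate" matches only those, and everything else falls through to explicit permit lines or the implicit deny. The addresses are the constructed ones from the quoted lab below (spf2 200.0.0.1, shadow1 200.0.0.2, DMI 100.0.0.1), and the OSPF case reuses the reflexive entry shown in the quoted output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str       # "tcp", "udp", "icmp" or "ospf" (constructed model)
    src: str
    dst: str
    sport: int = 0   # 0 for protocols without ports (icmp, ospf)
    dport: int = 0

class ReflexiveACL:
    """State table filled by 'reflect' and consulted by 'evaluate'."""
    def __init__(self, timeout=300):
        self.timeout = timeout
        self.table = {}  # mirrored header -> expiry time (seconds)

    def reflect(self, p, now):
        # The entry is the mirror image: return traffic has src/dst and ports swapped.
        mirror = Pkt(p.proto, p.dst, p.src, p.dport, p.sport)
        self.table[mirror] = now + self.timeout

    def evaluate(self, p, now):
        exp = self.table.get(p)
        if exp is None or exp < now:
            self.table.pop(p, None)  # an aged-out entry is purged, never matched
            return False
        return True

def inbound_permitted(acl, p, now, explicit=()):
    """'evaluate' first, then any explicit permit lines, then the implicit deny."""
    return acl.evaluate(p, now) or any(match(p) for match in explicit)

def demo():
    acl = ReflexiveACL(timeout=300)
    # 1. Inside host opens TCP outward; the mirrored reply direction is allowed back.
    acl.reflect(Pkt("tcp", "200.0.0.1", "100.0.0.1", 40000, 80), now=0)
    reply_ok = inbound_permitted(acl, Pkt("tcp", "100.0.0.1", "200.0.0.1", 80, 40000), now=10)
    # 2. Unsolicited inbound SYN: no state entry, so the implicit deny applies.
    unsolicited = inbound_permitted(acl, Pkt("tcp", "100.0.0.1", "200.0.0.1", 5555, 22), now=10)
    # 3. The same reply after the entry has aged past the timeout.
    stale = inbound_permitted(acl, Pkt("tcp", "100.0.0.1", "200.0.0.1", 80, 40000), now=400)
    # 4. Reflecting spf2's OSPF hello (200.0.0.1 -> 224.0.0.5) gives the entry the quoted
    #    output shows (host 224.0.0.5 ... host 200.0.0.1); the neighbour's own hello is
    #    200.0.0.2 -> 224.0.0.5 and never matches it, so only an explicit permit lets it in.
    acl.reflect(Pkt("ospf", "200.0.0.1", "224.0.0.5"), now=0)
    hello = Pkt("ospf", "200.0.0.2", "224.0.0.5")
    ospf_reflex_only = inbound_permitted(acl, hello, now=10)
    ospf_with_permit = inbound_permitted(acl, hello, now=10, explicit=(lambda q: q.proto == "ospf",))
    return reply_ok, unsolicited, stale, ospf_reflex_only, ospf_with_permit
```

Running demo() returns (True, False, False, False, True): only the mirrored reply matches, and a stateless multicast protocol needs its own permit line.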
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Deng
> Sent: Thursday, December 18, 2003 1:45 AM
> To: David Deng; rich@myhomemail.net; ccielab@groupstudy.com
> Subject: Re: Help reflexive access list
>
> I have also tried to add one statement in each of the
> access-lists to permit OSPF (permit ospf any any).
>
> I also added one loopback interface on both end routers;
> only the spf2 router sees the loopback route from DMI. When
> I try to ping the DMI loopback address from spf2, here is
> what I got on the DMI router:
>
> 1w2d: ICMP: echo reply sent, src 172.16.2.2, dst 200.0.0.1
> 1w2d: ICMP: dst (172.16.2.2) administratively prohibited unreachable rcv from 100.0.0.2
>
> Looks like an acl issue.
>
> David
>
>
>
> --- David Deng <glend_99@yahoo.com> wrote:
> > David,
> >
> >
> > Here is the output of the sh access-list test.
> >
> >
> > shadow1#sh access-lists test
> > Reflexive IP access list test
> >     permit ospf host 224.0.0.5 eq host 200.0.0.1 (2097 matches) (time left 2)
> >
> > More tests have shown that the spf2 router has received
> > the loopback route of the DMI, but DMI cannot receive
> > the loopback route of spf2 through OSPF. This could
> > be the problem.
> >
> > David
> >
> >
> > shadow1#
> > --- Richard Davidson <rich@myhomemail.net> wrote:
> > > try:
> > > show access-list test
> > >
> > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > Hi Group,
> > > >
> > > > I have a question on reflexive access lists: the
> > > > traffic should be able to pass through the middle
> > > > router as long as it is initiated from within the
> > > > internal network. But I cannot achieve the result.
> > > >
> > > > Here is my config and results.
> > > > ping from spf2 to 100.0.0.1 ... no response
> > > > ping from DMI to 200.0.0.1 - UUU unreachable
> > > >
> > > >
> > > > spf2------------g1/0/13--shadow1--g1/0/14-------DMI
> > > >   .1   200.0.0.0   .2           .2   100.0.0.0   .1
> > > >
> > > > shadow1#sh ip access-lists
> > > > Extended IP access list in10
> > > >     10 permit ospf any any reflect test (51 matches)
> > > >     20 permit tcp any any reflect test
> > > >     30 permit icmp any any reflect test
> > > > Extended IP access list out10
> > > >     10 evaluate test
> > > > Reflexive IP access list test
> > > >     permit ospf host 200.0.0.2 eq host 200.0.0.1 (7 matches) (time left 240)
> > > >     permit ospf host 224.0.0.5 eq host 200.0.0.1 (51 matches) (time left 295)
> > > > shadow1#sh run int g1/0/13
> > > > Building configuration...
> > > >
> > > > Current configuration : 142 bytes
> > > > !
> > > > interface GigabitEthernet1/0/13
> > > >  no switchport
> > > >  ip address 200.0.0.2 255.255.255.0
> > > >  ip access-group in10 in
> > > >  ip access-group out10 out
> > > > end
> > > >
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Please help support GroupStudy by purchasing your study materials from:
> > > > http://shop.groupstudy.com
> > > >
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > > =====
> > > Richard Davidson
> > > Yahoo IM: r1davidson
> > > e-mail rich@myhomemail.net
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:42 GMT-3