From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Dec 18 2003 - 18:46:18 GMT-3
Looks like the latter part of my message got snipped.
The 2nd case is when the traffic is reflected as it comes in the inside
interface, and evaluated when coming in the outside interface:
Case 2: traffic reflected as it enters inside interface
interface Ethernet0/0
description To Inside Trusted Network
ip access-group OUTBOUND in
!
interface Serial0/0
description To Outside Untrusted Network
ip access-group INBOUND in
!
ip access-list extended INBOUND
evaluate REFLEXIVE
deny ip any any
!
ip access-list extended OUTBOUND
permit tcp any any reflect REFLEXIVE
permit udp any any reflect REFLEXIVE
permit icmp any any reflect REFLEXIVE
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
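The state-table behaviour described in this thread (flows are "reflected" into the table on the way out, return traffic is "evaluated" against it on the way in, and entries age out), as an added simulation that is not code from the thread or from Cisco IOS; the addresses are constructed and the assumption that a matching packet refreshes an entry's timer is mine:

```python
"""Toy model of a Cisco reflexive ACL (added example, not code from the
thread): 'reflect' records a flow leaving the trusted side, 'evaluate'
admits return traffic only while a matching entry is still alive."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # ports are ignored for icmp
    dport: int = 0

def _key(pkt):
    # ICMP entries are host-to-host; TCP/UDP entries include both ports.
    if pkt.proto == "icmp":
        return (pkt.proto, pkt.src, pkt.dst)
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

class ReflexiveAcl:
    def __init__(self, timeout=300):      # IOS default reflexive timeout
        self.timeout = timeout
        self.entries = {}                 # mirrored flow -> expiry time

    def reflect(self, pkt, now):
        # Store the reversed tuple so the return packet matches directly.
        mirror = Pkt(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[_key(mirror)] = now + self.timeout

    def evaluate(self, pkt, now):
        k = _key(pkt)
        if k not in self.entries or self.entries[k] < now:
            self.entries.pop(k, None)     # no entry, or it aged out
            return False
        self.entries[k] = now + self.timeout   # assumed: a match refreshes the timer
        return True

def demo():
    # Constructed addresses: 10.1.1.5 inside R1, 198.51.100.7 outside.
    # OUTBOUND = permit tcp any any reflect REFLEXIVE; INBOUND = evaluate
    # REFLEXIVE followed by deny ip any any, so evaluate() decides alone.
    acl, ins, out = ReflexiveAcl(), "10.1.1.5", "198.51.100.7"
    unsolicited = acl.evaluate(Pkt("tcp", out, ins, 4444, 22), now=0)
    acl.reflect(Pkt("tcp", ins, out, 50000, 80), now=1)   # host browses out
    reply = Pkt("tcp", out, ins, 80, 50000)
    return {"unsolicited": unsolicited,
            "reply": acl.evaluate(reply, now=2),
            "wrong_port": acl.evaluate(Pkt("tcp", out, ins, 80, 50001), now=2),
            "after_timeout": acl.evaluate(reply, now=400)}
```

Only the exact reverse of a reflected flow is admitted, which is why an unsolicited inbound SYN, a reply to the wrong port, and a reply arriving after the entry has timed out are all dropped by the trailing deny.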
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian McGahan
> Sent: Thursday, December 18, 2003 11:55 AM
> To: 'David Deng'; rich@myhomemail.net; ccielab@groupstudy.com
> Subject: RE: Help reflecxive access list
>
> David,
>
> Your access-lists are misplaced from the normal design model of a
> stateful firewall (reflexive, cbac, pix, etc). A "stateful" firewall means
> that when traffic leaves the network it is noted in a state table. When
> traffic tries to come back into the network it is only allowed if there is
> a previously created entry in the state table. A reflexive list uses the
> same principle.
>
> When traffic is leaving the network it is "reflected" to the state
> table. When traffic tries to come back in it is "evaluated" to see if there
> is a previous entry in the state table. If there is no entry (and no
> explicit permit statement) the traffic is denied. Traffic is typically
> "reflected" as it is going out the outside interface connecting to the
> untrusted portion of the network. However, traffic may also be "reflected"
> as it is coming in the inside interface(s) connected to the trusted portion
> of the network. The latter case typically occurs when only certain types of
> traffic are allowed to move from the inside interface to the outside
> interface or only traffic from certain interfaces is reflected while others
> are not.
>
>                         E0/0    S0/0
> Inside_trusted_network---R1---Outside_untrusted_network
>                    -----traffic flow---->
>
> Case 1: traffic reflected as it leaves outside interface
>
> interface Serial0/0
> description To Outside Untrusted Network
> ip access-group INBOUND in
> ip access-group OUTBOUND out
> !
> ip access-list extended INBOUND
> evaluate REFLEXIVE
> deny ip any any
> !
> ip access-list extended OUTBOUND
> permit tcp any any reflect REFLEXIVE
> permit udp any any reflect REFLEXIVE
> permit icmp any any reflect REFLEXIVE
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > David Deng
> > Sent: Thursday, December 18, 2003 1:45 AM
> > To: David Deng; rich@myhomemail.net; ccielab@groupstudy.com
> > Subject: Re: Help reflecxive access list
> >
> > I have also tried to add one statement each in the
> > access-lists to permit OSPF (permit ospf any any).
> >
> > I also added one loopback interface on both end routers; only the
> > spf2 router sees the loopback route from DMI. When I try to ping the
> > DMI loopback address from sfp2, here is what I got on the DMI router:
> >
> > 1w2d: ICMP: echo reply sent, src 172.16.2.2, dst 200.0.0.1
> > 1w2d: ICMP: dst (172.16.2.2) administratively prohibited unreachable rcv from 100.0.0.2
> >
> > Looks like an acl issue.
> >
> > David
> >
> >
> >
> > --- David Deng <glend_99@yahoo.com> wrote:
> > > David,
> > >
> > >
> > > Here is the output of the sh access-list test.
> > >
> > >
> > > shadow1#sh access-lists test
> > > Reflexive IP access list test
> > >      permit ospf host 224.0.0.5 eq host 200.0.0.1 (2097 matches) (time left 2)
> > >
> > > More testing has shown that the spf2 router has received the
> > > loopback route of DMI, but DMI cannot receive the loopback route
> > > of spf2 through OSPF. This could be the problem.
> > >
> > > David
> > >
> > >
> > > shadow1#
> > > --- Richard Davidson <rich@myhomemail.net> wrote:
> > > > try:
> > > > show access-list test
> > > >
> > > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > > Hi Group,
> > > > >
> > > > > I have a question on reflexive access lists: the traffic should
> > > > > be able to pass through the middle router as long as it is
> > > > > initiated from within the internal network. But I cannot achieve
> > > > > that result.
> > > > >
> > > > > Here is my config and results.
> > > > > ping from sfp2 to 100.0.0.1 ... no response
> > > > > ping from DMI to 200.0.0.1 - UUU unreachable
> > > > >
> > > > >
> > > >
> > > > > spf2------------g1/0/13--shadow1--g1/0/14-------DMI
> > > > > .1   200.0.0.0   .2                .2   100.0.0.0   .1
> > > > >
> > > > > shadow1#sh ip access-lists
> > > > > Extended IP access list in10
> > > > >     10 permit ospf any any reflect test (51 matches)
> > > > >     20 permit tcp any any reflect test
> > > > >     30 permit icmp any any reflect test
> > > > > Extended IP access list out10
> > > > >     10 evaluate test
> > > > > Reflexive IP access list test
> > > > >      permit ospf host 200.0.0.2 eq host 200.0.0.1 (7 matches) (time left 240)
> > > > >      permit ospf host 224.0.0.5 eq host 200.0.0.1 (51 matches) (time left 295)
> > > > > shadow1#sh run int g1/0/13
> > > > > Building configuration...
> > > > >
> > > > > Current configuration : 142 bytes
> > > > > !
> > > > > interface GigabitEthernet1/0/13
> > > > > no switchport
> > > > > ip address 200.0.0.2 255.255.255.0
> > > > > ip access-group in10 in
> > > > > ip access-group out10 out
> > > > > end
> > > > >
> > > > >
> > > > >
> > > > > __________________________________
> > > > > Do you Yahoo!?
> > > > > Protect your identity with Yahoo! Mail AddressGuard
> > > > > http://antispam.yahoo.com/whatsnewfree
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Please help support GroupStudy by purchasing your
> > > > > study materials from:
> > > > > http://shop.groupstudy.com
> > > > >
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > > =====
> > > > Richard Davidson
> > > > Yahoo IM: r1davidson
> > > > e-mail rich@myhomemail.net
> > >
> > >
> >
> >
>
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:42 GMT-3