From: David Deng (glend_99@yahoo.com)
Date: Thu Dec 18 2003 - 19:47:57 GMT-3
Hi Brian,
Thanks for the explanation. However, I can see why it
didn't work, for two reasons, in my setup.
1. The routing table does not install the routes on
one side even though I have permit OSPF on both sides;
the permitting of OSPF is not part of the ACL, so it would
be independent of the reflexive ACL. I was not able to
accomplish that.
2. The temporary entry did not get created, so when
traffic came back, it got administratively
prohibited.
Any suggestions ?
Regards,
David
--- Brian McGahan <bmcgahan@internetworkexpert.com>
wrote:
> Looks like the latter part of my message got
> snipped.
> 
> The 2nd case is when the traffic is reflected as it
> comes in the inside
> interface, and evaluated when coming in the outside
> interface:
> 
> Case 2: traffic reflected as it enters inside
> interface
>  
> interface Ethernet0/0
>   description To Inside Trusted Network
>   ip access-group OUTBOUND in
> !
> interface Serial0/0
>   description To Outside Untrusted Network
>   ip access-group INBOUND in
> !
>  ip access-list extended INBOUND
>   evaluate REFLEXIVE
>   deny   ip any any
>  !
>  ip access-list extended OUTBOUND
>   permit tcp any any reflect REFLEXIVE
>   permit udp any any reflect REFLEXIVE
>   permit icmp any any reflect REFLEXIVE
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com 
> 
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
> 
> 
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian McGahan
> > Sent: Thursday, December 18, 2003 11:55 AM
> > To: 'David Deng'; rich@myhomemail.net; ccielab@groupstudy.com
> > Subject: RE: Help reflecxive access list
> > 
> > David,
> > 
> > 	Your access-lists are misplaced from the normal design model of a
> > stateful firewall (reflexive, cbac, pix, etc).  A "stateful" firewall means
> > that when traffic leaves the network it is noted in a state table.  When
> > traffic tries to come back into the network it is only allowed if there is a
> > previously created entry in the state table.  A reflexive list uses the same
> > principle.
> > 
> > 	When traffic is leaving the network it is "reflected" to the state
> > table.  When traffic tries to come back in it is "evaluated" to see if there
> > is a previous entry in the state table.  If there is no entry (and no
> > explicit permit statement) the traffic is denied.  Traffic is typically
> > "reflected" as it is going out the outside interface connecting to the
> > untrusted portion of the network.  However, traffic may also be "reflected"
> > as it is coming in the inside interface(s) connected to the trusted portion
> > of the network.  The latter case typically occurs when only certain types of
> > traffic are allowed to move from the inside interface to the outside
> > interface or only traffic from certain interfaces is reflected while others
> > are not.
> > 
> > .                    E0/0  S0/0
> > Inside_trusted_network---R1---Outside_untrusted_network
> > .               -----traffic flow---->
> > 
> > Case 1: traffic reflected as it leaves outside
> interface
> > 
> > interface Serial0/0
> >  description To Outside Untrusted Network
> >  ip access-group INBOUND in
> >  ip access-group OUTBOUND out
> > !
> > ip access-list extended INBOUND
> >  evaluate REFLEXIVE
> >  deny   ip any any
> > !
> > ip access-list extended OUTBOUND
> >  permit tcp any any reflect REFLEXIVE
> >  permit udp any any reflect REFLEXIVE
> >  permit icmp any any reflect REFLEXIVE
> > 
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> > 
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> > 
> > 
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of David Deng
> > > Sent: Thursday, December 18, 2003 1:45 AM
> > > To: David Deng; rich@myhomemail.net; ccielab@groupstudy.com
> > > Subject: Re: Help reflecxive access list
> > >
> > > I have also tried to add one statement each in the
> > > access-lists to permit OSPF (permit ospf any any).
> > >
> > > I also added one loopback interface on both end routers;
> > > only the spf2 router sees the loopback route from DMI. When
> > > I try to ping the DMI loopback address from sfp2, here is
> > > what I got on the DMI router:
> > >
> > > 1w2d: ICMP: echo reply sent, src 172.16.2.2, dst 200.0.0.1
> > > 1w2d: ICMP: dst (172.16.2.2) administratively prohibited unreachable rcv from 100.0.0.2
> > >
> > > Looks like an ACL issue.
> > >
> > > David
> > >
> > >
> > >
> > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > David,
> > > >
> > > >
> > > > Here is the output of the sh access-list test.
> > > >
> > > >
> > > > shadow1#sh access-lists test
> > > > Reflexive IP access list test
> > > >      permit ospf host 224.0.0.5 eq  host 200.0.0.1 (2097 matches) (time left 2)
> > > >
> > > > More testing has shown that the spf2 router has received the
> > > > loopback route of the DMI, but DMI cannot receive the
> > > > loopback route of spf2 through OSPF. This could be
> > > > the problem.
> > > >
> > > > David
> > > >
> > > >
> > > > shadow1#
> > > > --- Richard Davidson <rich@myhomemail.net> wrote:
> > > > > try:
> > > > > show access-list test
> > > > >
> > > > > --- David Deng <glend_99@yahoo.com> wrote:
> > > > > > Hi Group,
> > > > > >
> > > > > > I have a question on reflexive access lists: the
> > > > > > traffic should be able to pass through the middle
> > > > > > router as long as it is initiated from within the
> > > > > > internal network. But I cannot achieve the result.
> > > > > >
> > > > > > Here is my config and results.
> > > > > > ping from sfp2 to 100.0.0.1 ...  no response
> 
=== message truncated ===
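The following is an added illustration, not part of the thread and not anyone's router config: a small Python model of the reflect/evaluate behaviour of Brian's Case 1 lists on Serial0/0, extended to the OSPF case David runs into. A reflected entry is the mirror image (source and destination swapped) of the outgoing flow, so a hello sent to 224.0.0.5 can never produce an entry that matches the neighbour's hello, which also arrives addressed to 224.0.0.5; OSPF therefore needs its own explicit permit in the inbound list. Flows are simplified to (protocol, source, destination), ports and the reflexive timeout are ignored, and the addresses are borrowed from the thread's debug output purely as sample values.

```python
# Added example (not from the thread): a toy model of Cisco IOS reflexive ACL
# "reflect"/"evaluate" semantics for the Case 1 INBOUND/OUTBOUND lists on S0/0.
# Simplification: a flow is (proto, src, dst); no ports, no timeout handling.
# Addresses are sample values borrowed from the thread's debug output.

OSPF_ALLSPF = "224.0.0.5"   # AllSPFRouters multicast group used by OSPF hellos


class ReflexiveFirewall:
    def __init__(self, reflect_protos=("tcp", "udp", "icmp"),
                 explicit_inbound_permits=()):
        # Protocols that OUTBOUND reflects into the REFLEXIVE state table
        # (the thread's list reflects tcp, udp and icmp).
        self.reflect_protos = set(reflect_protos)
        # Assumed explicit "permit <proto> any any" lines placed in INBOUND
        # ahead of "evaluate REFLEXIVE".
        self.explicit = set(explicit_inbound_permits)
        # State table: the mirror image (src/dst swapped) of each reflected flow.
        self.state = set()

    def outbound(self, proto, src, dst):
        """OUTBOUND (applied out on S0/0): reflect matching flows, else deny."""
        if proto in self.reflect_protos:
            self.state.add((proto, dst, src))      # mirrored entry
            return True
        return False                               # implicit deny ip any any

    def inbound(self, proto, src, dst):
        """INBOUND (applied in on S0/0): explicit permits, evaluate, then deny."""
        if proto in self.explicit:
            return True
        if (proto, src, dst) in self.state:        # evaluate REFLEXIVE
            return True
        return False   # deny ip any any -> "administratively prohibited"


def ping_roundtrip(fw, inside="200.0.0.1", outside="172.16.2.2"):
    """Echo request leaves, echo reply returns: the mirrored entry matches."""
    fw.outbound("icmp", inside, outside)
    return fw.inbound("icmp", outside, inside)


def ospf_adjacency(fw, local="200.0.0.1", neighbor="100.0.0.2"):
    """Our hello goes to 224.0.0.5; the neighbour's hello comes FROM its own
    address TO 224.0.0.5, so a mirrored entry (224.0.0.5 -> local) never
    matches it.  Only an explicit inbound permit lets the adjacency form."""
    fw.outbound("ospf", local, OSPF_ALLSPF)
    return fw.inbound("ospf", neighbor, OSPF_ALLSPF)
```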
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:43 GMT-3