From: David Deng (glend_99@yahoo.com)
Date: Thu Dec 18 2003 - 20:02:06 GMT-3
Forgot to mention that after changing my config to
match your suggestion, it still did not work.
Maybe I am missing something here.
              Int. net                  ext. net
                g1/0/13        g1/0/14
sfp2 -----------shadow1------------DMI
.1   200.0.0.0   .2        .2   100.0.0.0   .1
shadow1#sh run int g1/0/14
interface GigabitEthernet1/0/14
no switchport
ip address 100.0.0.2 255.255.255.0
ip access-group in30 in
ip access-group out30 out
shadow1#sh access-lists
Extended IP access list in30
10 permit ospf any any (352 matches)
20 evaluate test30
Extended IP access list out30
10 permit ospf any any
20 permit icmp any any reflect test30
30 permit tcp any any reflect test30
40 permit udp any any reflect test30
Reflexive IP access list test30
spf-2#sh ip route
Gateway of last resort is not set
100.0.0.0/24 is subnetted, 1 subnets
O 100.0.0.0 [110/2] via 200.0.0.2, 15:22:34,
GigabitEthernet1/0/3
C 200.0.0.0/24 is directly connected,
GigabitEthernet1/0/3
172.16.0.0/32 is subnetted, 1 subnets
O 172.16.2.2 [110/3] via 200.0.0.2, 15:22:34,
GigabitEthernet1/0/3
192.168.1.0/32 is subnetted, 1 subnets
C 192.168.1.1 is directly connected, Loopback1
DMI#sh ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.0.0.0 is directly connected,
GigabitEthernet3/0/23
O 200.0.0.0/24 [110/2] via 100.0.0.2, 14:56:02,
GigabitEthernet3/0/23
172.16.0.0/32 is subnetted, 1 subnets
C 172.16.2.2 is directly connected, Loopback0
DMI#
--- David Deng <glend_99@yahoo.com> wrote:
> Hi Brian,
>
> Thanks for the explanation. However I can see why it
> didn't work for two reasons in my setup.
>
> 1. The routing table does not install the routes on
> one side even though I have permit OSPF on both
> sides, the permitting OSPF is not part of ACL so it
> would be independent of reflexive ACL, I was not able
> to accomplish that.
>
> 2. The temporary entry did not get created so when
> traffic came back, it got administratively
> prohibited.
>
>
> Any suggestions ?
>
> Regards,
> David
> --- Brian McGahan <bmcgahan@internetworkexpert.com>
> wrote:
> > Looks like the latter part of my message got
> > snipped.
> >
> > The 2nd case is when the traffic is reflected as it
> > comes in the inside interface, and evaluated when
> > coming in the outside interface:
> >
> > Case 2: traffic reflected as it enters inside
> > interface
> >
> > interface Ethernet0/0
> > description To Inside Trusted Network
> > ip access-group OUTBOUND in
> > !
> > interface Serial0/0
> > description To Outside Untrusted Network
> > ip access-group INBOUND in
> > !
> > ip access-list extended INBOUND
> > evaluate REFLEXIVE
> > deny ip any any
> > !
> > ip access-list extended OUTBOUND
> > permit tcp any any reflect REFLEXIVE
> > permit udp any any reflect REFLEXIVE
> > permit icmp any any reflect REFLEXIVE
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > > Brian McGahan
> > > Sent: Thursday, December 18, 2003 11:55 AM
> > > To: 'David Deng'; rich@myhomemail.net;
> > ccielab@groupstudy.com
> > > Subject: RE: Help reflecxive access list
> > >
> > > David,
> > >
> > > Your access-lists are misplaced from the normal
> > > design model of a stateful firewall (reflexive,
> > > cbac, pix, etc). A "stateful" firewall means that
> > > when traffic leaves the network it is noted in a
> > > state table. When traffic tries to come back into
> > > the network it is only allowed if there is a
> > > previously created entry in the state table. A
> > > reflexive list uses the same principle.
> > >
> > > When traffic is leaving the network it is
> > > "reflected" to the state table. When traffic tries
> > > to come back in it is "evaluated" to see if there
> > > is a previous entry in the state table. If there
> > > is no entry (and no explicit permit statement) the
> > > traffic is denied. Traffic is typically "reflected"
> > > as it is going out the outside interface connecting
> > > to the untrusted portion of the network. However,
> > > traffic may also be "reflected" as it is coming in
> > > the inside interface(s) connected to the trusted
> > > portion of the network. The latter case typically
> > > occurs when only certain types of traffic are
> > > allowed to move from the inside interface to the
> > > outside interface or only traffic from certain
> > > interfaces is reflected while others are not.
> > >
> > >                    E0/0    S0/0
> > > Inside_trusted_network---R1---Outside_untrusted_network
> > >                    -----traffic flow---->
> > >
> > > Case 1: traffic reflected as it leaves outside
> > interface
> > >
> > > interface Serial0/0
> > > description To Outside Untrusted Network
> > > ip access-group INBOUND in
> > > ip access-group OUTBOUND out
> > > !
> > > ip access-list extended INBOUND
> > > evaluate REFLEXIVE
> > > deny ip any any
> > > !
> > > ip access-list extended OUTBOUND
> > > permit tcp any any reflect REFLEXIVE
> > > permit udp any any reflect REFLEXIVE
> > > permit icmp any any reflect REFLEXIVE
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > >
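As an added illustration of the reflect/evaluate pairing Brian describes (this is not code from the thread or from any Cisco product, but a small Python model written for this archive page): the outbound list notes the reversed 5-tuple of each permitted flow in a per-list state table, the inbound "evaluate" line consults that table, and a static "permit ospf" line lets the routing protocol through without touching the state table at all. The addresses reuse the 200.0.0.0/24 and 100.0.0.0/24 links and the 172.16.2.2 loopback from David's output; the packets, port numbers and the simplified ICMP handling (real IOS tracks ICMP type and code rather than a zero port) are constructed assumptions.

```python
# Added example: a simplified model of a Cisco reflexive ACL's state table.
# Not from the thread; addresses borrowed from David's setup, packets constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "ospf"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports (simplification)
    dport: int = 0


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # protocol name or "ip" for any
    reflect: Optional[str] = None     # reflexive list to populate
    evaluate: Optional[str] = None    # reflexive list to consult


class ReflexiveFirewall:
    def __init__(self) -> None:
        # reflexive list name -> reversed 5-tuples expected back
        self.state: Dict[str, Set[Key]] = {}
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        # What the return traffic of this flow will look like
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def apply(self, acl: List[Entry], p: Packet) -> str:
        """Walk an extended ACL top to bottom; implicit deny at the end."""
        for e in acl:
            if e.evaluate is not None:
                # 'evaluate' line: permit only if a reflected entry matches
                if self._key(p) in self.state.get(e.evaluate, set()):
                    self.log.append(f"evaluate {e.evaluate}: match {self._key(p)}")
                    return "permit"
                continue  # no match: fall through to the later lines
            if e.proto not in ("ip", p.proto):
                continue
            if e.action == "permit" and e.reflect is not None:
                # 'reflect' keyword: note the expected return traffic
                self.state.setdefault(e.reflect, set()).add(self._reverse_key(p))
                self.log.append(f"reflect {e.reflect}: add {self._reverse_key(p)}")
            return e.action
        return "deny"  # implicit deny ip any any


# Case 1 from the thread, with David's static OSPF permits added on both lists.
OUTBOUND = [
    Entry("permit", "ospf"),                       # static, no reflect
    Entry("permit", "tcp", reflect="REFLEXIVE"),
    Entry("permit", "udp", reflect="REFLEXIVE"),
    Entry("permit", "icmp", reflect="REFLEXIVE"),
]
INBOUND = [
    Entry("permit", "ospf"),                       # routing adjacency stays up
    Entry("permit", "ip", evaluate="REFLEXIVE"),
    Entry("deny", "ip"),
]


def run_case1() -> Dict[str, object]:
    """Drive constructed packets through the outside interface's lists."""
    fw = ReflexiveFirewall()
    r: Dict[str, object] = {}
    # OSPF hello from the outside neighbour: allowed by the static line
    r["ospf_in"] = fw.apply(INBOUND, Packet("ospf", "100.0.0.1", "224.0.0.5"))
    # Unsolicited TCP from outside: nothing reflected yet, so denied
    r["unsolicited_tcp"] = fw.apply(INBOUND, Packet("tcp", "100.0.0.1", "200.0.0.1", 40000, 23))
    # Inside host opens telnet outward: permitted and reflected
    r["tcp_out"] = fw.apply(OUTBOUND, Packet("tcp", "200.0.0.1", "100.0.0.1", 11000, 23))
    # Return SYN/ACK now matches the reflected entry
    r["tcp_return"] = fw.apply(INBOUND, Packet("tcp", "100.0.0.1", "200.0.0.1", 23, 11000))
    # Echo request to the DMI loopback, echo reply back
    r["icmp_out"] = fw.apply(OUTBOUND, Packet("icmp", "200.0.0.1", "172.16.2.2"))
    r["icmp_return"] = fw.apply(INBOUND, Packet("icmp", "172.16.2.2", "200.0.0.1"))
    # Outbound OSPF hits the static permit first and creates no state
    fw.apply(OUTBOUND, Packet("ospf", "100.0.0.2", "224.0.0.5"))
    r["state_size"] = len(fw.state["REFLEXIVE"])
    return r


if __name__ == "__main__":
    for k, v in run_case1().items():
        print(f"{k}: {v}")
```

The model does not care which interface a list is attached to, only that the list carrying the `reflect` lines sees the flow first and the list carrying `evaluate` sees the return; that is exactly why Brian's Case 1 (OUTBOUND applied out on the outside interface) and Case 2 (OUTBOUND applied in on the inside interface) behave the same for this traffic. When troubleshooting, the analogue of `fw.state` is `show access-lists`: an empty "Reflexive IP access list" after sending traffic, as in David's output, means the reflect line never matched the outgoing packet.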
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:43 GMT-3