From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Dec 18 2003 - 20:28:17 GMT-3
David,
        This portion of your configuration looks fine.  Take the list off.
Can you ping from 200.0.0.1 to 100.0.0.1?  Put the list back on.  How about
now?  Here is a duplicate setup which behaves as it should:
Inside   outside
R1-----R2-----R3
   E0/0  S0/1
R1:
interface Ethernet0/0
 ip address 200.0.0.1 255.0.0.0
!
router ospf 1
 network 200.0.0.1 0.0.0.0 area 0
R2:
interface Ethernet0/0
 ip address 200.0.0.2 255.0.0.0
!
interface Serial0/1
 ip address 100.0.0.2 255.0.0.0
 ip access-group in30 in
 ip access-group out30 out
!
router ospf 1
 network 100.0.0.2 0.0.0.0 area 0
 network 200.0.0.2 0.0.0.0 area 0
!
ip access-list extended in30
 permit ospf any any
 evaluate test30 
!
ip access-list extended out30
 permit icmp any any reflect test30
 permit tcp any any reflect test30
 permit udp any any reflect test30
R3:
interface Serial1/3
 ip address 100.0.0.1 255.0.0.0
!
router ospf 1
 network 100.0.0.1 0.0.0.0 area 0
Traffic is denied when it is initiated from R3 to R1:
R3#ping 200.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
U.U.U
Traffic is permitted when it is initiated from R1 to R3:
R1#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
R2's reflexive list illustrates the state table for this traffic flow:
R2#sh access-list test30
Reflexive IP access list test30
     permit icmp host 100.0.0.1 host 200.0.0.1  (10 matches) (time left 258)
What is the problem you are seeing?
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
> -----Original Message-----
> From: David Deng [mailto:glend_99@yahoo.com]
> Sent: Thursday, December 18, 2003 5:02 PM
> To: David Deng; Brian McGahan; rich@myhomemail.net; ccielab@groupstudy.com
> Subject: RE: Help reflecxive access list
> 
> Forgot to mention that after changing my config to
> match your suggestion, it still did not work.
> Maybe I am missing something here.
> 
> 
> 
>        Int. net         ext. net
>              g1/0/13  g1/0/14
> sfp2 -----------shadow1------------DMI
>     .1 200.0.0.0 .2  .2 100.0.0.0  .1
> 
> shadow1#sh run int g1/0/14
> interface GigabitEthernet1/0/14
>  no switchport
>  ip address 100.0.0.2 255.255.255.0
>  ip access-group in30 in
>  ip access-group out30 out
> 
> 
>   shadow1#sh access-lists
> Extended IP access list in30
>     10 permit ospf any any (352 matches)
>     20 evaluate test30
> Extended IP access list out30
>     10 permit ospf any any
>     20 permit icmp any any reflect test30
>     30 permit tcp any any reflect test30
>     40 permit udp any any reflect test30
> Reflexive IP access list test30
> spf-2#sh ip route
> Gateway of last resort is not set
> 
>      100.0.0.0/24 is subnetted, 1 subnets
> O       100.0.0.0 [110/2] via 200.0.0.2, 15:22:34, GigabitEthernet1/0/3
> C    200.0.0.0/24 is directly connected, GigabitEthernet1/0/3
>      172.16.0.0/32 is subnetted, 1 subnets
> O       172.16.2.2 [110/3] via 200.0.0.2, 15:22:34, GigabitEthernet1/0/3
>      192.168.1.0/32 is subnetted, 1 subnets
> C       192.168.1.1 is directly connected, Loopback1
> 
> DMI#sh ip route
>      100.0.0.0/24 is subnetted, 1 subnets
> C       100.0.0.0 is directly connected, GigabitEthernet3/0/23
> O    200.0.0.0/24 [110/2] via 100.0.0.2, 14:56:02, GigabitEthernet3/0/23
>      172.16.0.0/32 is subnetted, 1 subnets
> C       172.16.2.2 is directly connected, Loopback0
> DMI#
> 
> 
> --- David Deng <glend_99@yahoo.com> wrote:
> > Hi Brian,
> >
> > Thanks for the explanation. However I can see why it
> > didn't work for two reasons in my setup.
> >
> > 1. The routing table does not install the routes on
> > one side even though I have permit OSPF on both
> > sides, the permitting OSPF is not part of ACL so it would
> > be independent of reflexive ACL, I was not able to
> > accomplish that.
> >
> > 2. The temporary entry did not get created so when
> > traffic coming back, it got administratively
> > prohibited.
> >
> >
> > Any suggestions ?
> >
> > Regards,
> > David
> > --- Brian McGahan <bmcgahan@internetworkexpert.com>
> > wrote:
> > > Looks like the latter part of my message got snipped.
> > >
> > > The 2nd case is when the traffic is reflected as it comes in the inside
> > > interface, and evaluated when coming in the outside interface:
> > >
> > > Case 2: traffic reflected as it enters inside interface
> > >
> > > interface Ethernet0/0
> > >   description To Inside Trusted Network
> > >   ip access-group OUTBOUND in
> > > !
> > > interface Serial0/0
> > >   description To Outside Untrusted Network
> > >   ip access-group INBOUND in
> > > !
> > >  ip access-list extended INBOUND
> > >   evaluate REFLEXIVE
> > >   deny   ip any any
> > >  !
> > >  ip access-list extended OUTBOUND
> > >   permit tcp any any reflect REFLEXIVE
> > >   permit udp any any reflect REFLEXIVE
> > >   permit icmp any any reflect REFLEXIVE
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com
> > > [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Brian McGahan
> > > > Sent: Thursday, December 18, 2003 11:55 AM
> > > > To: 'David Deng'; rich@myhomemail.net;
> > > ccielab@groupstudy.com
> > > > Subject: RE: Help reflecxive access list
> > > >
> > > > David,
> > > >
> > > > 	Your access-lists are misplaced from the normal design model of a
> > > > stateful firewall (reflexive, cbac, pix, etc).  A "stateful" firewall means
> > > > that when traffic leaves the network it is noted in a state table.  When
> > > > traffic tries to come back into the network it is only allowed if there is a
> > > > previously created entry in the state table.  A reflexive list uses the same
> > > > principle.
> > > >
> > > > 	When traffic is leaving the network it is "reflected" to the state
> > > > table.  When traffic tries to come back in it is "evaluated" to see if there
> > > > is a previous entry in the state table.  If there is no entry (and no
> > > > explicit permit statement) the traffic is denied.  Traffic is typically
> > > > "reflected" as it is going out the outside interface connecting to the
> > > > untrusted portion of the network.  However, traffic may also be "reflected"
> > > > as it is coming in the inside interface(s) connected to the trusted portion
> > > > of the network.  The latter case typically occurs when only certain types of
> > > > traffic are allowed to move from the inside interface to the outside
> > > > interface or only traffic from certain interfaces is reflected while others
> > > > are not.
> > > >
> > > >                         E0/0   S0/0
> > > > Inside_trusted_network---R1---Outside_untrusted_network
> > > >                    -----traffic flow---->
> > > >
> > > > Case 1: traffic reflected as it leaves outside
> > > interface
> > > >
> > > > interface Serial0/0
> > > >  description To Outside Untrusted Network
> > > >  ip access-group INBOUND in
> > > >  ip access-group OUTBOUND out
> > > > !
> > > > ip access-list extended INBOUND
> > > >  evaluate REFLEXIVE
> > > >  deny   ip any any
> > > > !
> > > > ip access-list extended OUTBOUND
> > > >  permit tcp any any reflect REFLEXIVE
> > > >  permit udp any any reflect REFLEXIVE
> > > >  permit icmp any any reflect REFLEXIVE
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > >
> > > >
> > > >
> 
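The mechanism Brian describes (reflect on the way out, evaluate on the way in, implicit deny behind the evaluate) can be modelled outside a router. The block below is an added illustration written for this page; it is not IOS code and none of the posters wrote it. It simulates R2's outside interface from Brian's lab: `permit ... reflect test30` on the outbound list records a mirrored, time-limited entry, and `evaluate test30` on the inbound list consults it, with `permit ospf any any` as a stateless permit in front of it. Addresses are the lab's (R1 = 200.0.0.1 inside, R3 = 100.0.0.1 outside); the 300-second timeout, the telnet ports and the timestamps are assumed values, and TCP FIN/RST handling is not modelled. Case 2 from the thread (reflect on the inside interface's inbound list) uses the same state logic; only the interface the two lists are applied to changes.

```python
"""Model of reflexive-ACL mechanics (added illustration, not IOS code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp", "udp" or "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports (icmp, ospf)
    dport: int = 0


@dataclass
class ReflexiveList:
    """Temporary entries keyed by the mirrored 5-tuple, valued by expiry time."""
    timeout: int = 300                      # assumed; IOS default global timeout is 300 s
    entries: dict = field(default_factory=dict)

    def reflect(self, pkt: Packet, now: int) -> None:
        # The return packet carries swapped addresses and ports, so that is the
        # tuple stored ('permit icmp host <dst> host <src>' in 'show access-list').
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                    # no state: falls through to the implicit deny
        if now >= expiry:
            del self.entries[key]           # aged out ('time left' reached 0)
            return False
        self.entries[key] = now + self.timeout   # a matching packet resets the timer
        return True

    def show(self) -> list:
        """Rough equivalent of 'show access-list test30' for the model."""
        lines = []
        for proto, src, dst, sport, dport in self.entries:
            if sport or dport:
                lines.append(f"permit {proto} host {src} eq {sport} host {dst} eq {dport}")
            else:
                lines.append(f"permit {proto} host {src} host {dst}")
        return lines


class OutsideInterface:
    """R2's Serial0/1 with out30 applied outbound and in30 applied inbound."""

    def __init__(self, timeout: int = 300):
        self.test30 = ReflexiveList(timeout)
        self.reflected = {"icmp", "tcp", "udp"}   # out30: permit X any any reflect test30
        self.static_in = {"ospf"}                # in30: permit ospf any any (no state)

    def outbound(self, pkt: Packet, now: int) -> bool:
        if pkt.proto in self.reflected:
            self.test30.reflect(pkt, now)
            return True
        return False                            # implicit deny at the end of out30

    def inbound(self, pkt: Packet, now: int) -> bool:
        if pkt.proto in self.static_in:
            return True                         # OSPF never depends on reflexive state
        return self.test30.evaluate(pkt, now)   # evaluate test30, else implicit deny


def run_scenario() -> dict:
    """Replays the thread's pings plus a TCP case; returns each verdict."""
    fw = OutsideInterface(timeout=300)
    r1, r3 = "200.0.0.1", "100.0.0.1"
    results = {}
    # OSPF hello arriving from R3: permitted by the static entry, no state needed.
    results["ospf_in"] = fw.inbound(Packet("ospf", r3, "224.0.0.5"), now=0)
    # R3 pings R1 before anything has been reflected: the 'U.U.U' case.
    results["ping_r3_to_r1_first"] = fw.inbound(Packet("icmp", r3, r1), now=1)
    # R1 pings R3: the echo is reflected going out, the reply is evaluated coming in.
    sent = fw.outbound(Packet("icmp", r1, r3), now=2)
    reply = fw.inbound(Packet("icmp", r3, r1), now=3)
    results["ping_r1_to_r3"] = sent and reply
    results["table_after_ping"] = fw.test30.show()
    # TCP state is per port pair: a reply to a different inside port does not match.
    fw.outbound(Packet("tcp", r1, r3, 1025, 23), now=4)
    results["telnet_reply_same_port"] = fw.inbound(Packet("tcp", r3, r1, 23, 1025), now=5)
    results["telnet_reply_other_port"] = fw.inbound(Packet("tcp", r3, r1, 23, 1026), now=5)
    # 300 s after the last matching ICMP packet the entry is gone; R3 is blocked again.
    results["ping_r3_to_r1_after_timeout"] = fw.inbound(Packet("icmp", r3, r1), now=303)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The two things worth noticing when running it: the OSPF hello is accepted with an empty reflexive list, because the static `permit ospf` sits before the `evaluate` and is independent of state, and an outside host gets in only with an entry whose addresses (and, for TCP/UDP, ports) mirror traffic that already left, which is exactly what R2's `show access-list test30` line in Brian's lab shows.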
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:43 GMT-3