RE: Reflexive Access list

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Jan 07 2004 - 20:09:56 GMT-3


        No, it doesn't look like you have it configured correctly. How do
you have these lists applied? If the access-list "inside" is applied
outbound on the outside interface, the "permit ospf any any reflect
outbound" will not accomplish anything. Locally generated traffic does not
hit an outbound access-list.

        From what I assume you're trying to accomplish, your lists should
read as follows:

interface OUTSIDE
 ip access-group inside out
 ip access-group outside in
  
 ip access-list extended inside
  permit tcp any any reflect outbound
  permit udp any any reflect outbound
  permit icmp any any echo
  permit icmp any any echo-reply
 !
 ip access-list extended outside
  permit ospf any any
  permit icmp any any echo
  permit icmp any any echo-reply
  evaluate outbound

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
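As an added illustration (not part of this thread and not Brian's or Cisco's code), a small Python model of how a reflexive ACL builds its state table: "reflect" on a permitted outbound flow records the mirrored flow, "evaluate" on the inbound list matches returning traffic against it, and router-originated packets skip the outbound list, so a "reflect" entry there never records the router's own OSPF. The class names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    local: bool = False  # True for packets the router itself originates

@dataclass
class Router:
    acls: dict         # list name -> entries in IOS syntax
    inside_out: str    # list applied "out" on the OUTSIDE interface
    outside_in: str    # list applied "in" on the OUTSIDE interface
    state: dict = field(default_factory=dict)  # reflexive list -> mirrored tuples
    def _check(self, acl, p):
        for entry in self.acls[acl]:
            w = entry.split()
            if w[0] == "evaluate":  # returning traffic is matched against state
                if (p.proto, p.src, p.sport, p.dst, p.dport) in self.state.get(w[1], ()):
                    return True
                continue
            if w[1] != p.proto:
                continue
            if "reflect" in w:  # permitted flow is mirrored into the named list
                self.state.setdefault(w[-1], set()).add((p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        return False  # implicit deny at the end of every IOS ACL
    def outbound(self, p):  # router-originated packets bypass the outbound ACL,
        return True if p.local else self._check(self.inside_out, p)  # so never reflect
    def inbound(self, p):
        return self._check(self.outside_in, p)

# Brian's corrected lists as applied on interface OUTSIDE
BRIAN = Router(
    acls={"inside": ["permit tcp any any reflect outbound", "permit udp any any reflect outbound",
                     "permit icmp any any echo", "permit icmp any any echo-reply"],
          "outside": ["permit ospf any any", "permit icmp any any echo",
                      "permit icmp any any echo-reply", "evaluate outbound"]},
    inside_out="inside", outside_in="outside")
def demo(r):
    # Constructed sample flows; the addresses are placeholders, not from the thread.
    r.outbound(Pkt("tcp", "10.1.1.5", "192.0.2.10", 40000, 80))  # inside host opens HTTP
    reply = r.inbound(Pkt("tcp", "192.0.2.10", "10.1.1.5", 80, 40000))
    unsolicited = r.inbound(Pkt("tcp", "192.0.2.99", "10.1.1.5", 5555, 23))
    r.outbound(Pkt("ospf", "10.0.0.3", "224.0.0.5", local=True))  # router's own hello
    hello_in = r.inbound(Pkt("ospf", "10.0.0.1", "224.0.0.5"))  # neighbour's hello
    return reply, unsolicited, hello_in, {k: len(v) for k, v in r.state.items()}
```

Running demo(BRIAN) permits the HTTP reply and the neighbour's OSPF hello, denies the unsolicited inbound TCP, and leaves a single TCP entry in the "outbound" reflexive list.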

> -----Original Message-----
> From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> Sent: Wednesday, January 07, 2004 5:02 PM
> To: Brian McGahan; ccielab@groupstudy.com
> Subject: Re: Reflexive Access list
>
> HI Brian,
> I did read the thread; I am still a little confused. I configured it
> again and it seems to be working, but I wanted you to see if it is
> correctly configured.
>
> Thanks
>
> ip access-list extended inside
> evaluate outbound
> permit tcp any any reflect outbound
> permit udp any any reflect outbound
> permit ospf any any reflect outbound
> permit icmp any any echo
> permit icmp any any echo-reply
>
> ip access-list extended outside
> evaluate outbound
> permit ospf any any reflect inbound
> permit tcp any any reflect inbound
> permit udp any any reflect inbound
> permit icmp any any echo
> permit icmp any any echo-reply
>
> R1#sh ip access-lists inbound
> Reflexive IP access list inbound
> permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq
> pim-auto-rp (2 matches) (time left 75)
> permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq
> pim-auto-rp (14 matches) (time left 281)
> R1#sh ip access-lists outbound
> Reflexive IP access list outbound
> permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq
> pim-auto-rp (7 matches) (time left 243)
> permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches)
> (time left 280)
> permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches)
> (time left 277)
> permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq
> pim-auto-rp (27 matches) (time left 270))
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> Sent: Wednesday, January 07, 2004 11:26 AM
> Subject: RE: Reflexive Access list
>
>
> > Kaiser,
> >
> > Normally you don't want to reflect when the traffic comes back in.
> > Check this post for more info:
> >
> > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Kaiser Anwar
> > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > To: ccielab@groupstudy.com
> > > Subject: Reflexive Access list
> > >
> > > HI,
> > > I was testing a reflexive access list in the practice lab. It seems to be
> > > working, but I wanted to be sure.
> > > Here is the config. This is the understanding I have for this: any
> > > traffic that goes out with the reflect keyword has to exist in the
> > > outside access-list state table.
> > > Thanks in advance for your help.
> > >
> > > ip access-list extended inside
> > > permit ip any any reflect outbound
> > >
> > >
> > > ip access-list extended outside
> > > evaluate outbound
> > > permit ospf any any reflect inbound
> > > permit udp any any reflect inbound
> > > permit tcp any any reflect inbound
> > >
> > >
> > > Kaiser Anwar
> > >
> > >
> > > _______________________________________________________________________
> > > Please help support GroupStudy by purchasing your study materials from:
> > > http://shop.groupstudy.com
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:37 GMT-3