Re: Reflexive Access list

From: Kaiser Anwar (kaiseranwar@sbcglobal.net)
Date: Wed Jan 07 2004 - 20:30:27 GMT-3


This is how I have applied it:
interface Serial0
 ip address 165.10.100.1 255.255.255.240
 ip access-group inside in
 ip access-group outside out
 ip pim nbma-mode
 ip pim sparse-mode

----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
Sent: Wednesday, January 07, 2004 5:09 PM
Subject: RE: Reflexive Access list

> No it doesn't look like you have it configured correctly. How do
> you have these lists applied? If the access-list "inside" is applied
> outbound on the outside interface, the "permit ospf any any reflect
> outbound" will not accomplish anything. Locally generated traffic does not
> hit an outbound access-list.
>
> From what I assume you're trying to accomplish, your lists should
> read as follows:
>
> interface OUTSIDE
> ip access-group inside out
> ip access-group outside in
>
> ip access-list extended inside
> permit tcp any any reflect outbound
> permit udp any any reflect outbound
> permit icmp any any echo
> permit icmp any any echo-reply
> !
> ip access-list extended outside
> permit ospf any any
> permit icmp any any echo
> permit icmp any any echo-reply
> evaluate outbound
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > Sent: Wednesday, January 07, 2004 5:02 PM
> > To: Brian McGahan; ccielab@groupstudy.com
> > Subject: Re: Reflexive Access list
> >
> > HI Brian,
> > I did read the thread; I am still a little confused. I did configure it
> > again and it seems to be working, but I wanted you to see if it is
> > correctly configured.
> >
> > Thanks
> >
> > ip access-list extended inside
> > evaluate outbound
> > permit tcp any any reflect outbound
> > permit udp any any reflect outbound
> > permit ospf any any reflect outbound
> > permit icmp any any echo
> > permit icmp any any echo-reply
> >
> > ip access-list extended outside
> > evaluate outbound
> > permit ospf any any reflect inbound
> > permit tcp any any reflect inbound
> > permit udp any any reflect inbound
> > permit icmp any any echo
> > permit icmp any any echo-reply
> >
> > R1#sh ip access-lists inbound
> > Reflexive IP access list inbound
> > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq
> > pim-auto-rp (2 matches) (time left 75)
> > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq
> > pim-auto-rp (14 matches) (time left 281)
> > R1#sh ip access-lists outbound
> > Reflexive IP access list outbound
> > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq
> > pim-auto-rp (7 matches) (time left 243)
> > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches)
> > (time left 280)
> > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches)
> > (time left 277)
> > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq
> > pim-auto-rp (27 matches) (time left 270)
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> > Sent: Wednesday, January 07, 2004 11:26 AM
> > Subject: RE: Reflexive Access list
> >
> >
> > > Kaiser,
> > >
> > > Normally you don't want to reflect when the traffic comes back in.
> > > Check this post for more info:
> > >
> > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > >
> > >
> > > HTH,
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Kaiser Anwar
> > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > To: ccielab@groupstudy.com
> > > > Subject: Reflexive Access list
> > > >
> > > > HI,
> > > > I was testing a reflexive access list in the practice lab. It seems to be
> > > > working, but I wanted to be sure.
> > > > Here is the config. The understanding I have for this is that any
> > > > traffic that goes out with the reflect keyword has to exist in the
> > > > outside access-list state table.
> > > > Thanks in advance for your help.
> > > >
> > > > ip access-list extended inside
> > > > permit ip any any reflect outbound
> > > >
> > > >
> > > > ip access-list extended outside
> > > > evaluate outbound
> > > > permit ospf any any reflect inbound
> > > > permit udp any any reflect inbound
> > > > permit tcp any any reflect inbound
> > > >
> > > >
> > > > Kaiser Anwar
> > > >
> > > >
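The mechanics Brian's corrected lists rely on (the `reflect` keyword on the list applied outbound building a temporary mirrored entry, and `evaluate` on the list applied inbound checking return traffic against it) can be walked through in a small simulation. The Python below is an added example written for this archive page; it is not IOS code and was not posted in the thread. The host addresses, ports and the 300-second timeout are constructed sample values, and the lists are reduced to 5-tuple matching, so it models the direction and state logic the thread argues about, not every detail of the router.

```python
"""Toy model of the IOS reflexive access-list mechanics discussed in the thread.

Added example, not code from the thread or from Cisco. Two pieces are modelled:
  * a `permit ... reflect NAME` entry on the OUTBOUND list creates a temporary,
    mirrored entry in reflexive list NAME when a packet matches it;
  * an `evaluate NAME` entry on the INBOUND list permits a packet only when it
    matches one of those mirrored entries (source and destination swapped).
Hosts, ports and the timeout are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp" or "ospf"
    src: str
    sport: int   # 0 for protocols without ports
    dst: str
    dport: int


class ReflexiveAcl:
    """The dynamic list that `sh ip access-lists outbound` displays."""

    def __init__(self, name, timeout=300):
        self.name = name
        self.timeout = timeout          # seconds, like the "(time left N)" counter
        self.entries = {}               # mirrored 5-tuple -> expiry time

    def add_from(self, pkt, now):
        # Mirror the packet: the reply will travel from pkt.dst back to pkt.src.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def matches(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= now:               # entry aged out, drop it
            del self.entries[key]
            return False
        return True


def outbound_list(pkt, refl, now):
    """Brian's "inside" list, applied OUT on the outside interface:
    permit tcp/udp any any reflect outbound; permit icmp echo / echo-reply.
    Router-originated traffic (e.g. its own OSPF) never reaches this list."""
    if pkt.proto in ("tcp", "udp"):
        refl.add_from(pkt, now)
        return True
    return pkt.proto == "icmp"


def inbound_list(pkt, refl, now):
    """Brian's "outside" list, applied IN on the outside interface:
    permit ospf any any; permit icmp echo / echo-reply; evaluate outbound."""
    if pkt.proto in ("ospf", "icmp"):
        return True
    return refl.matches(pkt, now)


def misconfigured_inbound_list(pkt, refl_out, refl_in, now):
    """Kaiser's first "outside" list: evaluate outbound, then
    `permit tcp/udp/ospf any any reflect inbound`. Any unsolicited inbound
    TCP or UDP packet is permitted and even creates state of its own."""
    if refl_out.matches(pkt, now):
        return True
    if pkt.proto in ("tcp", "udp", "ospf"):
        refl_in.add_from(pkt, now)
        return True
    return False


def run_scenario():
    """Walk a TCP session through the corrected lists and return the verdicts."""
    refl = ReflexiveAcl("outbound")
    inside = "165.10.100.3"            # address taken from the thread's show output
    out = Packet("tcp", inside, 4000, "10.0.0.5", 80)    # constructed session
    reply = Packet("tcp", "10.0.0.5", 80, inside, 4000)
    unsolicited = Packet("tcp", "10.0.0.9", 5555, inside, 23)
    return {
        "outbound_tcp": outbound_list(out, refl, now=0),
        "reply_in_time": inbound_list(reply, refl, now=10),
        "unsolicited_tcp": inbound_list(unsolicited, refl, now=10),
        "ospf_in": inbound_list(Packet("ospf", "165.10.100.1", 0, "224.0.0.5", 0), refl, now=10),
        "reply_after_timeout": inbound_list(reply, refl, now=400),
        "unsolicited_via_misconfig": misconfigured_inbound_list(
            unsolicited, refl, ReflexiveAcl("inbound"), now=10),
    }


if __name__ == "__main__":
    for check, verdict in run_scenario().items():
        print(f"{check:28s} {'permit' if verdict else 'deny'}")
```

Running it shows the outbound session permitted and mirrored, the reply permitted while the entry is fresh, the unsolicited telnet attempt denied, OSPF admitted by its static entry, and the reply denied once the entry has timed out; the last check shows why reflecting on the inbound side defeats the purpose, since the same unsolicited packet is permitted there and creates state.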



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:37 GMT-3