From: wangstone373 (wangstone373@hotmail.com)
Date: Thu Jan 08 2004 - 03:14:37 GMT-3
Hi,
I think Brian's outside and inside are wrong.
Reflexive ACLs will check outbound traffic and will open a tunnel from outside. So "evaluate" will be located in the in direction and "reflect" will apply in the out direction.
----- Original Message -----
From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
To: "Brian McGahan" <bmcgahan@internetworkexpert.com>; <ccielab@groupstudy.com>
Sent: Thursday, January 08, 2004 7:30 AM
Subject: Re: Reflexive Access list
> This is how I have applied it!
> interface Serial0
> ip address 165.10.100.1 255.255.255.240
> ip access-group inside in
> ip access-group outside out
> ip pim nbma-mode
> ip pim sparse-mode
>
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> Sent: Wednesday, January 07, 2004 5:09 PM
> Subject: RE: Reflexive Access list
>
>
> > No it doesn't look like you have it configured correctly. How do
> > you have these lists applied? If the access-list "inside" is applied
> > outbound on the outside interface, the "permit ospf any any reflect
> > outbound" will not accomplish anything. Locally generated traffic does not
> > hit an outbound access-list.
> >
> > From what I assume you're trying to accomplish, your lists should
> > read as follows:
> >
> > interface OUTSIDE
> > ip access-group inside out
> > ip access-group outside in
> >
> > ip access-list extended inside
> > permit tcp any any reflect outbound
> > permit udp any any reflect outbound
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > !
> > ip access-list extended outside
> > permit ospf any any
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > evaluate outbound
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> >
> > > -----Original Message-----
> > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > To: Brian McGahan; ccielab@groupstudy.com
> > > Subject: Re: Reflexive Access list
> > >
> > > Hi Brian,
> > > I did read the thread; I am still a little confused. I did
> > > configure it again. It seems to be working, but I wanted you to see if it is
> > > correctly configured.
> > >
> > > Thanks
> > >
> > > ip access-list extended inside
> > > evaluate outbound
> > > permit tcp any any reflect outbound
> > > permit udp any any reflect outbound
> > > permit ospf any any reflect outbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > >
> > > ip access-list extended outside
> > > evaluate outbound
> > > permit ospf any any reflect inbound
> > > permit tcp any any reflect inbound
> > > permit udp any any reflect inbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > >
> > > R1#sh ip access-lists inbound
> > > Reflexive IP access list inbound
> > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > R1#sh ip access-lists outbound
> > > Reflexive IP access list outbound
> > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > >
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > Subject: RE: Reflexive Access list
> > >
> > >
> > > > Kaiser,
> > > >
> > > > Normally you don't want to reflect when the traffic comes back in.
> > > > Check this post for more info:
> > > >
> > > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > >
> > > >
> > > > HTH,
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kaiser Anwar
> > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Reflexive Access list
> > > > >
> > > > > Hi,
> > > > > I was testing a reflexive access list in the practice lab. It seems to be
> > > > > working, but I wanted to be sure.
> > > > > Here is the config. The understanding I have for this is that any
> > > > > traffic that goes out with the reflect keyword has to exist in the outside
> > > > > access-list state table.
> > > > > Thanks in advance for your help.
> > > > >
> > > > > ip access-list extended inside
> > > > > permit ip any any reflect outbound
> > > > >
> > > > >
> > > > > ip access-list extended outside
> > > > > evaluate outbound
> > > > > permit ospf any any reflect inbound
> > > > > permit udp any any reflect inbound
> > > > > permit tcp any any reflect inbound
> > > > >
> > > > >
> > > > > Kaiser Anwar
> > > > >
> > > > >
> > > _______________________________________________________________________
> > > > > Please help support GroupStudy by purchasing your study materials
> > > from:
> > > > > http://shop.groupstudy.com
> > > > >
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:37 GMT-3
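The thread turns on two points: the "reflect" keyword only creates state for traffic that actually passes through the outbound ACL (router-originated OSPF, PIM and RIP never do), and "evaluate" must sit in the list facing the untrusted side so that only mirrored return flows get in. The following is an added example, not router output or anything posted in the thread: a small Python model of those semantics using the list layout Brian recommends (the "inside" list applied out with "reflect outbound", the "outside" list applied in with "evaluate outbound"). Host addresses and ports are constructed sample values, the 300-second expiry mirrors the IOS default reflexive timeout, and the model ignores TCP FIN/RST teardown and ACE port matching, which are simplifications rather than IOS behaviour.

```python
"""Toy model of reflexive ACL behaviour (added example, not IOS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp" or "ospf"
    src: str
    sport: int
    dst: str
    dport: int
    locally_generated: bool = False  # True for packets the router itself originates


@dataclass
class Ace:
    """'permit <proto> any any [reflect NAME]' or 'evaluate NAME'."""
    kind: str                        # "permit" or "evaluate"
    proto: str = "any"
    reflect: Optional[str] = None    # reflexive list name used by reflect/evaluate


class ReflexiveTable:
    """Dynamic reflexive lists keyed by name; entries expire after `timeout` seconds."""

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.entries: dict = {}

    def reflect(self, name: str, pkt: Packet, now: int) -> None:
        # Mirror the flow: the permitted return packet is dst->src with ports swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries.setdefault(name, {})[key] = now + self.timeout

    def evaluate(self, name: str, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        table = self.entries.get(name, {})
        expires = table.get(key)
        if expires is None:
            return False
        if now >= expires:           # stale entry: age it out, no match
            del table[key]
            return False
        return True


class Interface:
    """An interface with one ACL applied 'in' and one applied 'out'."""

    def __init__(self, inbound_acl, outbound_acl, table: ReflexiveTable):
        self.inbound_acl, self.outbound_acl, self.table = inbound_acl, outbound_acl, table

    def _apply(self, acl, pkt: Packet, now: int) -> str:
        for ace in acl:
            if ace.kind == "evaluate":
                # 'evaluate' is a point in the list: on a miss, keep walking the ACL.
                if self.table.evaluate(ace.reflect, pkt, now):
                    return "permit"
                continue
            if ace.proto in ("any", pkt.proto):
                if ace.reflect:
                    self.table.reflect(ace.reflect, pkt, now)
                return "permit"
        return "deny"                # implicit deny at the end of every ACL

    def send(self, pkt: Packet, now: int) -> str:
        # Router-originated traffic bypasses the outbound ACL, so a 'reflect'
        # on OSPF hellos the router sends never creates any state.
        if pkt.locally_generated:
            return "permit"
        return self._apply(self.outbound_acl, pkt, now)

    def receive(self, pkt: Packet, now: int) -> str:
        return self._apply(self.inbound_acl, pkt, now)


def build_recommended_interface() -> Interface:
    inside = [Ace("permit", "tcp", reflect="outbound"),
              Ace("permit", "udp", reflect="outbound"),
              Ace("permit", "icmp")]
    outside = [Ace("permit", "ospf"), Ace("permit", "icmp"), Ace("evaluate", reflect="outbound")]
    return Interface(inbound_acl=outside, outbound_acl=inside, table=ReflexiveTable())


def run_scenario() -> dict:
    ifc = build_recommended_interface()
    out = Packet("tcp", "10.0.0.5", 40000, "203.0.113.9", 80)    # inside host opens a session
    back = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40000)   # the server's reply
    stray = Packet("tcp", "203.0.113.9", 80, "10.0.0.5", 40001)  # unsolicited, other port
    hello = Packet("ospf", "165.10.100.1", 0, "224.0.0.5", 0, locally_generated=True)
    r = {"session_out": ifc.send(out, now=0),
         "reply_in": ifc.receive(back, now=10),
         "stray_in": ifc.receive(stray, now=10),
         "entries_after_reply": len(ifc.table.entries.get("outbound", {})),
         "reply_after_timeout": ifc.receive(back, now=400),
         "entries_after_timeout": len(ifc.table.entries.get("outbound", {})),
         "local_ospf_out": ifc.send(hello, now=0),
         "neighbor_ospf_in": ifc.receive(Packet("ospf", "165.10.100.3", 0, "224.0.0.5", 0), now=0),
         "unsolicited_udp_in": ifc.receive(Packet("udp", "203.0.113.9", 53, "10.0.0.5", 5353), now=0)}
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Running it shows the session reply admitted only while its mirrored entry is alive, unsolicited TCP and UDP denied, the neighbor's OSPF admitted by the static "permit ospf" entry with no state involved, and the router's own hello never touching the outbound list at all.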