From: Dina Kamal (dina@synergyct.com)
Date: Thu Jan 08 2004 - 04:02:45 GMT-3
Hi,
As far as I know, how you apply the reflexive ACL depends on the
interface, whether it is the internal or the external interface.
In this case, I guess it is on the external interface, so the "reflect"
should be in the outbound direction and the "evaluate" in the inbound
direction, and vice versa if you configure the reflexive ACL on the
internal interface.
----- Original Message -----
From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
To: "Brian McGahan" <bmcgahan@internetworkexpert.com>;
<ccielab@groupstudy.com>
Sent: Thursday, January 08, 2004 7:30 AM
Subject: Re: Reflexive Access list
> This is how I have appl!
> interface Serial0
> ip address 165.10.100.1 255.255.255.240
> ip access-group inside in
> ip access-group outside out
> ip pim nbma-mode
> ip pim sparse-mode
>
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
<ccielab@groupstudy.com>
> Sent: Wednesday, January 07, 2004 5:09 PM
> Subject: RE: Reflexive Access list
>
>
> > No it doesn't look like you have it configured correctly. How do
> > you have these lists applied? If the access-list "inside" is applied
> > outbound on the outside interface, the "permit ospf any any reflect
> > outbound" will not accomplish anything. Locally generated traffic does
> > not hit an outbound access-list.
> >
> > From what I assume you're trying to accomplish, your lists should
> > read as follows:
> >
> > interface OUTSIDE
> > ip access-group inside out
> > ip access-group outside in
> >
> > ip access-list extended inside
> > permit tcp any any reflect outbound
> > permit udp any any reflect outbound
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > !
> > ip access-list extended outside
> > permit ospf any any
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > evaluate outbound
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> >
> > > -----Original Message-----
> > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > To: Brian McGahan; ccielab@groupstudy.com
> > > Subject: Re: Reflexive Access list
> > >
> > > HI Brian,
> > > I did read the thread; I am still a little confused. I did
> > > configure it again. It seems to be working, but I wanted you to see
> > > if it is correctly configured.
> > >
> > > Thanks
> > >
> > > ip access-list extended inside
> > > evaluate outbound
> > > permit tcp any any reflect outbound
> > > permit udp any any reflect outbound
> > > permit ospf any any reflect outbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > >
> > > ip access-list extended outside
> > > evaluate outbound
> > > permit ospf any any reflect inbound
> > > permit tcp any any reflect inbound
> > > permit udp any any reflect inbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > >
> > > R1#sh ip access-lists inbound
> > > Reflexive IP access list inbound
> > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > R1#sh ip access-lists outbound
> > > Reflexive IP access list outbound
> > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > >
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> <ccielab@groupstudy.com>
> > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > Subject: RE: Reflexive Access list
> > >
> > >
> > > > Kaiser,
> > > >
> > > > Normally you don't want to reflect when the traffic comes back in.
> > > > Check this post for more info:
> > > >
> > > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > >
> > > >
> > > > HTH,
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > Kaiser Anwar
> > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Reflexive Access list
> > > > >
> > > > > HI,
> > > > > I was testing a reflexive access list in the practice lab. It seems
> > > > > to be working, but I wanted to be sure.
> > > > > Here is the config. This is the understanding I have for this: any
> > > > > traffic that goes out with the reflect keyword has to exist in the
> > > > > outside access-list state table.
> > > > > Thanks in advance for your help.
> > > > >
> > > > > ip access-list extended inside
> > > > > permit ip any any reflect outbound
> > > > >
> > > > >
> > > > > ip access-list extended outside
> > > > > evaluate outbound
> > > > > permit ospf any any reflect inbound
> > > > > permit udp any any reflect inbound
> > > > > permit tcp any any reflect inbound
> > > > >
> > > > >
> > > > > Kaiser Anwar
> > > > >
> > > > >
> > >
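The reflect/evaluate mechanics Brian describes above (a mirrored temporary entry created by a matching `reflect` line, a nested `evaluate` lookup from the other list, and router-originated OSPF never touching an outbound access-group), worked through as an added Python model. It is not part of the thread and not IOS code; the rule sets follow Brian's suggested inside/outside lists, and the addresses, ports and idle timeout it uses are constructed.

```python
"""Toy model of Cisco IOS reflexive ACL behaviour (reflect / evaluate).

Added for this thread; not IOS code or Cisco's implementation.  It models only
what the thread describes: a matching 'permit ... reflect NAME' adds a mirrored
temporary entry to list NAME, 'evaluate NAME' looks those entries up from
another list, router-originated packets skip an outbound ACL, and entries age
out after an idle timeout (300 s, the IOS default).  ICMP type matching and
TCP FIN/RST tear-down are left out; all addresses, ports and times are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    local: bool = False   # True when the router itself generated the packet

class ReflexiveState:
    """Temporary entries per reflexive list name, each with an expiry time."""
    def __init__(self, timeout: float = 300.0) -> None:
        self.timeout = timeout
        self.entries: Dict[str, Dict[tuple, float]] = {}

    def reflect(self, name: str, pkt: Packet, now: float) -> None:
        # Store the reply half of the flow: dst -> src, dport -> sport.
        mirrored = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries.setdefault(name, {})[mirrored] = now + self.timeout

    def evaluate(self, name: str, pkt: Packet, now: float) -> bool:
        table = self.entries.get(name, {})
        for k in [k for k, exp in table.items() if exp <= now]:
            del table[k]                                   # idle entries age out
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in table:
            table[key] = now + self.timeout                # traffic refreshes the timer
            return True
        return False

@dataclass(frozen=True)
class Rule:
    action: str                     # 'permit', 'deny' or 'evaluate'
    proto: str = "ip"               # 'ip' matches any protocol
    reflect: Optional[str] = None   # 'reflect NAME' on a permit line
    evaluate: Optional[str] = None  # list name for an 'evaluate' line

def check(acl: List[Rule], pkt: Packet, state: ReflexiveState,
          now: float, direction: str) -> bool:
    """First-match lookup with the implicit deny at the end of the list."""
    if direction == "out" and pkt.local:
        return True   # locally generated traffic does not hit an outbound ACL
    for r in acl:
        if r.action == "evaluate":
            if state.evaluate(r.evaluate, pkt, now):
                return True
            continue
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.action == "permit" and r.reflect:
            state.reflect(r.reflect, pkt, now)
        return r.action == "permit"
    return False

# Brian's suggested lists on the OUTSIDE interface
# (ip access-group inside out / ip access-group outside in).
INSIDE = [Rule("permit", "tcp", reflect="outbound"),
          Rule("permit", "udp", reflect="outbound"),
          Rule("permit", "icmp")]
OUTSIDE = [Rule("permit", "ospf"),
           Rule("permit", "icmp"),
           Rule("evaluate", evaluate="outbound")]

def demo() -> Dict[str, bool]:
    state, r = ReflexiveState(), {}
    # An inside host opens a TCP session to an outside server (made-up addresses).
    syn = Packet("tcp", "10.1.1.5", "165.10.100.3", 40001, 80)
    r["syn_out"] = check(INSIDE, syn, state, now=0, direction="out")
    # The reply gets in only through the mirrored entry ...
    synack = Packet("tcp", "165.10.100.3", "10.1.1.5", 80, 40001)
    r["reply_in"] = check(OUTSIDE, synack, state, now=1, direction="in")
    # ... while an unsolicited SYN to another port on that host is denied.
    probe = Packet("tcp", "165.10.100.3", "10.1.1.5", 80, 40002)
    r["probe_in"] = check(OUTSIDE, probe, state, now=1, direction="in")
    # Kaiser's 'permit ospf any any reflect outbound': the router's own hello
    # never consults the outbound list, so no OSPF entry is ever reflected ...
    hello_out = Packet("ospf", "165.10.100.1", "224.0.0.5", local=True)
    r["ospf_out"] = check([Rule("permit", "ospf", reflect="outbound")],
                          hello_out, state, now=2, direction="out")
    r["ospf_reflected"] = any(k[0] == "ospf" for k in state.entries["outbound"])
    # ... so the neighbour's hello relies on the static 'permit ospf any any'.
    hello_in = Packet("ospf", "165.10.100.3", "224.0.0.5")
    r["ospf_in_by_evaluate"] = state.evaluate("outbound", hello_in, now=2)
    r["ospf_in"] = check(OUTSIDE, hello_in, state, now=2, direction="in")
    # After the idle timeout the TCP entry is gone and a late reply is dropped.
    r["reply_after_timeout"] = check(OUTSIDE, synack, state, now=400, direction="in")
    return r
```

`demo()` returns a dict of permit/deny outcomes: the outbound TCP SYN and its reply are permitted, the unsolicited inbound SYN and a reply arriving after the idle timeout are denied, and no OSPF entry ever appears in the `outbound` reflexive list, which is why the inbound list needs its own static `permit ospf any any` rather than a reflected entry.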
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3