From: Kaiser Anwar (kaiseranwar@sbcglobal.net)
Date: Thu Jan 08 2004 - 11:43:52 GMT-3
Hi,
I am back again with the same question.
I am trying to apply this on an Ethernet interface which is running RIP, and
this is what I want: allow traffic inbound to the network. This would be the
inside access-list with the evaluate command, and the outside access-list
will have the reflect statement. Now this is what I think I should have. I am
allowing UDP to go out with the reflect statement, but it does not work. But
if I do it the other way around it works, which is the wrong way.
ip access-list extended inside
evaluate inbound
ip access-list extended outside
permit tcp any any reflect inbound
permit udp any any reflect inbound
permit icmp any any echo
permit icmp any any echo-reply
interface Ethernet0
ip access-group inside in
ip access-group outside out
Thanks everyone for your help.
Kaiser A
From: "Dina Kamal" <dina@synergyct.com>
To: "'Brian McGahan'" <bmcgahan@internetworkexpert.com>; <ccielab@groupstudy.com>
Sent: Thursday, January 08, 2004 1:02 AM
Subject: RE: Reflexive Access list
> Hi,
> As far as I know, how you apply the reflexive ACL depends on whether the
> interface is the internal or the external interface.
> In this case I guess it is on the external interface, so the "reflect"
> should be in the outbound direction and the "evaluate" in the inbound
> direction, and vice versa if you configure the reflexive ACL on the
> internal interface.
>
> ----- Original Message -----
> From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
> To: "Brian McGahan" <bmcgahan@internetworkexpert.com>; <ccielab@groupstudy.com>
> Sent: Thursday, January 08, 2004 7:30 AM
> Subject: Re: Reflexive Access list
>
>
> > This is how I have applied it:
> > interface Serial0
> > ip address 165.10.100.1 255.255.255.240
> > ip access-group inside in
> > ip access-group outside out
> > ip pim nbma-mode
> > ip pim sparse-mode
> >
> >
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> > Sent: Wednesday, January 07, 2004 5:09 PM
> > Subject: RE: Reflexive Access list
> >
> >
> > > No, it doesn't look like you have it configured correctly. How do
> > > you have these lists applied? If the access-list "inside" is applied
> > > outbound on the outside interface, the "permit ospf any any reflect
> > > outbound" will not accomplish anything. Locally generated traffic does not
> > > hit an outbound access-list.
> > >
> > > From what I assume you're trying to accomplish, your lists should
> > > read as follows:
> > >
> > > interface OUTSIDE
> > > ip access-group inside out
> > > ip access-group outside in
> > >
> > > ip access-list extended inside
> > > permit tcp any any reflect outbound
> > > permit udp any any reflect outbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > > !
> > > ip access-list extended outside
> > > permit ospf any any
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > > evaluate outbound
> > >
> > >
> > > HTH,
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > > > -----Original Message-----
> > > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > > To: Brian McGahan; ccielab@groupstudy.com
> > > > Subject: Re: Reflexive Access list
> > > >
> > > > HI Brian,
> > > > I did read the thread. I am still a little confused. I did
> > > > configure it again; it seems to be working, but I wanted you to see if
> > > > it is correctly configured.
> > > >
> > > > Thanks
> > > >
> > > > ip access-list extended inside
> > > > evaluate outbound
> > > > permit tcp any any reflect outbound
> > > > permit udp any any reflect outbound
> > > > permit ospf any any reflect outbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > >
> > > > ip access-list extended outside
> > > > evaluate outbound
> > > > permit ospf any any reflect inbound
> > > > permit tcp any any reflect inbound
> > > > permit udp any any reflect inbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > >
> > > > R1#sh ip access-lists inbound
> > > > Reflexive IP access list inbound
> > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > > R1#sh ip access-lists outbound
> > > > Reflexive IP access list outbound
> > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> > > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > > Subject: RE: Reflexive Access list
> > > >
> > > >
> > > > > Kaiser,
> > > > >
> > > > > Normally you don't want to reflect when the traffic comes back in.
> > > > > Check this post for more info:
> > > > >
> > > > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987
> > > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > Kaiser Anwar
> > > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > > To: ccielab@groupstudy.com
> > > > > > Subject: Reflexive Access list
> > > > > >
> > > > > > HI,
> > > > > > I was testing a reflexive access list in the practice lab. It seems
> > > > > > to be working, but I wanted to be sure.
> > > > > > Here is the config. This is the understanding I have for this: any
> > > > > > traffic that goes out with the reflect keyword has to exist in the
> > > > > > outside access-list state table.
> > > > > > Thanks in advance for your help.
> > > > > > Thanks in advance for your help.
> > > > > >
> > > > > > ip access-list extended inside
> > > > > > permit ip any any reflect outbound
> > > > > >
> > > > > >
> > > > > > ip access-list extended outside
> > > > > > evaluate outbound
> > > > > > permit ospf any any reflect inbound
> > > > > > permit udp any any reflect inbound
> > > > > > permit tcp any any reflect inbound
> > > > > >
> > > > > >
> > > > > > Kaiser Anwar
> > > > > >
> > > > > >
> > > > > > _______________________________________________________________________
> > > > > > Please help support GroupStudy by purchasing your study materials from:
> > > > > > http://shop.groupstudy.com
> > > > > >
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
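Brian's point in the quoted replies, that "reflect" belongs on the list the session leaves through and "evaluate" on the list the replies come back through, can be checked with a small simulation of the state table. The following Python is an added example written for this page; it is not code from the thread, from Cisco IOS or from GroupStudy, and the hosts, ports, list contents and the 300-second idle timeout are assumed for the demonstration. It shows that with reflect outbound and evaluate inbound an unsolicited SYN from outside is denied and a reply after the idle timeout is denied, whereas a "permit tcp any any reflect inbound" line on the inbound list permits the unsolicited SYN by itself, so the reverse entry it creates protects nothing.

```python
# Toy model of how an IOS reflexive access list pairs "reflect" with "evaluate".
# Added illustration for this page, not code from the thread or from Cisco IOS;
# addresses, ports, ACL contents and the 300 s idle timeout are assumed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "ospf", ...
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self):
        """The temporary entry the router builds: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveList:
    """One named reflexive list: temporary entries with an idle-timeout expiry."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}   # mirrored Packet -> expiry time

    def add(self, pkt, now):
        self.entries[pkt.mirrored()] = now + self.timeout

    def matches(self, pkt, now):
        # Expire stale entries first, then require an exact 5-tuple match.
        self.entries = {p: t for p, t in self.entries.items() if t > now}
        if pkt in self.entries:
            self.entries[pkt] = now + self.timeout   # a hit refreshes the timer
            return True
        return False


def check(acl, pkt, reflex, now):
    """Walk an extended ACL top to bottom with the implicit deny at the end.

    Entries are dicts in the ACL's own order, for example
      {"permit": "tcp", "reflect": "outbound"}   permit tcp any any reflect outbound
      {"permit": "icmp"}                         permit icmp any any
      {"evaluate": "outbound"}                   evaluate outbound
    "ip" matches every protocol, as in IOS.
    """
    for entry in acl:
        if "evaluate" in entry:
            if reflex[entry["evaluate"]].matches(pkt, now):
                return True
            continue                      # no state entry: keep walking the list
        if entry["permit"] in ("ip", pkt.proto):
            if "reflect" in entry:        # permitted AND creates a reverse entry
                reflex[entry["reflect"]].add(pkt, now)
            return True
    return False


def run(in_acl, out_acl, traffic, timeout=300):
    """Apply in_acl/out_acl on the outside interface to timestamped traffic.

    traffic: list of (time, "in" | "out", Packet). Returns one bool per packet.
    """
    reflex = defaultdict(lambda: ReflexiveList(timeout))
    return [check(out_acl if d == "out" else in_acl, pkt, reflex, t)
            for t, d, pkt in traffic]


# Assumed hosts (RFC 5737 documentation ranges) and constructed traffic.
INSIDE, WEB, STRANGER = "192.0.2.10", "203.0.113.5", "203.0.113.9"
TRAFFIC = [
    (0,   "out", Packet("tcp", INSIDE, 40000, WEB, 80)),       # inside host opens a session
    (1,   "in",  Packet("tcp", WEB, 80, INSIDE, 40000)),       # the reply to it
    (2,   "in",  Packet("tcp", STRANGER, 4444, INSIDE, 22)),   # unsolicited SYN from outside
    (400, "in",  Packet("tcp", WEB, 80, INSIDE, 40000)),       # reply after the idle timeout
]

# Layout from the replies: reflect on the outbound list, evaluate on the inbound list.
OUT_REFLECT = [{"permit": "tcp", "reflect": "outbound"},
               {"permit": "udp", "reflect": "outbound"},
               {"permit": "icmp"}]
IN_EVALUATE = [{"permit": "ospf"}, {"permit": "icmp"}, {"evaluate": "outbound"}]

# Layout from the first post: "permit ... reflect inbound" on the inbound list as well.
IN_REFLECT_TOO = [{"evaluate": "outbound"},
                  {"permit": "ospf", "reflect": "inbound"},
                  {"permit": "tcp", "reflect": "inbound"},
                  {"permit": "udp", "reflect": "inbound"}]
OUT_PERMIT_IP = [{"permit": "ip", "reflect": "outbound"}]


def reflect_out_evaluate_in():
    return run(IN_EVALUATE, OUT_REFLECT, TRAFFIC)       # [True, True, False, False]


def reflect_on_the_way_back_in():
    return run(IN_REFLECT_TOO, OUT_PERMIT_IP, TRAFFIC)  # [True, True, True, True]


if __name__ == "__main__":
    print("reflect out / evaluate in :", reflect_out_evaluate_in())
    print("reflect on inbound as well:", reflect_on_the_way_back_in())
```

The third packet is the one that matters: in the first layout nothing on the inbound list matches an outside-initiated SYN, so it hits the implicit deny, and the fourth packet is denied because the entry created at time 0 has idled out. In the second layout the inbound "permit tcp any any" line matches both packets before any state is consulted, which is why the "evaluate" line and the "reflect inbound" entries on that list change nothing about what gets in.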
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3