From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Jan 08 2004 - 13:55:19 GMT-3
The reflexive list will check the traffic in whichever direction you
reflect it. Typically this is outbound on the outside interface, but can be
inbound on the inside or dmz interface in certain cases.
Suppose the setup is as follows:
Inside_trusted_network-----E0--R1--S0-----Outside_untrusted_network
Traffic is only allowed to come in from the outside untrusted
network if it was originated from the inside. Therefore as traffic is going
out of the outside interface (S0), it is reflected. As traffic is coming
back in the outside interface, it is evaluated against the reflexive list.
interface Serial0
ip access-group inside out <-- traffic from the inside network going out
ip access-group outside in <-- traffic from the outside network coming in
ip access-list extended inside
permit tcp any any reflect outbound <-- check the traffic as it goes out
permit udp any any reflect outbound <-- check the traffic as it goes out
permit icmp any any echo
permit icmp any any echo-reply
!
ip access-list extended outside
permit ospf any any
permit icmp any any echo
permit icmp any any echo-reply
evaluate outbound <-- evaluate the reflexive list; if it came from the
inside and went out, allow it to come from the outside back in
Set it up and you'll see. If you're still having trouble I'll post
the code output. Remember that locally originated traffic is not reflected,
so any routing protocol or any other locally originated (telnet, ping,
trace, etc) traffic must be manually allowed back in.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
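A small simulation of the behaviour described in the reply above (reflect on the way out of the outside interface, evaluate on the way back in, locally originated traffic never reflected). This is an added illustration, not IOS code and not part of the original post; the interface/list names follow the configuration above, while the addresses, ports, flows and timeout handling are constructed assumptions.

```python
# Toy model of the reflexive ACL semantics discussed in the thread (constructed
# example, not IOS code). Addresses, ports and flows below are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""    # "echo" or "echo-reply" when proto == "icmp"
    local: bool = False    # True if the router itself originated the packet


@dataclass
class ReflexiveList:
    """Temporary entries created by 'reflect' and matched by 'evaluate'."""
    name: str
    timeout: int = 300      # IOS default reflexive timeout in seconds
    entries: dict = field(default_factory=dict)   # 5-tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # Store the mirror of the outbound flow, i.e. what the return packet
        # will look like. (IOS also tears TCP entries down on FIN/RST; that
        # detail is not modelled here.)
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        # Purge entries whose "time left" has run out, then look for an exact match.
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


def acl_inside_out(pkt: Packet, refl: ReflexiveList, now: int) -> bool:
    """'ip access-list extended inside', applied 'out' on the outside interface."""
    if pkt.local:
        # Locally originated traffic never hits an outbound ACL, so it is
        # neither filtered nor reflected; its replies need a static permit.
        return True
    if pkt.proto in ("tcp", "udp"):          # permit tcp/udp any any reflect outbound
        refl.reflect(pkt, now)
        return True
    if pkt.proto == "icmp" and pkt.icmp_type in ("echo", "echo-reply"):
        return True                          # permit icmp any any echo / echo-reply
    return False                             # implicit deny


def acl_outside_in(pkt: Packet, refl: ReflexiveList, now: int) -> bool:
    """'ip access-list extended outside', applied 'in' on the outside interface."""
    if pkt.proto == "ospf":                  # permit ospf any any (static, never reflected)
        return True
    if pkt.proto == "icmp" and pkt.icmp_type in ("echo", "echo-reply"):
        return True
    return refl.evaluate(pkt, now)           # evaluate outbound


def simulate() -> dict:
    """Replay a few constructed flows through both lists and record the verdicts."""
    refl = ReflexiveList("outbound")
    inside_host, outside_srv, router = "10.1.1.10", "198.51.100.5", "198.51.100.1"
    verdicts = {}
    # 1. Inside host opens HTTP to the outside: permitted and reflected.
    out = Packet("tcp", inside_host, outside_srv, 40000, 80)
    verdicts["http_out"] = acl_inside_out(out, refl, now=0)
    # 2. The reply comes back in: matches the reflected entry.
    back = Packet("tcp", outside_srv, inside_host, 80, 40000)
    verdicts["http_return"] = acl_outside_in(back, refl, now=10)
    # 3. Unsolicited SSH from the outside: no entry and no static permit, so denied.
    stranger = Packet("tcp", "198.51.100.9", inside_host, 12345, 22)
    verdicts["unsolicited"] = acl_outside_in(stranger, refl, now=10)
    # 4. Router-originated telnet: leaves fine but is never reflected, so the
    #    reply is dropped unless a static permit exists (none does here).
    telnet = Packet("tcp", router, outside_srv, 23001, 23, local=True)
    verdicts["telnet_out"] = acl_inside_out(telnet, refl, now=20)
    telnet_back = Packet("tcp", outside_srv, router, 23, 23001)
    verdicts["telnet_return"] = acl_outside_in(telnet_back, refl, now=21)
    # 5. OSPF from the outside neighbour: allowed by the static permit.
    verdicts["ospf_in"] = acl_outside_in(Packet("ospf", "198.51.100.2", "224.0.0.5"), refl, now=30)
    # 6. The same HTTP reply after the 300 s timeout: the entry has expired.
    verdicts["http_return_expired"] = acl_outside_in(back, refl, now=400)
    return verdicts


if __name__ == "__main__":
    for flow, allowed in simulate().items():
        print(f"{flow:22s} {'permit' if allowed else 'deny'}")
```

Running it shows why the direction matters: only flows that actually traversed the outbound list get a mirror entry, and the router's own telnet or OSPF sessions never do, which is exactly why the static `permit ospf any any` sits in the inbound list.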
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> wangstone373
> Sent: Thursday, January 08, 2004 12:15 AM
> To: Kaiser Anwar; Brian McGahan; ccielab@groupstudy.com
> Subject: Re: Reflexive Access list
>
> Hi,
> I think Brian's outside and inside are wrong.
> A reflexive ACL will check outbound traffic and will open a tunnel from the
> outside. So "evaluate" will be located in the in direction and "reflect" will
> apply in the out direction.
> ----- Original Message -----
> From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
> To: "Brian McGahan" <bmcgahan@internetworkexpert.com>;
> <ccielab@groupstudy.com>
> Sent: Thursday, January 08, 2004 7:30 AM
> Subject: Re: Reflexive Access list
>
>
> > This is how I have appl!
> > interface Serial0
> > ip address 165.10.100.1 255.255.255.240
> > ip access-group inside in
> > ip access-group outside out
> > ip pim nbma-mode
> > ip pim sparse-mode
> >
> >
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> <ccielab@groupstudy.com>
> > Sent: Wednesday, January 07, 2004 5:09 PM
> > Subject: RE: Reflexive Access list
> >
> >
> > > No it doesn't look like you have it configured correctly. How do
> > > you have these lists applied? If the access-list "inside" is applied
> > > outbound on the outside interface, the "permit ospf any any reflect
> > > outbound" will not accomplish anything. Locally generated traffic does
> > > not hit an outbound access-list.
> > >
> > > From what I assume you're trying to accomplish, your lists should
> > > read as follows:
> > >
> > > interface OUTSIDE
> > > ip access-group inside out
> > > ip access-group outside in
> > >
> > > ip access-list extended inside
> > > permit tcp any any reflect outbound
> > > permit udp any any reflect outbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > > !
> > > ip access-list extended outside
> > > permit ospf any any
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > > evaluate outbound
> > >
> > >
> > > HTH,
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > > > -----Original Message-----
> > > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > > To: Brian McGahan; ccielab@groupstudy.com
> > > > Subject: Re: Reflexive Access list
> > > >
> > > > Hi Brian,
> > > > I did read the thread; I am still a little confused. I did configure it
> > > > again and it seems to be working, but I wanted you to see if it is
> > > > correctly configured.
> > > >
> > > > Thanks
> > > >
> > > > ip access-list extended inside
> > > > evaluate outbound
> > > > permit tcp any any reflect outbound
> > > > permit udp any any reflect outbound
> > > > permit ospf any any reflect outbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > >
> > > > ip access-list extended outside
> > > > evaluate outbound
> > > > permit ospf any any reflect inbound
> > > > permit tcp any any reflect inbound
> > > > permit udp any any reflect inbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > >
> > > > R1#sh ip access-lists inbound
> > > > Reflexive IP access list inbound
> > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > > R1#sh ip access-lists outbound
> > > > Reflexive IP access list outbound
> > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> > <ccielab@groupstudy.com>
> > > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > > Subject: RE: Reflexive Access list
> > > >
> > > >
> > > > > Kaiser,
> > > > >
> > > > > Normally you don't want to reflect when the traffic comes back in.
> > > > > Check this post for more info:
> > > > >
> > > > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987
> > > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > Kaiser Anwar
> > > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > > To: ccielab@groupstudy.com
> > > > > > Subject: Reflexive Access list
> > > > > >
> > > > > > Hi,
> > > > > > I was testing a reflexive access list in the practice lab. It seems
> > > > > > to be working, but I wanted to be sure.
> > > > > > Here is the config. This is the understanding I have for this: any
> > > > > > traffic that goes out with the reflect keyword has to exist in the
> > > > > > outside access-list state table.
> > > > > > Thanks in advance for your help.
> > > > > >
> > > > > > ip access-list extended inside
> > > > > > permit ip any any reflect outbound
> > > > > >
> > > > > >
> > > > > > ip access-list extended outside
> > > > > > evaluate outbound
> > > > > > permit ospf any any reflect inbound
> > > > > > permit udp any any reflect inbound
> > > > > > permit tcp any any reflect inbound
> > > > > >
> > > > > >
> > > > > > Kaiser Anwar
> > > > > >
> > > > > >
> > > > > > _______________________________________________________________________
> > > > > > Please help support GroupStudy by purchasing your study materials from:
> > > > > > http://shop.groupstudy.com
> > > > > >
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3