From: Kaiser Anwar (kaiseranwar@sbcglobal.net)
Date: Thu Jan 08 2004 - 14:03:16 GMT-3
Thanks, I will try this.
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "'wangstone373'" <wangstone373@hotmail.com>; "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
Sent: Thursday, January 08, 2004 10:55 AM
Subject: RE: Reflexive Access list
> The reflexive list will check the traffic in whichever direction you
> reflect it. Typically this is outbound on the outside interface, but can
> be inbound on the inside or dmz interface in certain cases.
>
> Suppose the setup is as follows:
>
> Inside_trusted_network-----E0--R1--S0-----Outside_untrusted_network
>
> Traffic is only allowed to come in from the outside untrusted
> network if it was originated from the inside. Therefore as traffic is
> going out of the outside interface (S0), it is reflected. As traffic is
> coming back in the outside interface, it is evaluated against the
> reflexive list.
>
> interface Serial0
> ip access-group inside out <-- traffic from the inside network going out
> ip access-group outside in <-- traffic from the outside network coming in
>
> ip access-list extended inside
> permit tcp any any reflect outbound <-- check the traffic as it goes out
> permit udp any any reflect outbound <-- check the traffic as it goes out
> permit icmp any any echo
> permit icmp any any echo-reply
> !
> ip access-list extended outside
> permit ospf any any
> permit icmp any any echo
> permit icmp any any echo-reply
> evaluate outbound <-- evaluate the reflexive list; if it came from the
> inside and went out, allow it to come from the outside back in
>
>
> Set it up and you'll see. If you're still having trouble I'll post
> the code output. Remember that locally originated traffic is not
> reflected, so any routing protocol or any other locally originated
> (telnet, ping, trace, etc.) traffic must be manually allowed back in.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > wangstone373
> > Sent: Thursday, January 08, 2004 12:15 AM
> > To: Kaiser Anwar; Brian McGahan; ccielab@groupstudy.com
> > Subject: Re: Reflexive Access list
> >
> > Hi,
> > I think Brian's outside and inside are wrong.
> > Reflexive ACL will check outbound traffic and will open a tunnel from
> > outside. So "evaluate" will be located in the in direction and "reflect"
> > will apply in the out direction.
> > ----- Original Message -----
> > From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
> > To: "Brian McGahan" <bmcgahan@internetworkexpert.com>;
> > <ccielab@groupstudy.com>
> > Sent: Thursday, January 08, 2004 7:30 AM
> > Subject: Re: Reflexive Access list
> >
> >
> > > This is how I have applied it:
> > > interface Serial0
> > > ip address 165.10.100.1 255.255.255.240
> > > ip access-group inside in
> > > ip access-group outside out
> > > ip pim nbma-mode
> > > ip pim sparse-mode
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> > <ccielab@groupstudy.com>
> > > Sent: Wednesday, January 07, 2004 5:09 PM
> > > Subject: RE: Reflexive Access list
> > >
> > >
> > > > No it doesn't look like you have it configured correctly. How do
> > > > you have these lists applied? If the access-list "inside" is applied
> > > > outbound on the outside interface, the "permit ospf any any reflect
> > > > outbound" will not accomplish anything. Locally generated traffic
> > > > does not hit an outbound access-list.
> > > >
> > > > From what I assume you're trying to accomplish, your lists should
> > > > read as follows:
> > > >
> > > > interface OUTSIDE
> > > > ip access-group inside out
> > > > ip access-group outside in
> > > >
> > > > ip access-list extended inside
> > > > permit tcp any any reflect outbound
> > > > permit udp any any reflect outbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > > !
> > > > ip access-list extended outside
> > > > permit ospf any any
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > > evaluate outbound
> > > >
> > > >
> > > > HTH,
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > > > To: Brian McGahan; ccielab@groupstudy.com
> > > > > Subject: Re: Reflexive Access list
> > > > >
> > > > > Hi Brian,
> > > > > I did read the thread; I am still a little confused. I did
> > > > > configure it again and it seems to be working, but I wanted you to
> > > > > see if it is correctly configured.
> > > > >
> > > > > Thanks
> > > > >
> > > > > ip access-list extended inside
> > > > > evaluate outbound
> > > > > permit tcp any any reflect outbound
> > > > > permit udp any any reflect outbound
> > > > > permit ospf any any reflect outbound
> > > > > permit icmp any any echo
> > > > > permit icmp any any echo-reply
> > > > >
> > > > > ip access-list extended outside
> > > > > evaluate outbound
> > > > > permit ospf any any reflect inbound
> > > > > permit tcp any any reflect inbound
> > > > > permit udp any any reflect inbound
> > > > > permit icmp any any echo
> > > > > permit icmp any any echo-reply
> > > > >
> > > > > R1#sh ip access-lists inbound
> > > > > Reflexive IP access list inbound
> > > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > > > R1#sh ip access-lists outbound
> > > > > Reflexive IP access list outbound
> > > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > > > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > > > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> > > <ccielab@groupstudy.com>
> > > > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > > > Subject: RE: Reflexive Access list
> > > > >
> > > > >
> > > > > > Kaiser,
> > > > > >
> > > > > > Normally you don't want to reflect when the traffic comes back
> > > > > > in. Check this post for more info:
> > > > > >
> > > > > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > > > >
> > > > > >
> > > > > > HTH,
> > > > > >
> > > > > > Brian McGahan, CCIE #8593
> > > > > > bmcgahan@internetworkexpert.com
> > > > > >
> > > > > > Internetwork Expert, Inc.
> > > > > > http://www.InternetworkExpert.com
> > > > > > Toll Free: 877-224-8987
> > > > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > > > > > Behalf Of Kaiser Anwar
> > > > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > > > To: ccielab@groupstudy.com
> > > > > > > Subject: Reflexive Access list
> > > > > > >
> > > > > > > Hi,
> > > > > > > I was testing a reflexive access list in the practice lab. It
> > > > > > > seems to be working, but I wanted to be sure.
> > > > > > > Here is the config. This is the understanding I have for this:
> > > > > > > any traffic that goes out with the reflect keyword has to exist
> > > > > > > in the outside access-list state table.
> > > > > > > Thanks in advance for your help.
> > > > > > >
> > > > > > > ip access-list extended inside
> > > > > > > permit ip any any reflect outbound
> > > > > > >
> > > > > > >
> > > > > > > ip access-list extended outside
> > > > > > > evaluate outbound
> > > > > > > permit ospf any any reflect inbound
> > > > > > > permit udp any any reflect inbound
> > > > > > > permit tcp any any reflect inbound
> > > > > > >
> > > > > > >
> > > > > > > Kaiser Anwar
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > >
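To make the reflect/evaluate direction and the "locally originated traffic is not reflected" point from Brian's reply concrete, here is an added Python model of that configuration (example code written for this archive page, not code from the thread or from Cisco IOS): the outbound "inside" list reflects tcp/udp, the inbound "outside" list statically permits ospf and icmp and then evaluates. The host addresses, the 300-second idle timeout and the packet tuples are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# local=True marks traffic the router itself originated (e.g. its own RIP/OSPF)
Packet = namedtuple("Packet", "proto src sport dst dport local", defaults=(False,))

@dataclass
class ReflexiveList:
    """Entries created by 'reflect <name>', keyed by the reversed 5-tuple so only
    the return half of a session matches. The 300 s idle timeout is assumed."""
    timeout: int = 300
    entries: dict = field(default_factory=dict)  # reversed tuple -> expiry time

    def reflect(self, pkt, now):
        # Router-originated traffic never hits an outbound ACL (so it is never
        # reflected); Brian's 'inside' list reflects only tcp and udp.
        if pkt.local or pkt.proto not in ("tcp", "udp"):
            return False
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout
        return True

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)  # idle entry has aged out
            return False
        self.entries[key] = now + self.timeout  # a hit refreshes the idle timer
        return True

def outside_in_permits(pkt, refl, now):
    """'ip access-list extended outside' applied inbound on Serial0: static
    permits for ospf and icmp echo/echo-reply, then 'evaluate outbound'."""
    if pkt.proto in ("ospf", "icmp"):
        return True
    return refl.evaluate(pkt, now)

def scenario():
    # Constructed traffic: inside host opens TCP/80 outward; router-sourced RIP is local.
    refl = ReflexiveList()
    refl.reflect(Packet("tcp", "10.1.1.5", 40000, "198.51.100.7", 80), now=0)
    refl.reflect(Packet("udp", "165.10.100.1", 520, "224.0.0.9", 520, local=True), now=0)
    reply = Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 40000)
    return {
        "return_traffic": outside_in_permits(reply, refl, 10),
        "unsolicited": outside_in_permits(Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 40001), refl, 10),
        "ospf_static": outside_in_permits(Packet("ospf", "165.10.100.3", 0, "224.0.0.5", 0), refl, 10),
        "rip_from_neighbor": outside_in_permits(Packet("udp", "165.10.100.3", 520, "224.0.0.9", 520), refl, 10),
        "return_after_idle": outside_in_permits(reply, refl, 400),
    }
```

The "rip_from_neighbor" result is the case Brian warns about: the router's own RIP never created a reflexive entry, so the neighbour's RIP is dropped until it is permitted statically in the inbound list, as ospf is here.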
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3