RE: Reflexive Access list

From: Dina Kamal (dina@synergyct.com)
Date: Thu Jan 08 2004 - 17:22:53 GMT-3


Hi,
I am not sure I got your point, but I assume there is a misunderstanding
here... Reflexive access lists try somehow to simulate firewall
functionality. You see, "inbound" to your network is out of your
Ethernet, where you would need the evaluate keyword, and "outbound" from
your network is the inward direction of your Ethernet, where you would need
the reflect keyword, so that's why I suppose it works when you reverse it.

-----Original Message-----
From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
Sent: Thursday, January 08, 2004 6:44 PM
To: Dina Kamal; 'Brian McGahan'; ccielab@groupstudy.com
Subject: Re: Reflexive Access list

Hi,
   I am back again with the same question.
   I am trying to apply this on an Ethernet interface which is running
RIP, and this is what I want: allow inbound to the network. This would be
the inside access-list with the evaluate command, and the outside
access-list will have the reflect statement. Now this is what I think I
should have. I am allowing UDP to go out with the reflect statement,
but it does not work. But if I do it the other way around it works, which
is the wrong way.

ip access-list extended inside
 evaluate inbound

ip access-list extended outside
 permit tcp any any reflect inbound
 permit udp any any reflect inbound
 permit icmp any any echo
 permit icmp any any echo-reply

interface Ethernet0
 ip access-group inside in
 ip access-group outside out

Thanks everyone for your help.

Kaiser A

From: "Dina Kamal" <dina@synergyct.com>
To: "'Brian McGahan'" <bmcgahan@internetworkexpert.com>;
<ccielab@groupstudy.com>
Sent: Thursday, January 08, 2004 1:02 AM
Subject: RE: Reflexive Access list

> Hi,
> As far as I know, how you apply the reflexive ACL depends on the
> interface, whether it is the internal or external interface.
> In this case, I guess it is on the external interface, so the "reflect"
> should be on the outbound direction and the "evaluate" on the inbound
> direction, and vice versa if you configure the reflexive ACL on the
> internal interface.
>
> ----- Original Message -----
> From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
> To: "Brian McGahan" <bmcgahan@internetworkexpert.com>;
> <ccielab@groupstudy.com>
> Sent: Thursday, January 08, 2004 7:30 AM
> Subject: Re: Reflexive Access list
>
>
> > This is how I have applied it:
> > interface Serial0
> > ip address 165.10.100.1 255.255.255.240
> > ip access-group inside in
> > ip access-group outside out
> > ip pim nbma-mode
> > ip pim sparse-mode
> >
> >
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> <ccielab@groupstudy.com>
> > Sent: Wednesday, January 07, 2004 5:09 PM
> > Subject: RE: Reflexive Access list
> >
> >
> > > No, it doesn't look like you have it configured correctly. How do
> > > you have these lists applied? If the access-list "inside" is
> > > applied outbound on the outside interface, the "permit ospf any any
> > > reflect outbound" will not accomplish anything. Locally generated
> > > traffic does not hit an outbound access-list.
> > >
> > > From what I assume you're trying to accomplish, your lists should
> > > read as follows:
> > >
> > > interface OUTSIDE
> > > ip access-group inside out
> > > ip access-group outside in
> > >
> > > ip access-list extended inside
> > > permit tcp any any reflect outbound
> > > permit udp any any reflect outbound
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > > !
> > > ip access-list extended outside
> > > permit ospf any any
> > > permit icmp any any echo
> > > permit icmp any any echo-reply
> > > evaluate outbound
> > >
> > >
> > > HTH,
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 708-362-1418 (Outside the US and Canada)
> > >
> > >
> > > > -----Original Message-----
> > > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > > To: Brian McGahan; ccielab@groupstudy.com
> > > > Subject: Re: Reflexive Access list
> > > >
> > > > HI Brian,
> > > > I did read the thread; I am still a little confused. I did
> > > > configure it again and it seems to be working, but I wanted you to
> > > > see if it is correctly configured.
> > > >
> > > > Thanks
> > > >
> > > > ip access-list extended inside
> > > > evaluate outbound
> > > > permit tcp any any reflect outbound
> > > > permit udp any any reflect outbound
> > > > permit ospf any any reflect outbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > >
> > > > ip access-list extended outside
> > > > evaluate outbound
> > > > permit ospf any any reflect inbound
> > > > permit tcp any any reflect inbound
> > > > permit udp any any reflect inbound
> > > > permit icmp any any echo
> > > > permit icmp any any echo-reply
> > > >
> > > > R1#sh ip access-lists inbound
> > > > Reflexive IP access list inbound
> > > >     permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > >     permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > > R1#sh ip access-lists outbound
> > > > Reflexive IP access list outbound
> > > >     permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > >     permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > >     permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > >     permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> > <ccielab@groupstudy.com>
> > > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > > Subject: RE: Reflexive Access list
> > > >
> > > >
> > > > > Kaiser,
> > > > >
> > > > > Normally you don't want to reflect when the traffic comes back in.
> > > > > Check this post for more info:
> > > > >
> > > > >
http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987
> > > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kaiser Anwar
> > > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > > To: ccielab@groupstudy.com
> > > > > > Subject: Reflexive Access list
> > > > > >
> > > > > > Hi,
> > > > > > I was testing a reflexive access list in the practice lab. It
> > > > > > seems to be working, but I wanted to be sure.
> > > > > > Here is the config. This is the understanding I have for this:
> > > > > > any traffic that goes out with the reflect keyword has to exist
> > > > > > in the outside access-list state table.
> > > > > > Thanks in advance for your help.
> > > > > >
> > > > > > ip access-list extended inside
> > > > > > permit ip any any reflect outbound
> > > > > >
> > > > > >
> > > > > > ip access-list extended outside
> > > > > > evaluate outbound
> > > > > > permit ospf any any reflect inbound
> > > > > > permit udp any any reflect inbound
> > > > > > permit tcp any any reflect inbound
> > > > > >
> > > > > >
> > > > > > Kaiser Anwar
> > > > > >
> > > > > >
> > > >
>
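Editor's addition. The direction rules argued over in this thread (reflect on the traffic leaving through the outside interface, evaluate on the traffic coming back in, and Brian's point that router-originated traffic never traverses an outbound ACL) are easier to see when the state table is modelled explicitly. The following Python model is added here; it is neither any poster's configuration nor Cisco code. It reproduces the access-list layout from Brian's message (inside list applied out, outside list applied in, on the OUTSIDE interface), with TCP/UDP reflected into a temporary list named "outbound", OSPF permitted statically, and a 300 second idle timeout. The packets, addresses and ports in run_scenario() are constructed sample values; the "local" flag on a packet is this model's way of marking router-generated traffic.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp", "ospf", ...
    src: str
    sport: int
    dst: str
    dport: int
    local: bool = False  # True when the router itself originated the packet (model flag)


class ReflexiveList:
    """Temporary list that 'reflect' populates and 'evaluate' consults."""

    def __init__(self, name: str, timeout: int = 300) -> None:
        self.name, self.timeout = name, timeout
        self.entries: dict[tuple, int] = {}  # mirrored 5-tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # The permitted packet is mirrored: the entry permits dst:dport -> src:sport.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def matches(self, pkt: Packet, now: int) -> bool:
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}  # age out
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


@dataclass
class Ace:
    action: str                            # "permit" or "evaluate"
    proto: str = "ip"                      # "ip" matches every protocol
    reflect: ReflexiveList | None = None   # set for 'permit ... reflect NAME'
    evaluate: ReflexiveList | None = None  # set for 'evaluate NAME'


class ExtendedAcl:
    def __init__(self, name: str, aces: list[Ace]) -> None:
        self.name, self.aces = name, aces

    def permits(self, pkt: Packet, now: int) -> bool:
        for ace in self.aces:
            if ace.action == "evaluate":
                if ace.evaluate is not None and ace.evaluate.matches(pkt, now):
                    return True
                continue  # no temporary entry matched; keep scanning the list
            if ace.proto in ("ip", pkt.proto):
                if ace.reflect is not None:
                    ace.reflect.reflect(pkt, now)  # create the return-direction entry
                return True
        return False  # implicit deny at the end of every IOS ACL


class Interface:
    def __init__(self, acl_in: ExtendedAcl, acl_out: ExtendedAcl) -> None:
        self.acl_in, self.acl_out = acl_in, acl_out

    def receive(self, pkt: Packet, now: int) -> bool:
        return self.acl_in.permits(pkt, now)

    def send(self, pkt: Packet, now: int) -> bool:
        if pkt.local:
            return True  # router-originated traffic does not hit an outbound ACL
        return self.acl_out.permits(pkt, now)


def build_outside_interface() -> Interface:
    """Brian's layout on the OUTSIDE interface: reflect going out, evaluate coming in."""
    outbound = ReflexiveList("outbound", timeout=300)
    inside = ExtendedAcl("inside", [
        Ace("permit", "tcp", reflect=outbound),
        Ace("permit", "udp", reflect=outbound),
    ])
    outside = ExtendedAcl("outside", [
        Ace("permit", "ospf"),               # routing protocol permitted statically
        Ace("evaluate", evaluate=outbound),  # otherwise only return traffic gets in
    ])
    return Interface(acl_in=outside, acl_out=inside)


def run_scenario() -> dict[str, bool]:
    """Constructed sample traffic pushed through the modelled interface."""
    wan = build_outside_interface()
    result: dict[str, bool] = {}
    web = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80)
    reply = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000)
    result["client_out"] = wan.send(web, now=0)      # permitted and reflected
    result["reply_in"] = wan.receive(reply, now=10)  # permitted through evaluate
    result["unsolicited_in"] = wan.receive(
        Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 22), now=10)  # no entry: denied
    result["ospf_in"] = wan.receive(
        Packet("ospf", "165.10.100.3", 0, "224.0.0.5", 0), now=10)    # static permit
    rip_out = Packet("udp", "165.10.100.1", 520, "224.0.0.9", 520, local=True)
    result["rip_out"] = wan.send(rip_out, now=10)    # skips the outbound ACL: nothing reflected
    result["rip_in"] = wan.receive(
        Packet("udp", "165.10.100.3", 520, "224.0.0.9", 520), now=11)  # denied without a static permit
    result["reply_after_timeout"] = wan.receive(reply, now=301)        # entry has aged out
    return result
```

Calling run_scenario() shows the two things the thread turns on: the reply to a connection that left through the reflecting list is admitted by evaluate and an unsolicited connection to the same host is not, and the router's own RIP update creates no entry at all, so a neighbour's routing traffic (RIP here, OSPF and PIM in Kaiser's lab) has to be permitted statically in the inbound list. The model ignores TCP FIN/RST teardown of entries and the configurable ip reflexive-list timeout, neither of which changes the direction argument.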



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3