RE: Reflexive Access list

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Jan 08 2004 - 17:54:54 GMT-3


Locally generated traffic does not hit an outbound access-list, therefore it
cannot be reflected. You must send traffic from behind the border router,
as in this scenario:

R1---12.0.0.0/8--E0/0-R2-S0/1--23.0.0.0/8---R3

R1#ping 23.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/31/32 ms
R1#

Rack1AS>3
[Resuming connection 3 to r3 ... ]
R3#ping 12.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/33 ms
R3#telnet 12.0.0.1
Trying 12.0.0.1 ...
% Destination unreachable; gateway or host down <-- R3 cannot initiate a
session to R1

R1#telnet 23.0.0.3
Trying 23.0.0.3 ... Open <-- R1 can initiate a session to R3

R3>
Rack1AS>2
[Resuming connection 2 to r2 ... ]

R2#show access-lists
Extended IP access list inside
    10 permit tcp any any reflect outbound
    20 permit udp any any reflect outbound
    30 permit icmp any any echo (5 matches)
    40 permit icmp any any echo-reply (5 matches)
Reflexive IP access list outbound
     permit tcp host 23.0.0.3 eq telnet host 12.0.0.1 eq 11000 (17 matches)
(time left 295) <--- reflexive entry
Extended IP access list outside
    10 permit ospf any any
    20 permit icmp any any echo (5 matches)
    30 permit icmp any any echo-reply (5 matches)
    40 evaluate outbound

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
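
To make the transit-versus-local distinction above concrete, here is an added Python model of the two lists from this thread (my own illustration for this archive, not IOS code and not anything posted in the thread). It assumes 23.0.0.2 for R2's S0/1 address, which the thread does not give, and it ignores timeouts and other IOS details.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports
    dport: int = 0

# Entries mirror the thread's lists: ("permit", proto, reflect_name or None)
# or ("evaluate", reflect_name); "inside" is applied out, "outside" in.
INSIDE = [("permit", "tcp", "outbound"), ("permit", "udp", "outbound"),
          ("permit", "icmp", None)]
OUTSIDE = [("permit", "ospf", None), ("permit", "icmp", None),
           ("evaluate", "outbound")]

class BorderRouter:
    def __init__(self):
        self.reflex = {}  # reflexive list name -> set of mirrored 5-tuples

    def send_out(self, pkt, locally_generated=False):
        """Packet leaving the outside interface. Locally generated traffic
        never hits the outbound ACL, so it is never reflected."""
        if locally_generated:
            return True
        for kind, proto, reflect in INSIDE:
            if kind == "permit" and proto == pkt.proto:
                if reflect:  # "reflect <name>": store the mirrored flow
                    self.reflex.setdefault(reflect, set()).add(
                        (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
        return False  # implicit deny

    def receive_in(self, pkt):
        # Packet arriving on the outside interface, checked top-down.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for entry in OUTSIDE:
            if entry[0] == "permit" and entry[1] == pkt.proto:
                return True
            if entry[0] == "evaluate" and key in self.reflex.get(entry[1], ()):
                return True
        return False

def run_scenario():
    r2 = BorderRouter()  # R1 12.0.0.1 inside, R3 23.0.0.3 outside; R2's S0/1 assumed 23.0.0.2
    r2.send_out(Pkt("tcp", "12.0.0.1", "23.0.0.3", 11000, 23))  # R1 telnets R3 via R2
    r1_reply = r2.receive_in(Pkt("tcp", "23.0.0.3", "12.0.0.1", 23, 11000))
    r3_init = r2.receive_in(Pkt("tcp", "23.0.0.3", "12.0.0.1", 11001, 23))
    r2.send_out(Pkt("tcp", "23.0.0.2", "23.0.0.3", 11002, 23), locally_generated=True)
    r2_reply = r2.receive_in(Pkt("tcp", "23.0.0.3", "23.0.0.2", 23, 11002))
    return {"r1_reply_in": r1_reply, "r3_initiated": r3_init, "r2_local_reply": r2_reply}
```

The transit telnet from R1 gets its reply back in through the mirrored entry, R3's own session attempt is dropped, and R2's locally generated telnet reply is dropped because nothing was ever reflected for it.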

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kaiser Anwar
> Sent: Thursday, January 08, 2004 2:37 PM
> To: Brian McGahan
> Cc: ccielab@groupstudy.com
> Subject: Re: Reflexive Access list
>
> Hi Brian,
> I have applied the access list exactly as you posted. I still
> don't see any temp openings. What can I do to generate traffic to see if
> it is working.
> Thanks
>
> here is how I have applied.
> ip access-list extended inside
> permit tcp any any reflect outbound
> permit udp any any reflect outbound
> permit icmp any any echo
> permit icmp any any echo-reply
> ip access-list extended outside
> permit ospf any any
> permit icmp any any echo
>
> interface Serial0
> ip address 165.10.100.1 255.255.255.240
> ip access-group outside in
> ip access-group inside out
> ip pim nbma-mode
> permit icmp any any echo-reply
> evaluate outbound
>
>
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "'wangstone373'" <wangstone373@hotmail.com>; "'Kaiser Anwar'"
> <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> Sent: Thursday, January 08, 2004 10:55 AM
> Subject: RE: Reflexive Access list
>
>
> > The reflexive list will check the traffic in whichever direction you
> > reflect it. Typically this is outbound on the outside interface, but can
> > be inbound on the inside or dmz interface in certain cases.
> >
> > Suppose the setup is as follows:
> >
> > Inside_trusted_network-----E0--R1--S0-----Outside_untrusted_network
> >
> > Traffic is only allowed to come in from the outside untrusted
> > network if it was originated from the inside. Therefore as traffic is
> > going out of the outside interface (S0), it is reflected. As traffic is
> > coming back in the outside interface, it is evaluated against the
> > reflexive list.
> >
> > interface Serial0
> > ip access-group inside out <-- traffic from the inside network going out
> > ip access-group outside in <-- traffic from the outside network coming in
> >
> > ip access-list extended inside
> > permit tcp any any reflect outbound <-- check the traffic as it goes out
> > permit udp any any reflect outbound <-- check the traffic as it goes out
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > !
> > ip access-list extended outside
> > permit ospf any any
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > evaluate outbound <-- evaluate the reflexive list, if it came from the
> > inside and went out, allow it to come from the outside back in
> >
> >
> > Set it up and you'll see. If you're still having trouble I'll post
> > the code output. Remember that locally originated traffic is not
> > reflected, so any routing protocol or any other locally originated
> > (telnet, ping, trace, etc) traffic must be manually allowed back in.
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 708-362-1418 (Outside the US and Canada)
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > wangstone373
> > > Sent: Thursday, January 08, 2004 12:15 AM
> > > To: Kaiser Anwar; Brian McGahan; ccielab@groupstudy.com
> > > Subject: Re: Reflexive Access list
> > >
> > > Hi,
> > > I think Brian's outside and inside are wrong.
> > > Reflexive ACL will check outbound traffic and will open a tunnel from
> > > outside. So "evaluate" will be located in the in direction and "reflect"
> > > will apply in the out direction.
> > > ----- Original Message -----
> > > From: "Kaiser Anwar" <kaiseranwar@sbcglobal.net>
> > > To: "Brian McGahan" <bmcgahan@internetworkexpert.com>;
> > > <ccielab@groupstudy.com>
> > > Sent: Thursday, January 08, 2004 7:30 AM
> > > Subject: Re: Reflexive Access list
> > >
> > >
> > > > This is how I have applied it:
> > > > interface Serial0
> > > > ip address 165.10.100.1 255.255.255.240
> > > > ip access-group inside in
> > > > ip access-group outside out
> > > > ip pim nbma-mode
> > > > ip pim sparse-mode
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>; <ccielab@groupstudy.com>
> > > > Sent: Wednesday, January 07, 2004 5:09 PM
> > > > Subject: RE: Reflexive Access list
> > > >
> > > >
> > > > > No it doesn't look like you have it configured correctly. How do
> > > > > you have these lists applied? If the access-list "inside" is applied
> > > > > outbound on the outside interface, the "permit ospf any any reflect
> > > > > outbound" will not accomplish anything. Locally generated traffic does
> > > > > not hit an outbound access-list.
> > > > >
> > > > > From what I assume you're trying to accomplish, your lists should
> > > > > read as follows:
> > > > >
> > > > > interface OUTSIDE
> > > > > ip access-group inside out
> > > > > ip access-group outside in
> > > > >
> > > > > ip access-list extended inside
> > > > > permit tcp any any reflect outbound
> > > > > permit udp any any reflect outbound
> > > > > permit icmp any any echo
> > > > > permit icmp any any echo-reply
> > > > > !
> > > > > ip access-list extended outside
> > > > > permit ospf any any
> > > > > permit icmp any any echo
> > > > > permit icmp any any echo-reply
> > > > > evaluate outbound
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987
> > > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Kaiser Anwar [mailto:kaiseranwar@sbcglobal.net]
> > > > > > Sent: Wednesday, January 07, 2004 5:02 PM
> > > > > > To: Brian McGahan; ccielab@groupstudy.com
> > > > > > Subject: Re: Reflexive Access list
> > > > > >
> > > > > > HI Brian,
> > > > > > I did read the thread; I am still a little confused. I did
> > > > > > configure it again and it seems to be working, but I wanted you to
> > > > > > see if it is correctly configured.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > ip access-list extended inside
> > > > > > evaluate outbound
> > > > > > permit tcp any any reflect outbound
> > > > > > permit udp any any reflect outbound
> > > > > > permit ospf any any reflect outbound
> > > > > > permit icmp any any echo
> > > > > > permit icmp any any echo-reply
> > > > > >
> > > > > > ip access-list extended outside
> > > > > > evaluate outbound
> > > > > > permit ospf any any reflect inbound
> > > > > > permit tcp any any reflect inbound
> > > > > > permit udp any any reflect inbound
> > > > > > permit icmp any any echo
> > > > > > permit icmp any any echo-reply
> > > > > >
> > > > > > R1#sh ip access-lists inbound
> > > > > > Reflexive IP access list inbound
> > > > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (2 matches) (time left 75)
> > > > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (14 matches) (time left 281)
> > > > > > R1#sh ip access-lists outbound
> > > > > > Reflexive IP access list outbound
> > > > > > permit udp host 224.0.1.39 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (7 matches) (time left 243)
> > > > > > permit udp host 224.0.0.9 eq rip host 165.10.100.3 eq rip (55 matches) (time left 280)
> > > > > > permit ospf host 165.10.100.1 eq host 165.10.100.3 (13 matches) (time left 277)
> > > > > > permit udp host 224.0.1.40 eq pim-auto-rp host 165.10.100.3 eq pim-auto-rp (27 matches) (time left 270)
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > To: "'Kaiser Anwar'" <kaiseranwar@sbcglobal.net>;
> > > > <ccielab@groupstudy.com>
> > > > > > Sent: Wednesday, January 07, 2004 11:26 AM
> > > > > > Subject: RE: Reflexive Access list
> > > > > >
> > > > > >
> > > > > > > Kaiser,
> > > > > > >
> > > > > > > Normally you don't want to reflect when the traffic comes back in.
> > > > > > > Check this post for more info:
> > > > > > >
> > > > > > > http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
> > > > > > >
> > > > > > >
> > > > > > > HTH,
> > > > > > >
> > > > > > > Brian McGahan, CCIE #8593
> > > > > > > bmcgahan@internetworkexpert.com
> > > > > > >
> > > > > > > Internetwork Expert, Inc.
> > > > > > > http://www.InternetworkExpert.com
> > > > > > > Toll Free: 877-224-8987
> > > > > > > Direct: 708-362-1418 (Outside the US and Canada)
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > > > Kaiser Anwar
> > > > > > > > Sent: Wednesday, January 07, 2004 8:43 AM
> > > > > > > > To: ccielab@groupstudy.com
> > > > > > > > Subject: Reflexive Access list
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > > I was testing a reflexive access list in the practice lab. It seems
> > > > > > > > to be working, but I wanted to be sure.
> > > > > > > > Here is the config. The understanding I have for this is that any
> > > > > > > > traffic that goes out with the reflect keyword has to exist in the
> > > > > > > > outside access-list state table.
> > > > > > > > Thanks in advance for your help.
> > > > > > > >
> > > > > > > > ip access-list extended inside
> > > > > > > > permit ip any any reflect outbound
> > > > > > > >
> > > > > > > >
> > > > > > > > ip access-list extended outside
> > > > > > > > evaluate outbound
> > > > > > > > permit ospf any any reflect inbound
> > > > > > > > permit udp any any reflect inbound
> > > > > > > > permit tcp any any reflect inbound
> > > > > > > >
> > > > > > > >
> > > > > > > > Kaiser Anwar
> > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________________________________
> > > > > > > > Please help support GroupStudy by purchasing your study materials from:
> > > > > > > > http://shop.groupstudy.com
> > > > > > > >
> > > > > > > > Subscription information may be found at:
> > > > > > > > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:38 GMT-3