Reflexive Access-Lists

From: Ahmed Mustafa (ahmed.mustafa@sbcglobal.net)
Date: Thu Mar 11 2004 - 15:54:23 GMT-3


The whole idea of a Reflexive List is to allow the packets originated behind the
originator device.

For example,

If I am required to allow only telnet packets from the outside network to one
of my routers behind the Internet router.

ISP router ----------------------------------(S0) (My Internet router)
(E0)--------------------------------(E0) (My Edge router) (E1)------Local LAN
where telnet server resides at 172.16.10.25. I could do this:

ip access-list extended INBOUND
 permit tcp any any reflect REFLEXIVE

ip access-list extended OUTBOUND
 permit tcp any host 172.16.10.25 eq telnet
 evaluate REFLEXIVE

int e0
 ip access-group INBOUND in
 ip access-group OUTBOUND out

The line "permit tcp any host 172.16.10.25 eq telnet" is per the documentation,
but I don't seem to agree with that. To me, it should be like this:

 permit tcp host 172.16.10.25 eq telnet any

The reason is because when a host at the ISP originates a request, the host is
the SOURCE and the telnet server is the DESTINATION, and when the server replies
back to the request coming from the host, it then becomes the SOURCE and the
host becomes the DESTINATION.

That is the basic rule I learned when I started configuring access-lists, but
why wouldn't we apply the same logic for reflexive access-lists? I know I am
wrong but need some explanation.

Regards,

Ahmed
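The question above turns on what a reflexive access-list does with the line you type. The `permit ... reflect NAME` entry is matched against the first packet of a session in its original direction; when a packet matches, IOS creates a temporary entry in the reflexive list NAME with the source and destination addresses and ports swapped, and the `evaluate NAME` entry in the ACL for the opposite direction consults those temporary entries. The mirrored line is generated by the router, not typed, and it is removed when the session ends or the reflexive timeout expires (300 seconds by default). The following Python model is an added example, not code from the original post or from Cisco; the client address 203.0.113.9, the source ports and the packet sequence are constructed for the illustration, and the ACL it models (permit telnet to 172.16.10.25 with `reflect`, `evaluate` on the return path) is a simplified version of the one discussed in the post.

```python
"""Toy model of a reflexive access-list (added example, not router code).

A 'reflect' entry records a mirror entry (source/destination swapped) when a
packet it permits passes; an 'evaluate' entry in the opposite-direction ACL
consults those mirrors, so only replies to permitted sessions get through.
Addresses, ports and timestamps below are constructed for the illustration;
300 s is the IOS default reflexive timeout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    """One ACL line; None port means 'any port'."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    reflect: Optional[str] = None   # reflexive list this line populates
    evaluate: Optional[str] = None  # reflexive list this line consults

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (ANY, p.src)
                and self.sport in (None, p.sport)
                and self.dst in (ANY, p.dst)
                and self.dport in (None, p.dport))


@dataclass
class MirrorEntry:
    entry: Entry
    last_seen: float


class ReflexiveTable:
    """Temporary entries created by 'reflect', expired after `timeout` seconds."""

    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout
        self.lists: Dict[str, List[MirrorEntry]] = {}

    def add_mirror(self, name: str, p: Packet, now: float) -> Entry:
        # The router builds the return-direction line itself: the packet's
        # destination/port become the mirror's source/port and vice versa.
        mirror = Entry(p.proto, p.dst, p.dport, p.src, p.sport)
        self.lists.setdefault(name, []).append(MirrorEntry(mirror, now))
        return mirror

    def permits(self, name: str, p: Packet, now: float) -> bool:
        live = [m for m in self.lists.get(name, [])
                if now - m.last_seen < self.timeout]
        self.lists[name] = live  # drop expired sessions
        for m in live:
            if m.entry.matches(p):
                m.last_seen = now  # traffic on the session refreshes it
                return True
        return False


def apply_acl(acl: List[Entry], table: ReflexiveTable, p: Packet, now: float) -> bool:
    """First matching line wins; implicit deny at the end, as on IOS."""
    for e in acl:
        if e.evaluate is not None:
            if table.permits(e.evaluate, p, now):
                return True
            continue  # no mirror matched: fall through to later lines
        if e.matches(p):
            if e.reflect is not None:
                table.add_mirror(e.reflect, p, now)
            return True
    return False


def telnet_scenario() -> Dict[str, object]:
    """Constructed packet sequence: outside client 203.0.113.9 telnets to the server."""
    server, client = "172.16.10.25", "203.0.113.9"
    inbound = [Entry("tcp", ANY, None, server, 23, reflect="REFLEXIVE")]
    outbound = [Entry("tcp", ANY, None, ANY, None, evaluate="REFLEXIVE")]
    table = ReflexiveTable()
    r: Dict[str, object] = {}
    # 1. client opens telnet: matches the typed permit, mirror entry is created
    r["client_syn"] = apply_acl(inbound, table, Packet("tcp", client, 40000, server, 23), 0.0)
    r["mirror"] = table.lists["REFLEXIVE"][0].entry
    # 2. server's reply goes out: permitted only because of the mirror
    r["server_reply"] = apply_acl(outbound, table, Packet("tcp", server, 23, client, 40000), 1.0)
    # 3. server-side traffic to a port nobody connected from: no mirror, denied
    r["unsolicited_out"] = apply_acl(outbound, table, Packet("tcp", server, 23, client, 50000), 2.0)
    # 4. same client trying SSH in: no typed permit for port 22, denied
    r["client_ssh"] = apply_acl(inbound, table, Packet("tcp", client, 40001, server, 22), 3.0)
    # 5. the reply path closes again once the session has been idle past the timeout
    r["reply_after_timeout"] = apply_acl(outbound, table, Packet("tcp", server, 23, client, 40000), 400.0)
    return r


if __name__ == "__main__":
    for key, value in telnet_scenario().items():
        print(key, value)
```

Running it shows the mirror entry as `tcp 172.16.10.25:23 -> 203.0.113.9:40000`, i.e. exactly the swapped form, generated from the single typed `permit tcp any host 172.16.10.25 eq telnet` line. From a defender's point of view the model also shows the two things worth checking in a real deployment: nothing opens the return path except a session the permit line admitted, and idle entries age out, so a long-silent session needs the `ip reflexive-list timeout` tuned rather than a blanket permit in the return direction.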



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:17 GMT-3