From: John Underhill (stepnwlf@magma.ca)
Date: Sat Jun 05 2004 - 17:59:35 GMT-3
I think the reflexive access list is evaluating against a session initiated
from inside the network during the echo exchange. When you are pinging the
router from outside the network, it is not the same session, but one
originated from a different source, evaluated, and discarded because ICMP is
not permitted on the inbound access list.
----- Original Message -----
From: "Nancy Khln" <nancy_merill@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Saturday, June 05, 2004 2:09 PM
Subject: Reflexive!
> Hi,
>
> Couple of questions regarding Reflexive ACL, here is the scenario:
>
>
> R1-s0(11.11.11.2)-----------s1--R2--e0-----------BB3---l0(51.1.1.1)---
>
> For testing reasons, I am running RIP & BGP between R2 and BB3.
> Before I configured my reflexive ACLs I was able to ping everything from
everywhere; once the reflexive ACLs are in place, I am able to ping BB3 from
R1, as traffic leaving the network is "reflected" into the state table.
> When the ICMP traffic tries to come back in, it is "evaluated" to see if
there is a previous entry in the state table; it finds the entry and goes
through, and the ping is successful. Am I correct?
> R1#ping 51.1.1.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 51.1.1.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 m
>
> Now from BB3 I am trying to ping R1's s0; I was expecting to get a
response since there is a previously created entry in the table. It DOES NOT;
I am getting unreachable:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
> U.U.U
> Success rate is 0 percent (0/5)
>
> Here is R2's config
>
> interface Ethernet0/0
> ip address 14.14.14.1 255.255.255.0
> ip access-group INBOUND in
> ip access-group OUTBOUND out
> !
> Extended IP access list INBOUND
> permit udp any any (104 matches)
> permit tcp any any (68 matches)
> evaluate TRAFFIC
> deny ip any any (44 matches)
> Extended IP access list OUTBOUND
> permit udp any any reflect TRAFFIC
> permit tcp any any reflect TRAFFIC
> permit icmp any any reflect TRAFFIC
> Reflexive IP access list TRAFFIC
> permit icmp host 51.1.1.1 host 11.11.11.2 (11 matches) (time left 158)
> R2#
> As long as I have this temporary entry in the state table I should be able
to ping 11.11.11.2 from BB3. Am I correct? I should not be allowed to ping
anything else on the network from BB3. From R2 I am not able to ping BB3;
this is OK, the OUTBOUND list doesn't affect locally generated packets.
> Do I need to add permit ICMP in the INBOUND list?! This would defeat its
purpose, wouldn't it, and allow everything to go through...
> Please advise.
> Thank you
> Nancy
>
>
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:33 GMT-3
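As an added illustration of the mechanism both messages above are arguing about, here is a small model of how an IOS reflexive ACL creates and matches its temporary entries. It is my own code, not from either poster and not Cisco's implementation. It uses R2's e0 lists exactly as shown in the post (OUTBOUND reflecting into TRAFFIC, INBOUND evaluating TRAFFIC before `deny ip any any`) and the addresses given there (R1 s0 = 11.11.11.2, BB3 lo0 = 51.1.1.1). Two things are assumptions: BB3's e0 address, which the post does not give and which is set to 14.14.14.2 here, and the 300 second idle timeout, which is the IOS default for `ip reflexive-list timeout`. The model shows that the temporary entry is the mirror image of R1's outbound echo (`permit icmp host 51.1.1.1 host 11.11.11.2`), that it carries only the host pair for ICMP, so an echo BB3 sources from lo0 matches it while it lives, that an echo sourced from any other BB3 address falls through to the `deny`, and that after the timer expires nothing matches.

```python
"""Toy model of an IOS reflexive ACL (added example; not from the post or from Cisco).

Addresses from the post: R1 s0 = 11.11.11.2, BB3 lo0 = 51.1.1.1.
Assumed (not in the post): BB3 e0 = 14.14.14.2; timeout 300 s (IOS default).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP
    dport: int = 0


@dataclass
class TempEntry:
    """Temporary entry: the mirror image (src/dst and ports swapped) of the outbound packet."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    time_left: int

    def matches(self, p: Packet) -> bool:
        # ICMP entries carry only the host pair, as the post's show output displays them
        ports_ok = self.proto == "icmp" or (p.sport == self.sport and p.dport == self.dport)
        return p.proto == self.proto and p.src == self.src and p.dst == self.dst and ports_ok

    def describe(self) -> str:
        return f"permit {self.proto} host {self.src} host {self.dst} (time left {self.time_left})"


class ReflexiveList:
    def __init__(self, name: str, timeout: int = 300) -> None:
        self.name, self.timeout = name, timeout
        self.entries: List[TempEntry] = []

    def reflect(self, p: Packet) -> None:
        """Outbound packet hit a 'reflect' ACE: create (or refresh) the reversed entry."""
        mirrored = Packet(p.proto, p.dst, p.src, p.dport, p.sport)
        for e in self.entries:
            if e.matches(mirrored):
                e.time_left = self.timeout
                return
        self.entries.append(TempEntry(p.proto, p.dst, p.src, p.dport, p.sport, self.timeout))

    def match(self, p: Packet) -> bool:
        """Inbound packet hit an 'evaluate' ACE: permit if a live entry matches."""
        for e in self.entries:
            if e.matches(p):
                e.time_left = self.timeout      # a match restarts the idle timer
                return True
        return False

    def tick(self, seconds: int) -> None:
        """Age the entries; expired ones are removed, as IOS does after the idle timeout."""
        for e in self.entries:
            e.time_left -= seconds
        self.entries = [e for e in self.entries if e.time_left > 0]


@dataclass
class Ace:
    """permit/deny <proto> any any [reflect NAME], or evaluate NAME (all ACEs in the post are any any)."""
    action: str                 # "permit", "deny" or "evaluate"
    proto: str = "ip"
    name: Optional[str] = None  # reflexive list to reflect into, or to evaluate


class R2Ethernet0:
    """R2 e0 from the post: 'ip access-group OUTBOUND out' and 'ip access-group INBOUND in'."""
    def __init__(self) -> None:
        self.lists: Dict[str, ReflexiveList] = {"TRAFFIC": ReflexiveList("TRAFFIC")}
        self.outbound = [Ace("permit", "udp", "TRAFFIC"), Ace("permit", "tcp", "TRAFFIC"),
                         Ace("permit", "icmp", "TRAFFIC")]
        self.inbound = [Ace("permit", "udp"), Ace("permit", "tcp"),
                        Ace("evaluate", name="TRAFFIC"), Ace("deny", "ip")]

    def _apply(self, acl: List[Ace], p: Packet) -> bool:
        for ace in acl:
            if ace.action == "evaluate":
                if self.lists[ace.name].match(p):
                    return True
                continue                        # no live entry: keep walking the list
            if ace.proto in ("ip", p.proto):
                if ace.action == "permit" and ace.name:
                    self.lists[ace.name].reflect(p)
                return ace.action == "permit"
        return False                            # implicit deny at the end of every ACL

    def send_out(self, p: Packet) -> bool:
        return self._apply(self.outbound, p)

    def receive_in(self, p: Packet) -> bool:
        return self._apply(self.inbound, p)


def scenario(bb3_ping_source: str = "14.14.14.2") -> dict:
    """Replay the post: R1 pings BB3 lo0, BB3 pings R1 s0, then the entry idles out."""
    r2, r = R2Ethernet0(), {}
    echo = Packet("icmp", "11.11.11.2", "51.1.1.1")     # R1 -> BB3 lo0, leaves e0
    reply = Packet("icmp", "51.1.1.1", "11.11.11.2")    # BB3 lo0 -> R1, enters e0
    r["r1_echo_out"] = r2.send_out(echo)
    r["temp_entries"] = [e.describe() for e in r2.lists["TRAFFIC"].entries]
    r["bb3_reply_in"] = r2.receive_in(reply)
    # BB3 pings R1 s0 while the entry is alive: only the source address decides
    r["bb3_echo_in"] = r2.receive_in(Packet("icmp", bb3_ping_source, "11.11.11.2"))
    r2.lists["TRAFFIC"].tick(300)                       # idle timer runs out
    r["bb3_echo_after_timeout"] = r2.receive_in(reply)
    return r


if __name__ == "__main__":
    for src in ("14.14.14.2", "51.1.1.1"):
        print(f"BB3 echo sourced from {src}: {scenario(src)}")
```

On a real router the same two things are worth checking before touching the INBOUND list: `show access-lists` shows the temporary entry with its host pair and time left, and the match counter on `deny ip any any` grows for every packet that fell through; and an extended `ping` on BB3 lets you choose the source address, so you can see whether the echo left from lo0 (the address in the entry) or from the e0 address, which the entry does not cover.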