Re: Reflexive!

From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Mon Jun 07 2004 - 12:34:57 GMT-3


That would be too much info for reflexive ACLs (sessions, that is).

What seems to be happening is that the reflexive list not only contains
the protocol (ICMP), source and destination, but also the ICMP code that
is "opened" by the reflect.

I tested that even though a ping (ICMP echo) cannot pass during the
hole's lifetime, an ICMP echo-reply can.
No doubt, reflect is more complex than it seems...

John Underhill wrote:

> I think the reflexive access list is evaluating against a session initiated
> from inside the network during the echo exchange. When you are pinging the
> router from outside the network, it is not the same session, but one
> originated from a different source, evaluated, and discarded because ICMP
> is not permitted on the inbound access list.
>
>
> ----- Original Message -----
> From: "Nancy Khln" <nancy_merill@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, June 05, 2004 2:09 PM
> Subject: Reflexive!
>
>
>
>>Hi,
>>
>>Couple of questions regarding Reflexive ACL, here is the scenario:
>>
>>
>
>>R1-s0(11.11.11.2)---------------------s1--R2--e0-------------------------BB3---l0(51.1.1.1)---
>
>>For testing reasons, I am running RIP & BGP between R2 and BB3.
>>Before I configured my Reflexive ACLs I was able to ping everything from
>>everywhere; once the Reflexive ACLs are in place, I am able to ping BB3 from
>>R1, as traffic leaving the network is "reflected" into the state table.
>>
>>When the ICMP traffic tries to come back in, it is "evaluated" to see if there
>>is a previous entry in the state table; it finds the entry and goes
>>through, and the ping is successful. Am I correct?
>
>>R1#ping 51.1.1.1
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 51.1.1.1, timeout is 2 seconds:
>>!!!!!
>>Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 ms
>>
>>Now from BB3 I am trying to ping R1's s0. I was expecting to get a
>>response since there is a previously created entry in the table. It DOES NOT:
>>I am getting unreachable.
>
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
>>U.U.U
>>Success rate is 0 percent (0/5)
>>
>>Here is R2's config
>>
>>interface Ethernet0/0
>> ip address 14.14.14.1 255.255.255.0
>> ip access-group INBOUND in
>> ip access-group OUTBOUND out
>>!
>>Extended IP access list INBOUND
>> permit udp any any (104 matches)
>> permit tcp any any (68 matches)
>> evaluate TRAFFIC
>> deny ip any any (44 matches)
>>Extended IP access list OUTBOUND
>> permit udp any any reflect TRAFFIC
>> permit tcp any any reflect TRAFFIC
>> permit icmp any any reflect TRAFFIC
>>Reflexive IP access list TRAFFIC
>> permit icmp host 51.1.1.1 host 11.11.11.2 (11 matches) (time left 158)
>
>>R2#
>>As long as I have this temporary entry in the state table I should be able
>>to ping 11.11.11.2 from BB3. Am I correct? I should not be allowed to ping
>>anything else on the network from BB3. From R2 I am not able to ping BB3;
>>this is OK, the OUTBOUND list doesn't affect locally generated packets.
>>
>>Do I need to add "permit icmp" to the INBOUND list!!!!!! This would defeat
>>its purpose, wouldn't it, and allow everything to go through.....
>
>> Please advise.
>>Thank you
>>Nancy
>>
>>
>>_______________________________________________________________________
>>Please help support GroupStudy by purchasing your study materials from:
>>http://shop.groupstudy.com
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>

-- 
Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
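The behaviour Carlos and John describe above, as an added example that is not part of the thread and not Cisco IOS code: a small Python model of a reflexive ACL's temporary state table. The model assumes, following Carlos's observation, that an outbound ICMP request reflects an entry for the matching reply type only (echo opens a hole for echo-reply, not for another echo), while TCP/UDP reflect the mirrored address/port pair. The addresses, the 300-second timeout and the refresh-on-match behaviour are assumptions taken from the thread's topology and IOS defaults, not verified IOS internals; the packets are constructed sample input.

```python
"""Toy model of a reflexive ACL state table (added example, not IOS code).

Reproduces the scenario from the thread: an outbound ping from R1 opens a
hole that lets BB3's echo-reply back in, but does not let BB3 ping R1.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses taken from the thread's topology.
R1_S0 = "11.11.11.2"   # inside host (R1 s0)
BB3_L0 = "51.1.1.1"    # outside host (BB3 lo0)

# ICMP request type -> reply type. Only echo (8 -> 0) is exercised below;
# the other pairs (timestamp, info, mask) are modelled the same way by assumption.
ICMP_REPLY_FOR = {8: 0, 13: 14, 15: 16, 17: 18}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # for icmp: the message type
    dport: int = 0      # for icmp: the code (not used for matching here)


class ReflexiveACL:
    """Temporary entries keyed on the *reverse* of each reflected outbound flow."""

    def __init__(self, timeout: int = 300) -> None:
        self.timeout = timeout              # assumption: IOS default reflexive timeout
        self.entries: Dict[Tuple, int] = {}  # entry key -> expiry time (seconds)

    @staticmethod
    def _reverse(pkt: Packet) -> Optional[Tuple]:
        """Key that the return traffic of `pkt` will present to evaluate()."""
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "icmp":
            reply = ICMP_REPLY_FOR.get(pkt.sport)
            if reply is None:
                return None                 # no reply expected, nothing to reflect
            return ("icmp", pkt.dst, reply, pkt.src)
        return None

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return ("icmp", pkt.src, pkt.sport, pkt.dst)

    def reflect(self, pkt: Packet, now: int) -> None:
        """Outbound packet matched a `permit ... reflect NAME` line."""
        key = self._reverse(pkt)
        if key is not None:
            self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        """Inbound packet reached the `evaluate NAME` line: permit only on a live entry."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}  # expire old holes
        key = self._key(pkt)
        if key in self.entries:
            self.entries[key] = now + self.timeout  # assumption: traffic refreshes the timer
            return True
        return False


def inbound_allowed(acl: ReflexiveACL, pkt: Packet, now: int) -> bool:
    """The posted INBOUND list: static permits for tcp/udp, then evaluate, then deny."""
    if pkt.proto in ("tcp", "udp"):
        return True
    return acl.evaluate(pkt, now)


def run_scenario() -> Dict[str, bool]:
    """Replay the thread: R1 pings BB3, then BB3 tries to ping R1 while the hole is open."""
    acl = ReflexiveACL()
    acl.reflect(Packet("icmp", R1_S0, BB3_L0, sport=8), now=0)   # R1's echo goes out
    return {
        # BB3's echo-reply (type 0) matches the reflected entry
        "reply_from_bb3": inbound_allowed(acl, Packet("icmp", BB3_L0, R1_S0, sport=0), 1),
        # BB3's own echo (type 8) to R1 does not, even with the hole open
        "echo_from_bb3": inbound_allowed(acl, Packet("icmp", BB3_L0, R1_S0, sport=8), 2),
        # a reply from a different outside host: wrong addresses
        "reply_from_other": inbound_allowed(acl, Packet("icmp", "51.1.1.2", R1_S0, sport=0), 3),
        # after the timeout the hole has closed
        "reply_after_timeout": inbound_allowed(acl, Packet("icmp", BB3_L0, R1_S0, sport=0), 400),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

One thing the model makes visible about the posted configuration: INBOUND permits tcp and udp from any to any before it reaches `evaluate TRAFFIC`, so the reflexive entries created for TCP and UDP never decide anything there; only ICMP actually depends on the state table, which is why the ping from BB3 is the case that fails.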


This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:34 GMT-3