Re: reflexive ACL question

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jul 20 2004 - 21:59:11 GMT-3


Gerry is correct. The reflexive acl doesn't "reflect" traffic that
originates from the router itself. FYI, there are 2 ways to have this
traffic be subject to the acl:

a) Use policy based routing to have traffic routed to another interface on
the router to "fool" the router into applying this traffic to the reflexive
or

b) Just add entries in your acl to allow the traffic back in.

There's an excellent example of this in the IE workbook in one of the first
5 labs. ( Sorry, off-hand, I don't remember which lab)

HTH
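Option (b) written out against the lab configuration quoted further down (R1 e0 = 10.0.0.1, R2 = 10.0.0.2). This is an added example, not a config from the thread or the IE workbook; the static entry is scoped to the one peer and port the lab actually telnets to.

```cisco
! Added example (not from the thread): reflexive ACL for transit traffic
! plus a static return entry for telnet sessions R1 itself opens to R2.
ip reflexive-list timeout 240
!
interface Ethernet0
 ip address 10.0.0.1 255.0.0.0
 ip access-group in1 in
 ip access-group out1 out
!
! Outbound: TCP from hosts behind R1 still creates reflexive entries in
! "mytest". Traffic sourced by R1 passes here but creates no entry.
ip access-list extended out1
 permit tcp any any reflect mytest timeout 120
!
! Inbound: the static line admits replies to R1's own telnet to R2
! (source port 23, ACK/RST set); "evaluate" then handles the dynamic
! entries for everything that originated behind R1. Implicit deny after.
ip access-list extended in1
 permit tcp host 10.0.0.2 eq 23 host 10.0.0.1 established
 evaluate mytest
```

The "established" keyword only checks TCP flags, not session state, so keep that static entry as narrow as the peer and port you need rather than "permit tcp any any established".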
----- Original Message -----
From: <Jongsoo.Kim@Intelsat.com>
To: <gerry.hilton@rogers.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, July 20, 2004 8:34 PM
Subject: RE: reflexive ACL question

> Yes it works from behind R1.
>
> Thanks !!!
>
> Jongsoo
>
> -----Original Message-----
> From: Gerry Hilton [mailto:gerry.hilton@rogers.com]
> Sent: Tuesday, 20 July, 2004 7:19 PM
> To: Kim, Jongsoo
> Cc: ccielab@groupstudy.com
> Subject: Re: reflexive ACL question
>
>
> Hi. I believe that the problem is that traffic that the router
> originates will not get evaluated. Try your telnet from a router behind
> R1.
>
> Gerry
>
> jongsoo.kim@intelsat.com wrote:
>
> >I set up a simple lab
> >
> >R1 e0 .1 -----10.0.0.0/8 ----- .2 R2
> >
> >R1 IOS is : IOS (tm) 2500 Software (C2500-JS-L), Version 12.2(16),
> >RELEASE SOFTWARE (fc3)
> >
> >I configure a simple reflexive ACL using telnet but it doesn't seem to
> >work.
> >What am I missing?
> >
> >r1#telnet 10.0.0.2
> >Trying 10.0.0.2 ...
> >% Connection timed out; remote host not responding
> >
> >Here is R1 summary config
> >
> >ip reflexive-list timeout 240
> >interface Ethernet0
> > ip address 10.0.0.1 255.0.0.0
> > ip access-group in1 in
> > ip access-group out1 out
> >
> >ip access-list extended in1
> > evaluate mytest
> >
> >ip access-list extended out1
> > permit tcp any any reflect mytest timeout 120
> >
> >
> >
> >If I remove ACL in R1-e0, I can Telnet R2
> >
> >interface Ethernet0
> > ip address 10.0.0.1 255.0.0.0
> >!
> >
> >r1#telnet 10.0.0.2
> >Trying 10.0.0.2 ... Open
> >
> >
> >User Access Verification
> >
> >Password:
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
>



This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:59 GMT-3