From: gladston@br.ibm.com
Date: Sat Oct 30 2004 - 11:57:57 GMT-3
If the task says to apply a reflexive list on R6-atm3/0 internal interface, and R6 is connected to the remote router BB through ATM, I figure out that R6 is the internal router and BB is the external router.
But I must be missing something. I do not agree with the direction used on the Lab5 CiscoPress.
I read a thread some time ago in GroupStudy about this (http://www.groupstudy.com/archives/cisco/200409/msg00117.html) (and thanks John Matijevic for the Ten Tips). What is not clear to me is the direction used.
R6(atm)--------(atm)BB
If R6 (atm) is internal, R6 packets going out of R6 should be reflected (analysed to open holes in the opposite direction).
Or I am misunderstanding it and the wording means the opposite side (BB) is the internal network. If so, why use a reflexive list on R6? (OK, the lab question is not intended to make real sense.)
The solution used on the book is:
R6
int atm 3/0
ip access-group in-filters in
ip access-group out-filters out
!
ip access-list extended in-filters
permit tcp any any reflect tcp-traffic
!
ip access-list extended out-filters
permit tcp any any eq bgp
permit pim any any
permit icmp any any
deny ip any any
evaluate tcp-traffic
(you can see there is an error: "evaluate tcp-traffic" comes after "deny ip any any", but that is not the subject of this thread).
What I think would be right, considering R6-atm the internal interface is:
R6
int atm 3/0
ip access-group in-filters in
ip access-group out-filters out
!
ip access-list extended out-filters
permit tcp any any reflect tcp-traffic
permit pim any any
permit icmp any any
!
ip access-list extended in-filters
evaluate tcp-traffic
permit icmp any any
permit pim any any
permit tcp any any eq bgp
But the wording on the task is confusing me; if R6-atm is the internal interface, the external interface would be R6 ethernet, and in that case the solution used on the lab makes sense. Any help?
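As an added illustration (not from this post or the CiscoPress lab): a small Python model of how IOS walks a reflexive ACL, with entries written as tuples, pim left out, and constructed 10.0.0.x addresses, used to run one TCP session through both orderings above and see which side's session gets mirrored.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# One packet as a 5-tuple (addresses in this file are constructed, not from the lab).
Pkt = namedtuple("Pkt", "proto src sport dst dport")


@dataclass
class Router:
    # reflexive ACL name -> mirrored 5-tuples (the temporary entries IOS creates)
    sessions: dict = field(default_factory=dict)

    def check(self, acl, pkt):
        """First matching entry wins; implicit 'deny ip any any' at the end."""
        for entry in acl:
            action, proto = entry[0], entry[1]
            if action == "evaluate":
                if pkt in self.sessions.get(proto, set()):
                    return True          # return traffic of a reflected session
                continue                 # no session yet: keep walking the list
            if proto not in ("ip", pkt.proto):
                continue
            if len(entry) == 4 and entry[2] == "eq" and pkt.dport != entry[3]:
                continue
            if action == "deny":
                return False
            if action == "reflect":      # permit and record the reverse flow
                mirror = Pkt(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                self.sessions.setdefault(entry[2], set()).add(mirror)
            return True
        return False


# Poster's proposal: reflect on the outbound list, evaluate first on the inbound list.
OUT_POSTER = [("reflect", "tcp", "tcp-traffic"), ("permit", "icmp")]
IN_POSTER = [("evaluate", "tcp-traffic"), ("permit", "icmp"), ("permit", "tcp", "eq", 179)]
# Book's lists as transcribed in the post: evaluate sits after "deny ip any any".
IN_BOOK = [("reflect", "tcp", "tcp-traffic")]
OUT_BOOK = [("permit", "tcp", "eq", 179), ("permit", "icmp"), ("deny", "ip"), ("evaluate", "tcp-traffic")]


def session(out_acl, in_acl, r6_initiates):
    """One TCP session on atm3/0; returns (first packet permitted, return packet permitted)."""
    r, r6, bb = Router(), "10.0.0.6", "10.0.0.1"
    if r6_initiates:             # leaves R6 via atm3/0, reply comes back in
        fwd = r.check(out_acl, Pkt("tcp", r6, 40000, bb, 23))
        ret = fwd and r.check(in_acl, Pkt("tcp", bb, 23, r6, 40000))
    else:                        # BB opens the session toward R6
        fwd = r.check(in_acl, Pkt("tcp", bb, 40000, r6, 23))
        ret = fwd and r.check(out_acl, Pkt("tcp", r6, 23, bb, 40000))
    return fwd, ret
```

With the poster's ordering an R6-originated session and its reply both pass while a BB-originated one is dropped; with the book's ordering as transcribed the reply never reaches the evaluate entry behind the deny.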
This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:54 GMT-3