From: mani poopal (mani_ccie@yahoo.com)
Date: Mon Apr 04 2005 - 15:13:55 GMT-3
Hi Group,
So what is the correct configuration: are we going to reflect icmp and allow icmp port-unreachable & time-exceeded explicitly inbound, or allow icmp any any explicitly inbound? In the IEWB labs they permit unreachables/time-exceeded. Any comments from Brian, Scott, Bob, Bruse, Tim and others are welcome.
thanks
Mani
Jim <quangnn@hptvietnam.com.vn> wrote:
anyway, you need to permit time-exceeded & port-unreachable to let
traceroute work properly.
----- Original Message -----
From: "Jongsoo kim"
To: "mani poopal"
Cc:
Sent: Monday, April 04, 2005 1:35 PM
Subject: Re: REFLEXIVE access-list QUESTION
> Mani
>
> My gut feeling says you don't need "permit icmp any any".
> I believe your reflexive ACL can track traceroute initiated from
> 133.13.0.0.
> Don't quote me on it 100%.
>
>
> Jongsoo
>
>
> On Apr 4, 2005 1:38 AM, mani poopal wrote:
>> Hi Group,
>>
>> Can we make icmp traffic be reflected? (I think you cannot reflect
>> traceroute initiated from inside.) If a question asks to allow only
>> traffic originated from your network 133.13.0.0 for tcp, udp and icmp
>> traffic to come back, what is the correct statement?
>> =================================
>> Extended IP access list INBOUND
>> permit udp any any eq rip
>> permit tcp any any eq bgp
>> permit tcp any eq bgp any
>> permit icmp any any <--------- DO WE NEED THIS, OR STATEMENT 3 BELOW?
>> evaluate MYREF
>> Extended IP access list OUTBOUND
>> permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
>> permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
>> permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
>> interface FastEthernet0/0
>> ip access-group INBOUND in
>> ip access-group OUTBOUND out
>> ========================================
>> ASSUMPTION: running rip and ospf.
>> 1. Do we have to reflect icmp?
>> 2. Do we have to just allow icmp without reflection?
>> 3. If we reflect icmp, for inbound do we need permit icmp any any, OR
>> permit icmp any any time-exceeded & permit icmp any any
>> port-unreachable (needed for traceroute)?
>>
>> Any suggestions are appreciated.
>>
>> thanks
>>
>> Mani
>>
>> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
>> (416)431 9929
>> MANI_CCIE@YAHOO.COM
>>
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
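Putting the thread's suggestion into one concrete configuration, as an added example (this is not Mani's posted config and not from any of the repliers, and the IEWB answer is only what Mani reports above): the reflect entries for tcp, udp and icmp stay as posted, and the two ICMP messages that traceroute depends on are permitted explicitly ahead of the evaluate line. The reason is the protocol mismatch: an IOS traceroute from inside sends UDP probes, the reflexive entry is built from that UDP packet (udp, source/destination address and port), and the answers come back as ICMP time-exceeded from intermediate hops and port-unreachable from the final hop, so they never match the UDP session entry. The network 133.13.0.0/16, the list names INBOUND/OUTBOUND/MYREF, the routing-protocol permits and FastEthernet0/0 are taken from the original post; everything else is assumed.

```cisco
! Added example, not from the original post. Assumes the addressing, list
! names and interface from Mani's question; the RIP/BGP permits are kept
! as he posted them. If OSPF also runs on this interface it needs its own
! permit (permit ospf any any), which the posted config did not have.
!
ip access-list extended OUTBOUND
 remark sessions leaving 133.13.0.0/16 create entries in MYREF
 permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
 permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
 permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
!
ip access-list extended INBOUND
 remark routing protocols, as in the original post
 permit udp any any eq rip
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 remark traceroute replies are ICMP, not UDP, so the reflected UDP entry
 remark cannot match them; permit them explicitly, before evaluate
 permit icmp any 133.13.0.0 0.0.255.255 time-exceeded
 permit icmp any 133.13.0.0 0.0.255.255 port-unreachable
 remark return traffic for tcp/udp/icmp sessions initiated from inside
 evaluate MYREF
!
interface FastEthernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

The explicit permits are scoped to destinations inside 133.13.0.0/16 rather than "any any", so the list still admits nothing that was not solicited from inside. To check it, run a traceroute from an inside host and then "show access-lists MYREF": the temporary udp entry created by the probe is listed there, and the hit counters on the two icmp lines in INBOUND, not on the reflexive entry, increment as the hops answer.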
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3