From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Apr 05 2005 - 09:17:22 GMT-3
Mani,
UDP and TCP traceroute cannot be reflected because they send UDP/TCP out and expect ICMP back. Other forms of ICMP, such as PING, can be reflected because it sends ICMP out and expects ICMP back. Try it out on the command line and see what the behavior is.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
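To make Brian's point concrete, here is a small Python model of how a reflexive ACL decides what to let back in. It is an added example written for this archive page, not IOS code and not from Internetwork Expert; the addresses and ports are constructed, and the ICMP reflected entry is modelled as address-only (a simplification of what IOS installs, and an assumption here). Entry timeouts are not modelled. It shows why the echo reply of a ping matches the reflected entry while the time-exceeded and port-unreachable replies of a UDP traceroute do not, so the INBOUND list needs the explicit ICMP lines from the thread.

```python
"""Model of a Cisco-style reflexive ACL (illustrative, not IOS code)."""
from dataclasses import dataclass

INSIDE = "133.13.1.1"   # constructed host on the 133.13.0.0/16 network
TARGET = "4.2.2.2"      # constructed traceroute / ping destination
HOP = "10.0.0.1"        # constructed intermediate router that answers with time-exceeded


@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # L4 ports; left at 0 for icmp
    dport: int = 0
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", "port-unreachable"


class ReflexiveList:
    """Temporary entries created by 'reflect MYREF' on the OUTBOUND list."""

    def __init__(self):
        self.entries = set()

    def reflect(self, p):
        # Mirror the outbound packet: same protocol, addresses and ports swapped.
        # The entry is keyed on protocol, so a UDP probe only ever mirrors UDP.
        self.entries.add((p.proto, p.dst, p.src, p.dport, p.sport))

    def evaluate(self, p):
        # 'evaluate MYREF': does this inbound packet match a reflected entry?
        return (p.proto, p.src, p.dst, p.sport, p.dport) in self.entries


def inbound_permitted(p, refl, explicit_icmp):
    """The INBOUND list from the thread: static entries first, then 'evaluate MYREF'.

    Returns the name of the entry that permitted the packet, or None for the
    implicit deny at the end of the list.
    """
    if p.proto == "udp" and p.dport == 520:                       # permit udp any any eq rip
        return "rip"
    if p.proto == "tcp" and 179 in (p.sport, p.dport):            # permit tcp any any eq bgp (both ways)
        return "bgp"
    if explicit_icmp and p.proto == "icmp" and p.icmp_type in ("time-exceeded", "port-unreachable"):
        return "icmp-static"                                       # the two extra lines Mani asks about
    if refl.evaluate(p):                                           # evaluate MYREF
        return "reflected"
    return None


def run_ping():
    """ICMP out, ICMP back: the echo reply matches the reflected entry."""
    refl = ReflexiveList()
    refl.reflect(Pkt("icmp", INSIDE, TARGET, icmp_type="echo"))
    return {
        "echo-reply": inbound_permitted(Pkt("icmp", TARGET, INSIDE, icmp_type="echo-reply"), refl, False),
        # An unsolicited ping from a third host never gets a reflected entry.
        "unsolicited-echo": inbound_permitted(Pkt("icmp", "5.5.5.5", INSIDE, icmp_type="echo"), refl, False),
    }


def run_traceroute(explicit_icmp):
    """UDP out, ICMP back: the reflected UDP entry never matches the ICMP replies."""
    refl = ReflexiveList()
    refl.reflect(Pkt("udp", INSIDE, TARGET, sport=40000, dport=33434))  # first traceroute probe
    return {
        "time-exceeded": inbound_permitted(
            Pkt("icmp", HOP, INSIDE, icmp_type="time-exceeded"), refl, explicit_icmp),
        "port-unreachable": inbound_permitted(
            Pkt("icmp", TARGET, INSIDE, icmp_type="port-unreachable"), refl, explicit_icmp),
    }


if __name__ == "__main__":
    print("ping:", run_ping())
    print("traceroute, reflect only:", run_traceroute(explicit_icmp=False))
    print("traceroute, with static icmp lines:", run_traceroute(explicit_icmp=True))
```

Without the two static ICMP lines both traceroute replies fall through to the implicit deny, which is the behaviour the thread describes; with them, they are permitted by the static entries and never need the reflexive list at all. The reflected ICMP entry still earns its keep for ping, and it is narrower than "permit icmp any any" because only the host that was pinged gets to answer.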
________________________________________
From: mani poopal [mailto:mani_ccie@yahoo.com]
Sent: Tuesday, April 05, 2005 6:38 AM
To: Brian McGahan; Jim; Jongsoo kim
Cc: ccielab@groupstudy.com
Subject: RE: REFLEXIVE access-list QUESTION
Brian,
I thought ICMP traffic cannot be reflected, e.g. a traceroute from inside (which uses UDP as the source and gets ICMP as the reply). So, assuming we are reflecting ICMP, and unless asked in the question, do we need "permit icmp any any port-unreachable" and "permit icmp any any time-exceeded"?
P.S.: I am going through your workbook again. Good concepts, and I might ask lots of doubts.
thanks
Mani
Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
Mani,
If you are going to "permit icmp any any" inbound what's the
point of reflecting it outbound?
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> mani poopal
> Sent: Monday, April 04, 2005 1:14 PM
> To: Jim; Jongsoo kim
> Cc: ccielab@groupstudy.com
> Subject: Re: REFLEXIVE access-list QUESTION
>
> Hi Group,
>
> So what is the correct configuration: are we going to reflect icmp and
> allow icmp port-unreachable & time-exceeded explicitly inbound, or allow
> icmp any any explicitly inbound? In the IEWB labs they permit
> unreachables/time-exceeded. Any comments from Brian, Scott, Bob, Bruse,
> Tim and others are welcome
>
> thanks
>
> Mani
>
> Jim wrote:
> anyway, you need to permit time-exceeded & port-unreachable to let
> traceroute work properly.
>
> ----- Original Message -----
> From: "Jongsoo kim"
> To: "mani poopal"
> Cc:
> Sent: Monday, April 04, 2005 1:35 PM
> Subject: Re: REFLEXIVE access-list QUESTION
>
>
> > Mani
> >
> > My gut feeling says you don't need "permit icmp any any".
> > I believe your reflexive ACL can track traceroute initiated from
> > 133.13.0.0.
> > Don't quote me on it 100%.
> >
> >
> > Jongsoo
> >
> >
> > On Apr 4, 2005 1:38 AM, mani poopal wrote:
> >> Hi Group,
> >>
> >> Can we make icmp traffic be reflected? (I think you cannot reflect
> >> traceroute initiated from inside.) If a question asks to allow only
> >> traffic originated from your network 133.13.0.0 for tcp, udp and icmp
> >> traffic to come back, what is the correct statement?
> >> =================================
> >> Extended IP access list INBOUND
> >> permit udp any any eq rip
> >> permit tcp any any eq bgp
> >> permit tcp any eq bgp any
> >> permit icmp any any <--------- DO WE NEED THIS OR THE STATEMENT IN 3 BELOW?
> >> evaluate MYREF
> >> Extended IP access list OUTBOUND
> >> permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
> >> interface FastEthernet0/0
> >> ip access-group INBOUND in
> >> ip access-group OUTBOUND out
> >> ========================================
> >> ASSUMPTION: running rip and ospf.
> >> 1. Do we have to reflect icmp?
> >> 2. Do we have to just allow icmp without reflection?
> >> 3. If we reflect icmp, for inbound do we need "permit icmp any any" OR
> >> "permit icmp any any time-exceeded" & "permit icmp any any
> >> port-unreachable" (needed for traceroute)?
> >>
> >> Any suggestions are appreciated.
> >>
> >> thanks
> >>
> >> Mani
> >>
> >> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> >> (416)431 9929
> >> MANI_CCIE@YAHOO.COM
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:52 GMT-3