RE: REFLEXIVE access-list QUESTION

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Apr 05 2005 - 10:07:33 GMT-3


Simon,

        Actually locally generated traffic is not reflected, and hence
must be manually permitted back in (unless local policy routing is
used). Here are some previous threads you can reference on this topic:

http://www.groupstudy.com/archives/ccielab/200311/msg01170.html

http://www.groupstudy.com/archives/ccielab/200309/msg00263.html

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: simon hart [mailto:simon.hart@btinternet.com]
> Sent: Tuesday, April 05, 2005 7:33 AM
> To: mani poopal; Brian McGahan; Jim; Jongsoo kim
> Cc: ccielab@groupstudy.com
> Subject: RE: REFLEXIVE access-list QUESTION
>
> Hi Mani,
>
> Looks like my last email was incorrect in relation to Traceroute. Refer to
> Brian's.
>
> However I think the point on locally generated ICMP traffic holds for
> stuff such as Ping.
>
> Apologies
>
> Simon
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> mani poopal
> Sent: 05 April 2005 12:38
> To: Brian McGahan; Jim; Jongsoo kim
> Cc: ccielab@groupstudy.com
> Subject: RE: REFLEXIVE access-list QUESTION
>
>
> Brian,
>
> I thought icmp traffic cannot be reflected, e.g. traceroute from
> inside (uses udp as source and the reply is icmp). So, assuming we are
> reflecting icmp, and unless asked in the question, do we need "permit
> icmp any any port-unreachable" and "permit icmp any any time-exceeded"?
> P.S: I am going through your workbook again. Good concepts, and I might
> ask lots of doubts.
>
> thanks
>
> Mani
>
> Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
> Mani,
>
> If you are going to "permit icmp any any" inbound what's the
> point of reflecting it outbound?
>
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > mani poopal
> > Sent: Monday, April 04, 2005 1:14 PM
> > To: Jim; Jongsoo kim
> > Cc: ccielab@groupstudy.com
> > Subject: Re: REFLEXIVE access-list QUESTION
> >
> > Hi Group,
> >
> > So what is the correct configuration: are we going to reflect icmp and
> > allow icmp port-unreachable & time-exceeded explicitly inbound, or allow
> > icmp any any explicitly inbound? In the IEWB labs they permit
> > unreachables/time-exceeded. Any comments from Brian, Scott, Bob, Bruse,
> > Tim and others are welcome.
> >
> > thanks
> >
> > Mani
> >
> > Jim wrote:
> > anyway, you need to permit time-exceeded & port-unreachable to let
> > traceroute work properly.
> >
> > ----- Original Message -----
> > From: "Jongsoo kim"
> > To: "mani poopal"
> > Cc:
> > Sent: Monday, April 04, 2005 1:35 PM
> > Subject: Re: REFLEXIVE access-list QUESTION
> >
> >
> > > Mani
> > >
> > > My gut feeling says you don't need "permit icmp any any".
> > > I believe your reflexive ACL can track traceroute initiated from
> > > 133.13.0.0.
> > > Don't quote me on it 100%.
> > >
> > >
> > > Jongsoo
> > >
> > >
> > > On Apr 4, 2005 1:38 AM, mani poopal wrote:
> > >> Hi Group,
> > >>
> > >> Can we make icmp traffic be reflected (I think you cannot reflect
> > >> traceroute initiated from inside)? If a question asks to allow only
> > >> traffic originated from your network 133.13.0.0 for tcp, udp and icmp
> > >> traffic to come back, what is the correct statement?
> > >> =================================
> > >> Extended IP access list INBOUND
> > >> permit udp any any eq rip
> > >> permit tcp any any eq bgp
> > >> permit tcp any eq bgp any
> > >> permit icmp any any <--------- DO WE NEED THIS, OR STATEMENT 3 BELOW?
> > >> evaluate MYREF
> > >> Extended IP access list OUTBOUND
> > >> permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
> > >> permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
> > >> permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
> > >> interface FastEthernet0/0
> > >> ip access-group INBOUND in
> > >> ip access-group OUTBOUND out
> > >> ========================================
> > >> ASSUMPTION: running rip and ospf.
> > >> 1. Do we have to reflect icmp?
> > >> 2. Do we have to just allow icmp without reflection?
> > >> 3. If we reflect icmp, for inbound do we need "permit icmp any any" OR
> > >> "permit icmp any any time-exceeded" & "permit icmp any any
> > >> port-unreachable" (needed for traceroute)?
> > >>
> > >> Any suggestions are appreciated.
> > >>
> > >> thanks
> > >>
> > >> Mani
> > >>
> > >> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> > >> (416)431 9929
> > >> MANI_CCIE@YAHOO.COM
> > >>
> > >>
> > >>
> > >>
>
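The configuration below is an added example, not Brian's or anyone else's from the thread. It reuses the ACL names, the 133.13.0.0/16 network and the RIP/BGP lines from Mani's original post, and puts the thread's two conclusions into one working IOS configuration: transit sessions from the inside are reflected and returned through `evaluate`, while replies to traffic the router itself generates (which never get a reflexive entry) and the ICMP messages traceroute depends on are permitted explicitly instead of with a blanket `permit icmp any any`. The `echo-reply` line (for pings sourced from the router) and the reflexive timeout value are assumptions added here, not taken from the page.

```cisco
! Idle timeout for temporary reflected entries (constructed value, not from the thread)
ip reflexive-list timeout 120
!
ip access-list extended OUTBOUND
 ! Transit traffic sourced from 133.13.0.0/16 creates temporary mirror entries in MYREF
 permit tcp 133.13.0.0 0.0.255.255 any reflect MYREF
 permit udp 133.13.0.0 0.0.255.255 any reflect MYREF
 permit icmp 133.13.0.0 0.0.255.255 any reflect MYREF
 ! Packets the router itself originates (ping, traceroute, BGP from this box)
 ! are not reflected (the thread notes local policy routing as the only
 ! alternative), so their replies are handled explicitly on the inbound side.
!
ip access-list extended INBOUND
 ! Routing protocol and BGP peering, as in the original question
 permit udp any any eq rip
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 ! Replies to router-originated traffic have no reflexive entry, so they are
 ! listed here by message type. time-exceeded and port-unreachable are also
 ! what traceroute needs: a reflected UDP probe only mirrors UDP, never the
 ! ICMP errors that come back for it.
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 ! NOT "permit icmp any any": that would make reflecting icmp outbound pointless
 ! Everything else returns only if a 133.13.0.0/16 session created an entry
 evaluate MYREF
 ! implicit deny ip any any
!
interface FastEthernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

To check the behaviour the thread describes, open a TCP or UDP session from a host in 133.13.0.0/16 and run `show ip access-lists MYREF`: the temporary mirror entry appears with its remaining timeout. Ping or traceroute from the router itself and look again: no entry is created, which is exactly why the three explicit ICMP lines sit above `evaluate MYREF` rather than relying on reflection.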



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:53 GMT-3