From: Ashok CCIE (ashokma_ccie@yahoo.co.in)
Date: Sat Jul 30 2005 - 10:36:33 GMT-3
I am also facing the same issue here. May I know the solution?
My config and topology is as follows:
R1 ---(eo) R2 --- R5
I am pinging R1 from R2 first and then try to ping R5 from R1.
Configs are:
~~~~
R2#
ip access-list extended incom
 permit ospf any any
 permit pim any any
 permit igmp any any
 evaluate ICMP
 evaluate TCP_TRA
ip access-list extended outbound
 permit tcp any any reflect TCP_TRA
 permit icmp any any reflect ICMP
 permit icmp any any echo reflect ICMP
 permit icmp any any echo-reply reflect ICMP
interface Ethernet0
 ip address 172.30.12.2 255.255.255.192
 ip access-group incom in
 ip access-group outbound out
 ip pim sparse-mode
end
R2#
~~~~
R5#ping 192.168.1.1 source 192.168.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/76 ms
R5# 
R2#sh access-lists
Reflexive IP access list ICMP
    permit icmp host 192.168.1.1 host 192.168.5.5  (10 matches) (time left 118)
Reflexive IP access list TCP_TRA
Extended IP access list incom
    permit ospf any any (440 matches)
    permit pim any any (143 matches)
    permit igmp any any (142 matches)
    evaluate ICMP
    evaluate TCP_TRA
Extended IP access list outbound
    permit tcp any any reflect TCP_TRA
    permit icmp any any reflect ICMP
    permit icmp any any echo reflect ICMP
    permit icmp any any echo-reply reflect ICMP
R2#
Now ping from R1
R1#ping 192.168.5.5 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
U.U.U
Success rate is 0 percent (0/5)
R1#
Why is this so?
Thanks & Regards, 
Ashok M A 
-----Original Message-----
From: nobody@groupstudy.com
[mailto:nobody@groupstudy.com] On Behalf Of Carlos G
Mendioroz
Sent: Monday, June 07, 2004 9:05 PM
To: John Underhill
Cc: Nancy Khln; ccielab@groupstudy.com
Subject: Re: Reflexive!
That would be too much info for reflexive ACLs.
(sessions that is)
What seems to be happening is that the reflexive list not only contains
the protocol (icmp), source and destination, but also the icmp code that
is "open" by the reflect.
I tested that even though the ping (icmp echo) cannot pass during the
hole's lifetime, an icmp echo-response can.
No doubt, reflect is more complex than it seems...
John Underhill wrote:
> I think the reflexive access list is evaluating against a session
> initiated from inside the network during the echo exchange. When you
> are pinging the router from outside the network, it is not the same
> session, but one originated from a different source, evaluated, and
> discarded because ICMP is not permitted on the inbound access list.
> 
> ----- Original Message -----
> From: "Nancy Khln" <nancy_merill@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, June 05, 2004 2:09 PM
> Subject: Reflexive!
> 
>>Hi,
>>
>>Couple of questions regarding Reflexive ACL, here is the scenario:
>>
>>R1-s0(11.11.11.2)-----s1--R2--e0-----BB3---l0(51.1.1.1)---
>>
>>For testing reasons, I am running RIP&BGP between R2 and BB3. Before I
>>configured my Reflexive ACLs I was able to ping everything from
>>everywhere; once the Reflexive ACLs are in place, I am able to ping BB3
>>from R1, as traffic leaving the network is "reflected" into the state table.
>>
>>The ICMP traffic, when it tries to come back in, is "evaluated" to see if
>>there is a previous entry in the state table; it finds the entry, it goes
>>through and the ping is successful. Am I correct?
>>
>>R1#ping 51.1.1.1
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 51.1.1.1, timeout is 2 seconds:
>>!!!!!
>>Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 m
>>
>>Now from BB3 I am trying to ping R1's s0; I was expecting to get a
>>response since there is a previously created entry in the table. It
>>DOES NOT; I am getting unreachable.
>>
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
>>U.U.U
>>Success rate is 0 percent (0/5)
>>
>>Here is R2's config
>>
>>interface Ethernet0/0
>> ip address 14.14.14.1 255.255.255.0
>> ip access-group INBOUND in
>> ip access-group OUTBOUND out
>>!
>>Extended IP access list INBOUND
>>    permit udp any any (104 matches)
>>    permit tcp any any (68 matches)
>>    evaluate TRAFFIC
>>    deny ip any any (44 matches)
>>Extended IP access list OUTBOUND
>>    permit udp any any reflect TRAFFIC
>>    permit tcp any any reflect TRAFFIC
>>    permit icmp any any reflect TRAFFIC
>>Reflexive IP access list TRAFFIC
>>    permit icmp host 51.1.1.1 host 11.11.11.2  (11 matches) (time left 158)
>>
>>R2#
>>As long as I have this temporary entry in the state table I should be
>>able to ping 11.11.11.2 from BB3. Am I correct? I should not be allowed to
>>ping anything else on the network from BB3. From R2 I am not able to ping
>>BB3; this is OK, the OUTBOUND list doesn't affect locally generated packets.
>>
>>Do I need to add permit ICMP in the INBOUND list!!!!!! This would
>>defeat its purpose, wouldn't it? and allow everything to go through.....
>>
>>Please advise.
>>Thank you
>>Nancy
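A small Python model of the behaviour the thread observes, added here as an illustration (not code from the list, from Cisco IOS, or from any poster): an outbound packet matching a `reflect` line opens a mirrored state entry, and `evaluate` admits inbound packets only if they match it. The ICMP rule is an assumption drawn from Carlos's test, that the entry opened by an echo admits the echo-reply but not a fresh inbound echo; the addresses are Ashok's R1/R5 scenario.

```python
# Didactic model of a reflexive ACL state table (assumption: simplified,
# not the real IOS implementation). Entries are keyed on the mirrored
# (proto, src, dst, icmp_type, sport, dport) tuple of the outbound packet.
from dataclasses import dataclass

# Assumption: an outbound ICMP request opens the hole only for its reply type.
ICMP_REPLY_OF = {"echo": "echo-reply"}


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: str = ""   # only meaningful for icmp
    sport: int = 0        # only meaningful for tcp/udp
    dport: int = 0


class ReflexiveAcl:
    def __init__(self):
        self.entries = set()   # mirrored tuples the state table will admit inbound

    def reflect(self, pkt):
        """Outbound packet matched a 'reflect' line: open the mirrored entry."""
        if pkt.proto == "icmp":
            reply = ICMP_REPLY_OF.get(pkt.icmp_type)
            if reply:
                self.entries.add(("icmp", pkt.dst, pkt.src, reply, 0, 0))
        else:
            self.entries.add((pkt.proto, pkt.dst, pkt.src, "", pkt.dport, pkt.sport))

    def evaluate(self, pkt):
        """Inbound packet checked by an 'evaluate' line; True if admitted."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.icmp_type, pkt.sport, pkt.dport)
        return key in self.entries


def thread_scenario():
    """Replays the thread: R5 pings R1 through R2 (works), then R1 pings R5 (fails)."""
    acl = ReflexiveAcl()
    # 1. R5 -> R1 echo leaves R2's e0 via 'outbound' and is reflected.
    acl.reflect(Packet("icmp", "192.168.5.5", "192.168.1.1", "echo"))
    # 2. R1's echo-reply comes back in through 'incom': matches the entry.
    reply_ok = acl.evaluate(Packet("icmp", "192.168.1.1", "192.168.5.5", "echo-reply"))
    # 3. R1 now sends its own echo to R5: same hosts, different ICMP type, so the
    #    entry does not admit it and 'incom' has no explicit icmp permit -> U.U.U
    echo_ok = acl.evaluate(Packet("icmp", "192.168.1.1", "192.168.5.5", "echo"))
    return reply_ok, echo_ok
```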
                
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:32 GMT-3