From: Carlos G Mendioroz (tron@huapi.ba.ar)
Date: Sat Jul 30 2005 - 11:10:51 GMT-3
As I said, the hole only lets icmp echo responses back. You are trying
to send icmp echo through the hole from the outside. No go :)
Ashok CCIE wrote:
> I am also facing same issue here. May I know the
> solution here?
>
> My config and topology is as follows:
>
> R1 ---(eo) R2 --- R5
>
> I am pinging R1 from R2 first and then try to ping R5
> from R1.
>
> Configs are:
> ~~~~
> R2#
> ip access-list extended incom
> permit ospf any any
> permit pim any any
> permit igmp any any
> evaluate ICMP
> evaluate TCP_TRA
>
> ip access-list extended outbound
> permit tcp any any reflect TCP_TRA
> permit icmp any any reflect ICMP
> permit icmp any any echo reflect ICMP
> permit icmp any any echo-reply reflect ICMP
>
> interface Ethernet0
> ip address 172.30.12.2 255.255.255.192
> ip access-group incom in
> ip access-group outbound out
> ip pim sparse-mode
> end
>
> R2#
> ~~~~
>
> R5#ping 192.168.1.1 source 192.168.5.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
> Packet sent with a source address of 192.168.5.5
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/76 ms
> R5#
>
> R2#sh access-lists
> Reflexive IP access list ICMP
> permit icmp host 192.168.1.1 host 192.168.5.5 (10
> matches) (time left 118)
> Reflexive IP access list TCP_TRA
> Extended IP access list incom
> permit ospf any any (440 matches)
> permit pim any any (143 matches)
> permit igmp any any (142 matches)
> evaluate ICMP
> evaluate TCP_TRA
> Extended IP access list outbound
> permit tcp any any reflect TCP_TRA
> permit icmp any any reflect ICMP
> permit icmp any any echo reflect ICMP
> permit icmp any any echo-reply reflect ICMP
> R2#
>
>
> Now ping from R1
>
> R1#ping 192.168.5.5 source 192.168.1.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
> Packet sent with a source address of 192.168.1.1
> U.U.U
> Success rate is 0 percent (0/5)
> R1#
>
> Why is this so?
>
>
>
> Thanks & Regards,
>
> Ashok M A
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of Carlos G
> Mendioroz
> Sent: Monday, June 07, 2004 9:05 PM
> To: John Underhill
> Cc: Nancy Khln; ccielab@groupstudy.com
> Subject: Re: Reflexive!
>
> That would be too much info for reflexive ACLs.
> (sessions that is)
>
> What seems to be happening is that the reflexive list
> not only contains the protocol (icmp) source and
> destination, but also the icmp code that is "open" by
> the reflect.
>
> I tested that even though the ping (icmp echo) cannot
> pass during the hole's life, an icmp echo-response can.
> No doubt, reflect is more complex than it seems...
>
> John Underhill wrote:
>
>>I think the reflexive access list is evaluating against a session
>>initiated from inside the network during the echo exchange. When you
>>are pinging the router from outside the network, it is not the same
>>session, but one originated from a different source, evaluated, and
>>discarded because ICMP is not permitted on the inbound access list.
>>
>>----- Original Message -----
>>From: "Nancy Khln" <nancy_merill@yahoo.com>
>>To: <ccielab@groupstudy.com>
>>Sent: Saturday, June 05, 2004 2:09 PM
>>Subject: Reflexive!
>>
>>>Hi,
>>>
>>>Couple of questions regarding Reflexive ACL, here is the scenario:
>>>
>>>R1-s0(11.11.11.2)---------------------s1--R2--e0----------------------BB3---l0(51.1.1.1)---
>>>
>>>For testing reasons, I am running RIP&BGP between R2 and BB3. Before I
>>>configured my Reflexive ACLs I am able to ping everything from
>>>everywhere; once the Reflexive ACLs are in place, I am able to ping BB3
>>>from R1, as traffic is leaving the network it is "reflected" to the
>>>state table. The ICMP traffic, when it tries to come back in, is
>>>"evaluated" to see if there is a previous entry in the state table; it
>>>finds the entry and it goes through, the ping is successful. Am I correct?
>>>
>>>R1#ping 51.1.1.1
>>>Type escape sequence to abort.
>>>Sending 5, 100-byte ICMP Echos to 51.1.1.1, timeout is 2 seconds:
>>>!!!!!
>>>Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 m
>>>
>>>Now from BB3 I am trying to ping R1's s0, I was expecting to get a
>>>response since there is a previously created entry in the table. It
>>>DOES NOT, I am getting unreachable
>>>
>>>Type escape sequence to abort.
>>>Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
>>>U.U.U
>>>Success rate is 0 percent (0/5)
>>>
>>>Here is R2's config
>>>
>>>interface Ethernet0/0
>>>ip address 14.14.14.1 255.255.255.0
>>>ip access-group INBOUND in
>>>ip access-group OUTBOUND out
>>>!
>>>Extended IP access list INBOUND
>>> permit udp any any (104 matches)
>>> permit tcp any any (68 matches)
>>> evaluate TRAFFIC
>>> deny ip any any (44 matches)
>>>Extended IP access list OUTBOUND
>>> permit udp any any reflect TRAFFIC
>>> permit tcp any any reflect TRAFFIC
>>> permit icmp any any reflect TRAFFIC
>>>Reflexive IP access list TRAFFIC
>>> permit icmp host 51.1.1.1 host 11.11.11.2 (11 matches) (time left 158)
>>>R2#
>>>
>>>As long as I have this temporary entry in the state table I should be
>>>able to ping 11.11.11.2 from BB3. Am I correct? I should not be allowed
>>>to ping anything else on the network from BB3; from R2 I am not able to
>>>ping BB3, this is OK, the OUTBOUND list doesn't affect locally generated
>>>packets.
>>>
>>>Do I need to add in the INBOUND list permit ICMP!!!!!! This would
>>>defeat its purpose, wouldn't it? and allow everything to go through.....
>>>
>>>Please advise.
>>>Thank you
>>>Nancy
>
-- Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
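The behaviour Carlos describes (a reflected entry admits only the echo-reply, never a fresh echo from the far side) can be modelled to see why R5's ping succeeds and R1's returns "U.U.U". The following is an added example, not code from the thread or from Cisco IOS: a toy state table whose `reflect` and `evaluate` mirror the `permit ... reflect NAME` and `evaluate NAME` ACL lines. The echo-to-echo-reply pairing stored in each entry is an assumption of this model chosen to match what Carlos reports having tested; the addresses are the ones from Ashok's output, and the TCP ports are constructed.

```python
"""Toy model of how a reflexive ACL opens and matches a "hole".

Added example, not from the thread or from Cisco IOS. Assumption: a
reflected entry records not only protocol, source and destination but
also the ICMP type it was opened for, so an outbound echo opens a hole
that admits only the matching echo-reply.
"""
from dataclasses import dataclass, field
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO = 8

# Reply type expected for an ICMP request type (assumption of the model).
ICMP_REPLY_FOR = {ICMP_ECHO: ICMP_ECHO_REPLY}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0              # TCP source port (ignored for icmp)
    dport: int = 0              # TCP destination port
    icmp_type: Optional[int] = None


@dataclass
class ReflexiveEntry:
    proto: str
    src: str                    # permitted return source (the original dst)
    dst: str                    # permitted return destination (the original src)
    sport: int
    dport: int
    icmp_type: Optional[int]    # the only ICMP type the entry admits
    time_left: int


@dataclass
class ReflexiveACL:
    """State table populated by 'reflect' and consulted by 'evaluate'."""
    timeout: int = 300
    entries: list = field(default_factory=list)

    def reflect(self, pkt: Packet) -> Optional[ReflexiveEntry]:
        """Outbound packet matched a 'permit ... reflect NAME' line: open a
        hole for the mirrored 5-tuple. For ICMP, admit only the reply type;
        an outbound type with no reply (e.g. an echo-reply) opens nothing."""
        if pkt.proto == "icmp":
            reply_type = ICMP_REPLY_FOR.get(pkt.icmp_type)
            if reply_type is None:
                return None
        else:
            reply_type = None
        entry = ReflexiveEntry(pkt.proto, pkt.dst, pkt.src, pkt.dport,
                               pkt.sport, reply_type, self.timeout)
        self.entries.append(entry)
        return entry

    def evaluate(self, pkt: Packet) -> bool:
        """Inbound packet hit an 'evaluate NAME' line: permit only if it is
        the return half of a reflected session, ICMP type included."""
        for e in self.entries:
            if e.time_left <= 0 or e.proto != pkt.proto:
                continue
            if (e.src, e.dst) != (pkt.src, pkt.dst):
                continue
            if pkt.proto == "tcp" and (e.sport, e.dport) != (pkt.sport, pkt.dport):
                continue
            if pkt.proto == "icmp" and e.icmp_type != pkt.icmp_type:
                continue
            return True
        return False


def ashok_scenario() -> dict:
    """Replay the thread's topology with constructed packets:
    R5 (192.168.5.5) pings R1 (192.168.1.1) out of R2's e0, then R1 pings R5."""
    acl = ReflexiveACL()
    acl.reflect(Packet("icmp", "192.168.5.5", "192.168.1.1", icmp_type=ICMP_ECHO))
    return {
        # echo-reply from R1 rides the hole back: "!!!!!" on R5
        "reply_from_r1": acl.evaluate(
            Packet("icmp", "192.168.1.1", "192.168.5.5", icmp_type=ICMP_ECHO_REPLY)),
        # echo from R1 has the right hosts but the wrong type: "U.U.U" on R1
        "echo_from_r1": acl.evaluate(
            Packet("icmp", "192.168.1.1", "192.168.5.5", icmp_type=ICMP_ECHO)),
        # an unrelated inside host never had a hole opened for it
        "reply_from_other": acl.evaluate(
            Packet("icmp", "192.168.1.9", "192.168.5.5", icmp_type=ICMP_ECHO_REPLY)),
    }


def tcp_scenario() -> dict:
    """Same table for TCP: the hole is the exact mirrored port pair."""
    acl = ReflexiveACL()
    acl.reflect(Packet("tcp", "192.168.5.5", "192.168.1.1", sport=40000, dport=23))
    return {
        "telnet_return": acl.evaluate(
            Packet("tcp", "192.168.1.1", "192.168.5.5", sport=23, dport=40000)),
        "new_inbound_telnet": acl.evaluate(
            Packet("tcp", "192.168.1.1", "192.168.5.5", sport=40001, dport=23)),
    }


if __name__ == "__main__":
    for name, permitted in {**ashok_scenario(), **tcp_scenario()}.items():
        print(f"{name}: {'permit' if permitted else 'deny'}")
```

Run it and the ICMP case prints `permit` only for the echo-reply from R1; the echo from R1 is denied even though it matches the entry's hosts, which is exactly the "U.U.U" Ashok and Nancy saw. The TCP case shows the same rule with ports: the hole is the mirror of one outbound connection, not a blanket permit between the two hosts.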
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:32 GMT-3