RE: Reflexive access-list

From: Nawaz, Ajaz (Ajaz.Nawaz@bskyb.com)
Date: Fri Oct 07 2005 - 03:52:51 GMT-3


From the URL:

"Where to Configure Reflexive Access Lists"

Configure reflexive access lists on border routers (routers that pass traffic
between an internal and external network). Often, these are firewall routers.

----------------------------------------------------------------------------
Note: In this chapter, the words "within your network" and "internal
network" refer to a network that is controlled (secured), such as your
organization's intranet, or to a part of your organization's internal
network that has higher security requirements than another part. "Outside
your network" and "external network" refer to a network that is uncontrolled
(unsecured) such as the Internet or to a part of your organization's network
that is not as highly secured.

----------------------------------------------------------------------------

hth
Ajaz Nawaz

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jian
Gu
Sent: 06 October 2005 17:59
To: mani poopal
Cc: dusth@comcast.net; ccielab@groupstudy.com; Scott Morris
Subject: Re: Reflexive access-list

Mani,

Your statement is not true; depending on your network topology, a reflexive ACL
can be configured both inbound and outbound. This is clearly explained in
the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm
Jian

On 10/6/05, mani poopal <mani_ccie@yahoo.com> wrote:
>
> Hi
>
> I think there is something wrong in the config. Always reflect (put a
> seal) for outbound traffic (which should be permitted) and evaluate the
> same traffic (reflected) in the inbound direction. In your config you are
> reflecting inbound (in_filters) and it could be wrong. In the inbound
> direction permit whatever interesting traffic (ping, ospf, bgp etc) and
> finally give the evaluate XXXX command. In the outbound access-list you can
> define traffic to be reflected, and any traffic defined without the reflect
> keyword cannot come back. Hope this helps.
>
>
> Mani
>
> dusth@comcast.net wrote:
> Hi all, I'm reading the Cisco Press CCIE Routing and Switching Practice
> Labs by Martin Duggan and Maurilio Gorito. Lab 5 says to allow BGP and
> any other traffic, and here is the config in the book:
> ip access-list extended in_filters
> permit tcp any any reflect TCP_Traffic
> ip access-list extended out_filters
> permit tcp any any eq bgp
> permit pim any any
> permit icmp any any
> interface atm3/0
> ip access-group in_filters in
> ip access-group out_filters out
> I just wonder why the in access-list only reflects TCP traffic but not
> others. Is other traffic implicitly denied? Or is other traffic
> just not reflected?
>
> Thanks for any explanation.
>
> dustin
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> B.ENG,MCSE,CCNP,CCSP,CCIE#14645
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
>
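For reference, here is the lab-5 config rearranged the way Mani describes (reflect outbound, evaluate inbound). This is an added example, not the book's config and not from any poster; it assumes atm3/0 faces the external network, so "out" is inside-to-outside, and keeps the hypothetical list names from the thread.

```cisco
! Outbound (inside -> outside): reflect the TCP sessions the inside opens.
! Each match creates a temporary entry in TCP_Traffic with source and
! destination addresses/ports swapped, matching only the return packets.
ip access-list extended out_filters
 permit tcp any any reflect TCP_Traffic
 permit pim any any
 permit icmp any any
!
! Inbound (outside -> inside): explicitly permit what the outside is allowed
! to initiate, then evaluate the reflected entries. The implicit deny at the
! end drops everything else, so replies to a session that was never
! reflected cannot come back in.
ip access-list extended in_filters
 permit tcp any any eq bgp
 permit pim any any
 permit icmp any any
 evaluate TCP_Traffic
!
interface atm3/0
 ip access-group in_filters in
 ip access-group out_filters out
!
! Optional: global idle timeout for reflected entries, in seconds
! (the IOS default is 300).
ip reflexive-list timeout 120
!
! Caveat: outbound ACLs do not process packets the router itself originates,
! so a BGP session this router opens is never reflected. Its return packets
! (source port 179) would need an explicit "permit tcp any eq bgp any" in
! in_filters, which is why the book permits BGP statically rather than
! relying on reflection.
```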



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:49 GMT-3