From: nenad pudar (nenad.pudar@gmail.com)
Date: Sat Nov 26 2005 - 00:50:43 GMT-3
Brian
This is a good point and the answer to why telnet was not working. Ping should
not be working since ICMP is not allowed in the OUTBOUND ACL.
It happens that I have nat configured on the router (also good exercise for
that)
ip nat inside source list 101 interface Loopback1 overload
RTF-R6#sh run interface loopback 8
Building configuration...
Current configuration : 80 bytes
!
interface Loopback8
ip address 192.168.8.1 255.255.255.0
ip nat inside
end
RTF-R6#sh run interface loopback 1
Building configuration...
Current configuration : 65 bytes
!
interface Loopback1
ip address 10.198.10.1 255.255.255.0
end
Extended IP access list 101
permit ip host 192.168.8.1 any time-range TIME (active) (12 matches)
RTF-R6#
Loopback 1 is part of OSPF and reachable from outside
RTF-R6#SH CONFIG | I telnet
RTF-R6#SH run | I telnet
ip telnet source-interface Loopback8
RTF-R6#clear logging
Clear logging buffer [confirm]
RTF-R6#telnet 172.16.31.1
Trying 172.16.31.1 ... Open
LABC ACCESS-ROUTER
Authorized Access Only
User Access Verification
Password:
Verify before commit
#R1exit
[Connection to 172.16.31.1 closed by foreign host]
RTF-R6#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0
flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 422 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 241 message lines logged
Log Buffer (4096 bytes):
2.16.31.1 [10]
Nov 26 03:41:01: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [9]
Nov 26 03:41:01: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [9]
Nov 26 03:41:01: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [11]
Nov 26 03:41:01: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [11]
Nov 26 03:41:01: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [10]
Nov 26 03:41:01: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [10]
Nov 26 03:41:01: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [12]
Nov 26 03:41:01: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [12]
Nov 26 03:41:01: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [11]
Nov 26 03:41:01: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [11]
Nov 26 03:41:01: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [13]
Nov 26 03:41:01: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [13]
Nov 26 03:41:02: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [12]
Nov 26 03:41:02: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [12]
Nov 26 03:41:02: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [14]
Nov 26 03:41:02: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [14]
Nov 26 03:41:02: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [13]
Nov 26 03:41:02: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [13]
Nov 26 03:41:02: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [15]
Nov 26 03:41:02: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [15]
Nov 26 03:41:03: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [16]
Nov 26 03:41:03: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [16]
Nov 26 03:41:03: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [14]
Nov 26 03:41:03: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [14]
Nov 26 03:41:03: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [17]
Nov 26 03:41:03: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [17]
Nov 26 03:41:03: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [18]
Nov 26 03:41:03: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [18]
Nov 26 03:41:03: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [15]
Nov 26 03:41:03: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [15]
Nov 26 03:41:03: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [19]
Nov 26 03:41:03: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [19]
Nov 26 03:41:03: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [20]
Nov 26 03:41:03: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [20]
Nov 26 03:41:03: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [16]
Nov 26 03:41:03: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [16]
Nov 26 03:41:04: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [21]
Nov 26 03:41:04: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [21]
Nov 26 03:41:04: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [22]
Nov 26 03:41:04: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [22]
Nov 26 03:41:04: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [17]
Nov 26 03:41:04: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [17]
Nov 26 03:41:04: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [23]
Nov 26 03:41:04: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [23]
Nov 26 03:41:04: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [18]
Nov 26 03:41:04: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [18]
Nov 26 03:41:04: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [19]
Nov 26 03:41:04: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [19]
Nov 26 03:41:04: NAT: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [20]
Nov 26 03:41:04: NAT: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [20]
Nov 26 03:41:04: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [24]
Nov 26 03:41:04: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [24]
Nov 26 03:41:04: NAT: i: tcp (192.168.8.1, 11147) -> (172.16.31.1, 23) [25]
Nov 26 03:41:04: NAT: s=192.168.8.1->10.198.10.1, d=172.16.31.1 [25]
Nov 26 03:41:04: NAT*: o: tcp (172.16.31.1, 23) -> (10.198.10.1, 11147) [21]
Nov 26 03:41:04: NAT*: s=172.16.31.1, d=10.198.10.1->192.168.8.1 [21]
RTF-R6#
RTF-R6#
RTF-R6#sh ip access-lists INBOUND
Extended IP access list INBOUND
permit tcp any any eq bgp (328 matches)
permit ospf any any (160 matches)
permit icmp any any port-unreachable
permit icmp any any time-exceeded
permit tcp any eq ftp any gt 1023
permit tcp any any gt 1023 (49 matches) *** PAT port 11147 ***
Ping does not work since ICMP is not allowed in OUTBOUND.
RTF-R6#ping 172.16.31.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.31.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
THANKS
NENAD
On 11/25/05, Brian Dennis <bdennis@internetworkexpert.com> wrote:
>
> The problem is that you are testing it from the router with the reflexive
> ACL applied. Since by default, traffic sourced by the router is not
> affected by an outbound ACL, the traffic does not get reflected. Test this
> configuration from a router behind R6. If you want to be able to ping and
> telnet from R6, you can statically permit the returning traffic in the
> inbound ACL or policy route the traffic out a loopback. By policy routing
> the traffic out a loopback it will be "reflected" when it exits the router
> on your serial interface.
>
> HTH,
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> ------------------------------
>
> *From:* nenad pudar [mailto:nenad.pudar@gmail.com]
> *Sent:* Friday, November 25, 2005 12:09 PM
> *To:* Brian Dennis
> *Cc:* Cham; ccielab@groupstudy.com
> *Subject:* Re: Reflexive ACL - IE LAB2 Q10.8-10
>
> It is not clear to me what the lab requirements are; below I created one
> example in which only traceroute is allowed.
> In addition, we should not break existing applications (BGP & OSPF).
>
> interface Serial0/0
> description to to r1 0/1
> ip address 172.16.66.5 255.255.255.252
> ip access-group INBOUND in
> ip access-group OUTBOUND out
> ip nat outside
> encapsulation ppp
> ip ospf hello-interval 20
> ip ospf retransmit-interval 10
> ppp authentication chap PPP
> ppp chap hostname r6
> end
>
> RTF-R6#sh ip access-lists OUTBOUND
> Extended IP access list OUTBOUND
> permit tcp any any reflect TCP&UDP-TRAFFIC
> permit udp any any reflect TCP&UDP-TRAFFIC
>
> RTF-R6#sh ip access-lists INBOUND
> Extended IP access list INBOUND
> permit tcp any any eq bgp (62 matches)
> permit ospf any any (29 matches)
> permit icmp any any port-unreachable (4 matches)
> permit icmp any any time-exceeded
> evaluate TCP&UDP-TRAFFIC
>
>
> RTF-R6#telnet 172.16.66.6
> Trying 172.16.66.6 ...
> % Connection timed out; remote host not responding
>
> RTF-R6#ping 172.16.66.6
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.66.6, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> RTF-R6#tr 172.16.66.6
>
> Type escape sequence to abort.
> Tracing the route to 172.16.66.6
>
> 1 172.16.66.6 16 msec * 16 msec
>
> nenad
>
> On 11/25/05, *Brian Dennis* <bdennis@internetworkexpert.com> wrote:
>
> What does a reflexive ACL do? Reflexive ACLs watch the packet
> (reflect) and allow it to return (evaluate). When a packet is reflected
> the mirror image of that packet must be the one that returns. If it is
> not, then it cannot be properly evaluated. Reflexive ACLs do not work
> for any traffic that does not behave in this straightforward manner.
> Standard FTP and TFTP are examples of applications that do not work in
> this straightforward manner of a mirror image of the packet returning.
>
> In Cisco's IOS implementation of traceroute, the first packet
> sent out is a UDP packet destined to port 33434 but the packet sent back
> by the routers in the path is an ICMP time-exceeded when the TTL is
> decremented to 0. Finally in Cisco's implementation the final
> destination sends an ICMP port-unreachable.
>
> So now that we understand how traceroute is implemented by Cisco
> IOS and how reflexive ACLs work, we know that we need to "statically"
> permit ICMP time-exceeded and ICMP port-unreachables in order for
> traceroute to work.
>
> HTH,
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com ] On Behalf Of
> Cham
> Sent: Friday, November 25, 2005 10:22 AM
> To: ccielab@groupstudy.com
> Subject: RE: Reflexive ACL - IE LAB2 Q10.8-10
>
> Hello all,
>
> With reference to IE LAB2 Q10.8-10
>
> 10.10.10.1          10.10.10.2   150.1.19.1         150.1.19.2
> R1(gig4/1/0)----------------(gig4/0/0) R2 (fast0/0/0)--------(fast0/1/0)R3
>
> R2 has a Reflexive ACL on fast 0/0/0 to affect ICMP from R1 to R2
>
> interface FastEthernet0/0/0
> ip address 150.1.19.1 255.255.255.0
> ip access-group EVAL in
> ip access-group REFLECT out
> no ip proxy-arp
> half-duplex
>
> Extended IP access list EVAL
> 10 evaluate TEST
> 15 permit icmp any any time-exceeded
> 16 permit icmp any any port-unreachable (2 matches)
> 20 permit ospf any any (98 matches)
> 30 permit tcp any any eq bgp (24 matches)
>
> Extended IP access list REFLECT
> 10 permit icmp any any reflect TEST (40 matches)
> 20 permit ip any any (3 matches)   <---- without this a traceroute
> from R1 will not work??
>
> I can see how the normal ICMP part of this config works. But why do I
> need the "permit ip any any" on the "REFLECT" ACL to get a trace route
> to work, I was thinking that the "permit icmp any any" would permit
> the trace route through and then reflect for an entry on the return
> path??
>
> I have also tried the below in place of the "permit icmp any any
> reflect TEST" in the "REFLECT" but this also does not work?
>
> permit icmp any any time-exceeded reflect TEST
> permit icmp any any port-unreachable reflect TEST
>
> I feel my understanding of the ICMP type/code is at a loss?
>
> Thanks for any help on this...
> CG
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
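The thread's explanation of reflexive ACLs (reflect creates a mirror-image entry, evaluate matches only that mirror image, router-sourced traffic bypasses the outbound ACL and so is never reflected, and traceroute's UDP probe comes back as ICMP so it needs static permits) is small enough to model in a few dozen lines. The following Python is an added example written for this page, not output from any of the routers in the thread; the inside host 10.0.0.10 and the port numbers are constructed, the ACL lists are simplified versions of nenad's OUTBOUND/INBOUND (the ftp line is omitted), and the model has no entry timeouts and no ICMP echo/echo-reply pairing.

```python
"""Toy model of IOS reflexive ACL behaviour (constructed example).
'reflect' on the outbound list stores the mirror image of a permitted packet,
'evaluate' on the inbound list matches only that mirror image, and every other
returning packet must be permitted by a static line or it hits the implicit deny."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_msg: Optional[str] = None  # e.g. "time-exceeded"; ports unused for icmp
    router_sourced: bool = False    # generated by the router itself, not forwarded


def mirror(pkt: Packet) -> Packet:
    """The reflected entry: same protocol, addresses and ports swapped."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)


Rule = Tuple[str, Callable[[Packet], bool]]   # (line name, match predicate)


class ReflexiveAcl:
    def __init__(self, reflect_protos: Set[str], inbound_static: Optional[List[Rule]] = None):
        self.reflect_protos = set(reflect_protos)        # 'permit <proto> any any reflect X'
        self.inbound_static = list(inbound_static or [])  # lines that sit beside 'evaluate X'
        self.reflected: Set[Packet] = set()               # the dynamic entries of list X

    def outbound(self, pkt: Packet) -> Optional[str]:
        """Name of the matching outbound line, or None for the implicit deny."""
        if pkt.router_sourced:
            # IOS does not run router-generated traffic through an outbound ACL
            # by default, so nothing is reflected for it (Brian's point).
            return "bypass"
        if pkt.proto in self.reflect_protos:
            self.reflected.add(mirror(pkt))
            return "reflect"
        return None

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Name of the matching inbound line, or None for the implicit deny."""
        if pkt in self.reflected:             # 'evaluate': exact mirror image only
            return "evaluate"
        for name, rule in self.inbound_static:
            if rule(pkt):
                return name
        return None


def icmp(msg: str) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "icmp" and p.icmp_msg == msg


def nenad_style_acl(static_icmp: bool = True) -> ReflexiveAcl:
    """OUTBOUND reflects tcp/udp; INBOUND permits bgp, ospf and (optionally) the
    two ICMP messages traceroute relies on, then evaluates the reflected entries."""
    inbound: List[Rule] = [("bgp", lambda p: p.proto == "tcp" and p.dport == 179),
                           ("ospf", lambda p: p.proto == "ospf")]
    if static_icmp:
        inbound += [("port-unreachable", icmp("port-unreachable")),
                    ("time-exceeded", icmp("time-exceeded"))]
    return ReflexiveAcl({"tcp", "udp"}, inbound)


# Constructed addresses: a host behind R6, R6's serial, the next hop, a far router.
INSIDE, ROUTER, HOP, FAR = "10.0.0.10", "172.16.66.5", "172.16.66.6", "172.16.31.1"


def telnet_from_inside_host() -> Optional[str]:
    acl = nenad_style_acl()
    acl.outbound(Packet("tcp", INSIDE, FAR, 11147, 23))
    return acl.inbound(Packet("tcp", FAR, INSIDE, 23, 11147))         # mirror image -> "evaluate"


def telnet_sourced_by_router() -> Optional[str]:
    acl = nenad_style_acl()
    acl.outbound(Packet("tcp", ROUTER, FAR, 11147, 23, router_sourced=True))
    return acl.inbound(Packet("tcp", FAR, ROUTER, 23, 11147))         # never reflected -> None


def traceroute_from_inside_host(static_icmp: bool) -> Tuple[Optional[str], Optional[str]]:
    acl = nenad_style_acl(static_icmp)
    acl.outbound(Packet("udp", INSIDE, FAR, 49152, 33434))           # first probe is UDP
    hop = Packet("icmp", HOP, INSIDE, icmp_msg="time-exceeded")       # not a mirror of the probe
    end = Packet("icmp", FAR, INSIDE, icmp_msg="port-unreachable")
    return acl.inbound(hop), acl.inbound(end)


def active_ftp_data_from_inside_host() -> Optional[str]:
    acl = nenad_style_acl()
    acl.outbound(Packet("tcp", INSIDE, FAR, 40000, 21))              # control channel reflected
    return acl.inbound(Packet("tcp", FAR, INSIDE, 20, 40001))         # server-opened data channel


def probe_denied_outbound() -> Tuple[Optional[str], Optional[str]]:
    """Ping hits the implicit deny of an OUTBOUND list that reflects only tcp/udp;
    the UDP traceroute probe hits the implicit deny of a list that reflects only
    icmp (Cham's REFLECT without its 'permit ip any any')."""
    ping = nenad_style_acl().outbound(Packet("icmp", INSIDE, FAR, icmp_msg="echo"))
    probe = ReflexiveAcl({"icmp"}).outbound(Packet("udp", INSIDE, FAR, 49152, 33434))
    return ping, probe
```

Run the scenario functions in a REPL: the inside host's telnet return traffic is matched by `evaluate`, the router-sourced telnet return is not (no entry was ever created), the traceroute replies pass only when the two ICMP lines are present, and the active FTP data channel fails for the same mirror-image reason Brian gives.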
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3