RE: Reflexive ACL entry question

From: easyman (easyman@primetek.com.tw)
Date: Fri Jan 13 2006 - 06:12:22 GMT-3


I think it's OK to have this result.
It depends on how you apply your ACL.
I didn't see how you applied the ACLs on the interfaces.
I suppose you applied "TCPIN" inbound on R1's trusted interface, and
"TCPOUT" inbound on R1's untrusted interface.

So let's break it down:
1. You issue the telnet command on a router beyond the trusted interface
(src IP 192.168.1.3, src port 11002; dst IP 172.16.1.4, dst port 23).
2. The packet traverses the router through ACL "TCPIN" and matches "30
permit tcp any any eq telnet reflect TELNET".
3. The reflexive ACL adds an entry (the reverse of step 1: src IP
172.16.1.4, src port 23; dst IP 192.168.1.3, dst port 11002).
4. Thus the returning telnet packet can enter R1's untrusted interface,
match "20 evaluate TELNET", and come back through R1.

From my test it shows as follows:

R1(S0/0)-------(S0/0.201)R2(S0/0.203)------(S0/0)R3
R1 telnet to R3

R2
interface Serial0/0.201 point-to-point
 ip address 10.1.1.2 255.255.255.0
 ip access-group TCPIN in
 frame-relay interface-dlci 201
!
interface Serial0/0.203 point-to-point
 ip address 10.1.2.2 255.255.255.0
 ip access-group TCPOUT in
 frame-relay interface-dlci 203

r2#sh access-lists
Extended IP access list TCPIN
    10 permit ospf any any
    20 permit icmp any any (281 matches)
    30 permit tcp any any eq telnet reflect TELNET
Extended IP access list TCPOUT
    10 permit ospf any any
    20 evaluate TELNET
Reflexive IP access list TELNET
     permit tcp host 10.1.2.3 eq telnet host 10.1.1.1 eq 11004 (26 matches)
(time left 295)

HTH.
Regards,
Lin
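
To make the four steps above concrete, here is a small Python model of what
the "reflect" and "evaluate" keywords do, written as an added example (it is
not code from the thread and not IOS). It assumes the IOS default reflexive
timeout of 300 seconds, that a match in either direction refreshes the timer,
and a subset of the port names IOS prints in "show access-lists". The
addresses are the ones from Dave's output.

```python
"""Toy model of IOS reflexive ACL state (added example, not from the thread)."""
from dataclasses import dataclass

# Assumption: subset of the service names IOS substitutes for port numbers.
PORT_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "www"}
DEFAULT_TIMEOUT = 300  # IOS default reflexive ACL timeout, in seconds


@dataclass(frozen=True)
class Packet:
    """Five-tuple of one IP packet as seen by the ACL."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ReflexiveEntry:
    """One temporary permit entry created by a 'reflect <name>' match.

    src_* is the responder (the original destination), dst_* the initiator
    (the original source), i.e. the five-tuple with both ends swapped.
    """
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    time_left: int
    matches: int = 0

    def permits(self, pkt: Packet) -> bool:
        """Exact match on protocol, both hosts and both ports."""
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == (
            self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def render(self) -> str:
        """Format the entry the way 'show access-lists' prints it."""
        sp = PORT_NAMES.get(self.src_port, str(self.src_port))
        dp = PORT_NAMES.get(self.dst_port, str(self.dst_port))
        return (f"permit {self.proto} host {self.src_ip} eq {sp} "
                f"host {self.dst_ip} eq {dp} ({self.matches} matches) "
                f"(time left {self.time_left})")


class ReflexiveACL:
    """The dynamic list named by 'reflect <name>' / 'evaluate <name>'."""

    def __init__(self, name: str, timeout: int = DEFAULT_TIMEOUT):
        self.name = name
        self.timeout = timeout
        self.entries: list[ReflexiveEntry] = []

    def reflect(self, pkt: Packet) -> ReflexiveEntry:
        """Called when an outbound packet hits a 'permit ... reflect' line."""
        for e in self.entries:  # same session seen again: refresh, do not duplicate
            if (e.proto, e.dst_ip, e.dst_port, e.src_ip, e.src_port) == (
                    pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                e.time_left = self.timeout
                return e
        # Swap source and destination: the entry describes the return traffic.
        e = ReflexiveEntry(pkt.proto, pkt.dst_ip, pkt.dst_port,
                           pkt.src_ip, pkt.src_port, self.timeout)
        self.entries.append(e)
        return e

    def evaluate(self, pkt: Packet) -> bool:
        """Called for an inbound packet at the 'evaluate <name>' line."""
        for e in self.entries:
            if e.permits(pkt):
                e.matches += 1
                e.time_left = self.timeout  # assumption: any match refreshes the timer
                return True
        return False  # falls through to later lines / the implicit deny

    def tick(self, seconds: int) -> None:
        """Age entries; an idle session's entry is removed when its timer hits 0."""
        for e in self.entries:
            e.time_left -= seconds
        self.entries = [e for e in self.entries if e.time_left > 0]


def demo() -> dict:
    """Replay the telnet from 192.168.1.3 to 172.16.1.4 and test three return packets."""
    acl = ReflexiveACL("TELNET")
    outbound = Packet("tcp", "192.168.1.3", 11002, "172.16.1.4", 23)
    acl.reflect(outbound)  # step 2 + 3: the 'reflect TELNET' match creates the entry
    legit = Packet("tcp", "172.16.1.4", 23, "192.168.1.3", 11002)   # real reply
    wrong_port = Packet("tcp", "172.16.1.4", 23, "192.168.1.3", 11003)
    other_host = Packet("tcp", "172.16.1.9", 23, "192.168.1.3", 11002)
    return {
        "entry": acl.entries[0].render(),
        "reply_permitted": acl.evaluate(legit),          # step 4
        "wrong_port_permitted": acl.evaluate(wrong_port),
        "other_host_permitted": acl.evaluate(other_host),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes visible is that the entry is keyed on the full
five-tuple of the return flow, so only the one responder, speaking from port
23 back to the exact ephemeral port the initiator used, gets through; a packet
to a different high port or from a different host falls off the end of the
"evaluate" and hits the implicit deny. The ephemeral port showing up in the
entry is therefore expected, not an error.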

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Schulz, Dave
Sent: Thursday, January 12, 2006 11:42 PM
To: ccielab@groupstudy.com
Subject: Reflexive ACL entry question

I am working with some reflexive ACLs. Everything is working fine, but
doing a telnet from one router through to another, I noticed that the
return path was going to port 11002 rather than the expected port 23. I
could not find any documentation on this. Does anyone have any
information on this, or at least point me to the information? Thanks
in advance!

R1#sh ip access
Extended IP access list TCPIN
    10 permit ospf any any (8 matches)
    20 permit icmp any any (20 matches)
    30 permit tcp any any eq telnet reflect TELNET (31 matches)
Extended IP access list TCPOUT
    10 permit ospf any any (1 match)
    20 evaluate TELNET
Reflexive IP access list TELNET
     permit tcp host 172.16.1.4 eq telnet host 192.168.1.3 eq 11002 (52
matches) (time left 293)

Dave

Dave Schulz,
Email: dschulz@dpsciences.com

This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:48 GMT-3