From: Navin MS (navin_ms07@yahoo.com)
Date: Wed Jun 07 2006 - 19:06:14 ART
Yes, as Elias said, return traffic has to be explicitly allowed by using an access-list.
Both of the options you mentioned will allow telnet traffic that was originated from behind the router, but
NEITHER of them will help you allow your own router's traffic back.
A word of caution though... It was exactly at this stage of the lab that I broke routing
connectivity between routers. Be very careful to always allow your routing traffic in when using
a reflexive access list. Because locally generated routing traffic will NOT be reflected, it is
denied from coming in :( Sad, but true.
Naveen.
--- Elias Chari <elias.chari@gmail.com> wrote:
> Carlos,
>
> If the traffic is originated by the router, it will not be reflected,
> therefore the return traffic will be dropped. You need to allow it
> explicitly in.
>
> Rgds
> Elias
>
>
> On 6/7/06, Carlos Campos Torres (ccampost) <ccampost@cisco.com> wrote:
> >
> > Yup, I was reading on that and I totally agree, just wondering if I had
> > something like that for exam purposes if the result would be the same (I
> > think it would at the end, one more secure than the other though).
> >
> > Thanks Ben and Savjani for replying,
> >
> > Carlos Campos CCNP, CCDP
> > Associate Systems Engineer
> > Cisco Systems, Inc
> > (919) 392-6285
> >
> >
> >
> > -----Original Message-----
> > From: Ben [mailto:ccieben@cox.net]
> > Sent: Wednesday, June 07, 2006 3:00 PM
> > To: Carlos Campos Torres (ccampost)
> > Cc: ccielab@groupstudy.com
> > Subject: Re: Reflexive ACL vs Telnet established
> >
> > Hi Carlos,
> >
> > The "established" keyword in a router ACL is just checking for the TCP
> > ACK or RST bit set in the header:
> > "For the TCP protocol only: Indicates an established connection. A match
> > occurs if the TCP datagram has the ACK or RST bit set. The nonmatching
> > case is that of the initial TCP datagram to form a connection."
> >
> > So, in theory, if someone were altering the header info, the packet
> > would pass through your ACL.
> >
> > In contrast, the reflexive list is a sort-of-stateful-firewall-like
> > mechanism that only allows back the return traffic of sessions that were
> > originated by matching your reflect statement. You can see these reflexive
> > entries with a "show access-list".
> >
> > HTH
> >
> > Ben
> >
> >
> > Carlos Campos Torres (ccampost) wrote:
> > > Hi all,
> > >
> > > Just wondering what the difference between allowing telnet in a
> > > reflexive ACL and just creating an access-list with the established
> > > keyword would be.
> > >
> > > Example: In Internetwork Experts Lab 5 Task 9.1 they ask to have
> > > telnet connectivity if a router started the connection.
> > >
> > > Option 1)
> > >
> > > R2(config)#ip access-list extended INBOUND
> > > R2(config-ext-nacl)#permit tcp any eq telnet any established
> > >
> > > Option 2)
> > > R2(config)#ip access-list extended INBOUND
> > > R2(config-ext-nacl)#evaluate REFLECT
> > > R2(config)#ip access-list extended OUTBOUND
> > > R2(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT
> > >
> > > What would be the difference between doing it one way or the other?
> > >
> > > Any comments will be highly appreciated
> > >
> > > Thanks!
> > >
> > > Carlos Campos
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
>
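The distinction the thread keeps circling back to (a stateless ACK/RST check versus a mirrored entry created only by transit traffic, and the fact that router-originated traffic creates no such entry) is easy to see in a small model. The Python below is an added example written for this archive page; it is not code from the thread, from Cisco, or from the Internetwork Expert workbook. It deliberately simplifies IOS behaviour: reflexive entries here are permanent and matched on the mirrored 5-tuple only, with no timeout or FIN/RST teardown, and the hostnames, addresses (RFC 5737 documentation ranges) and ports are constructed sample values.

```python
"""Model of the two INBOUND filtering options discussed in the thread.

Added example, not part of the original mailing-list thread. All addresses,
ports and packets are constructed; real IOS reflexive ACLs also age entries
out and tear them down on FIN/RST, which this model omits.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, Set, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flag names set in the header, e.g. {"SYN", "ACK"}


def permit_established(pkt: Packet) -> bool:
    """Option 1: 'permit tcp any eq telnet any established'.

    Stateless. Per the IOS text Ben quotes, the line matches any segment
    sourced from port 23 with ACK or RST set; it never looks at what went out.
    """
    return pkt.sport == TELNET and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """Option 2: 'permit tcp any any eq telnet reflect REFLECT' on OUTBOUND
    plus 'evaluate REFLECT' on INBOUND.

    Outbound telnet that transits the router installs a mirrored entry;
    inbound traffic is matched only against those entries. Traffic the
    router itself originates is not reflected (the pitfall Elias and Navin
    describe), so its replies need an explicit permit line.
    """

    def __init__(self, router_addrs: Iterable[str]):
        self.router_addrs: Set[str] = set(router_addrs)
        self.reflected: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.src in self.router_addrs:
            return  # locally generated: no reflexive entry is created
        if pkt.dport == TELNET:
            # Mirrored tuple the return traffic must match exactly.
            self.reflected.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def evaluate(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected


def inbound_permitted(acl: ReflexiveAcl, pkt: Packet,
                      explicit: Iterable[Callable[[Packet], bool]] = ()) -> bool:
    """INBOUND list: 'evaluate REFLECT', then any explicit permit lines, then
    the implicit deny. Router-originated sessions rely on the explicit lines."""
    return acl.evaluate(pkt) or any(rule(pkt) for rule in explicit)


def run_scenarios() -> dict:
    """Constructed traffic exercising both options. Each value is the pair
    (permitted by Option 1, permitted by Option 2) unless noted."""
    r2 = "192.0.2.1"            # R2's outside interface (constructed)
    inside_host = "10.1.1.10"   # host behind R2 (constructed)
    server = "203.0.113.5"      # remote telnet server (constructed)
    acl = ReflexiveAcl(router_addrs=[r2])
    results = {}

    # 1. A host behind R2 opens telnet; the server's SYN/ACK comes back.
    acl.outbound(Packet(inside_host, 40000, server, TELNET, frozenset({"SYN"})))
    reply = Packet(server, TELNET, inside_host, 40000, frozenset({"SYN", "ACK"}))
    results["host_reply"] = (permit_established(reply), inbound_permitted(acl, reply))

    # 2. An unsolicited inbound segment from port 23 with ACK set and no prior
    #    outbound session: Ben's "altering the header info" case.
    stray = Packet("198.51.100.9", TELNET, inside_host, 445, frozenset({"ACK"}))
    results["unsolicited_ack"] = (permit_established(stray), inbound_permitted(acl, stray))

    # 3. R2 itself telnets out; nothing is reflected, so the reply is denied
    #    by Option 2 even though Option 1 lets it through.
    acl.outbound(Packet(r2, 50000, server, TELNET, frozenset({"SYN"})))
    r2_reply = Packet(server, TELNET, r2, 50000, frozenset({"SYN", "ACK"}))
    results["router_reply"] = (permit_established(r2_reply), inbound_permitted(acl, r2_reply))

    # 3b. Same reply once an explicit line for R2's own telnet sessions follows the evaluate.
    allow_r2_telnet = lambda p: p.sport == TELNET and p.dst == r2 and "ACK" in p.flags
    results["router_reply_explicit"] = inbound_permitted(acl, r2_reply, [allow_r2_telnet])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 2 is why Ben calls the reflexive list "sort-of-stateful": the established line passes any segment whose header carries ACK, while the reflexive entry requires an outbound session to exist first. Scenario 3 is Navin's warning in miniature, and the same applies to routing protocol traffic the router sources: the fix is the explicit permit after `evaluate`, not another `reflect` statement.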
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART