Reflexive ACL

From: bindong.shi@gmail.com
Date: Sat Aug 05 2006 - 21:32:08 ART


I have 3 routers:
R1(17.17.17.1)----inside-----(17.17.17.7)R2(12.12.12.7)---outside----(12.12.12.8)R3
I would like to implement a reflexive ACL on R2 that only allows TCP, UDP, ICMP and traceroute initiated from the inside network. Here is my configuration:
R2:
interface e0
description connect to R3
ip access-group Incoming in
ip access-group Outgoing out

ip access-list extended Outgoing
permit tcp any any reflect temp
permit udp any any reflect temp
permit icmp any any reflect temp
ip access-list extended Incoming
permit eigrp any any
permit icmp any any port-unreachable
permit icmp any any time-exceeded
evaluate temp

Then I realized that I was not able to ping the loopback IP address of R3 (12.12.12.8). According to the documentation, traffic initiated on R2 itself is not evaluated, so I added one more command to the access-list Incoming:
"permit icmp any any echo-reply"
Now I am able to ping R3. My question is: I can understand why R2 cannot ping R3 without the last command I mentioned, but why can I also ping R3 from R1 only after I added that command, since traffic from R1 does not originate from R2 locally?
There is no routing problem; every IP address is reachable.
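As an added illustration, not part of the original post and not IOS code: a small Python model of how the R2 configuration above is meant to behave. "reflect temp" mirrors the 5-tuple of each permitted outbound packet into a temporary list with an idle timeout, "evaluate temp" admits only inbound packets that match a live entry, and packets R2 generates itself bypass the outbound ACL and therefore never create an entry (the documented behaviour the post refers to). The addresses come from the diagram; the 300-second timeout, the port numbers, and the class and function names are assumptions of the example. Under this model R1's ping succeeds without the extra echo-reply line, so it reproduces the R2 case the post describes but does not explain the R1 observation the post asks about.

```python
"""Toy model of a Cisco IOS reflexive ACL (added example, not IOS code)."""
from dataclasses import dataclass

# Addresses from the diagram in the post
R1 = "17.17.17.1"
R2_OUT = "12.12.12.7"
R3 = "12.12.12.8"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", "eigrp"
    src: str
    dst: str
    sport: int = 0        # L4 ports; 0 for ICMP/EIGRP
    dport: int = 0
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", ...


@dataclass
class ReflexiveEntry:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    expires: float


class ReflexiveList:
    """The temporary list written by 'reflect temp' and read by 'evaluate temp'."""

    def __init__(self, timeout: float = 300.0):   # timeout is an assumed value
        self.timeout = timeout
        self.entries = []

    def reflect(self, pkt: Packet, now: float) -> None:
        # Mirror the 5-tuple: the return traffic is expected from dst back to src
        self.entries.append(ReflexiveEntry(
            pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport, now + self.timeout))

    def evaluate(self, pkt: Packet, now: float) -> bool:
        self.entries = [e for e in self.entries if e.expires > now]  # purge stale
        return any(e.proto == pkt.proto and e.src == pkt.src and e.dst == pkt.dst
                   and e.sport == pkt.sport and e.dport == pkt.dport
                   for e in self.entries)


class R2:
    REFLECTED = ("tcp", "udp", "icmp")   # permit <proto> any any reflect temp

    def __init__(self, extra_icmp_permits=()):
        self.temp = ReflexiveList()
        # permit icmp any any port-unreachable / time-exceeded, plus any extra line
        self.icmp_permits = {"port-unreachable", "time-exceeded", *extra_icmp_permits}

    def outbound(self, pkt: Packet, now: float, locally_generated: bool = False) -> bool:
        """Outgoing ACL on e0. Packets R2 originates itself bypass it entirely."""
        if locally_generated:
            return True            # forwarded, but no reflexive entry is created
        if pkt.proto in self.REFLECTED:
            self.temp.reflect(pkt, now)
            return True
        return False               # implicit deny

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Incoming ACL on e0: static permits first, then 'evaluate temp'."""
        if pkt.proto == "eigrp":
            return True
        if pkt.proto == "icmp" and pkt.icmp_type in self.icmp_permits:
            return True
        return self.temp.evaluate(pkt, now)


def ping(r2: R2, src: str, dst: str, locally_generated: bool,
         now: float = 0.0, reply_at: float = None) -> bool:
    """Send an echo out through R2 and report whether the echo-reply is admitted."""
    reply_at = now if reply_at is None else reply_at
    if not r2.outbound(Packet("icmp", src, dst, icmp_type="echo"), now, locally_generated):
        return False
    return r2.inbound(Packet("icmp", dst, src, icmp_type="echo-reply"), reply_at)


def scenario(extra_icmp_permits=()) -> dict:
    """Run the cases from the post with and without the extra echo-reply permit."""
    r2 = R2(extra_icmp_permits)
    results = {
        "r1_ping_r3": ping(r2, R1, R3, locally_generated=False),
        "r2_ping_r3": ping(r2, R2_OUT, R3, locally_generated=True),
        # Reply arrives after the idle timeout: the mirrored entry has expired
        "r1_ping_r3_stale": ping(r2, R1, R3, False, now=0.0, reply_at=600.0),
    }
    # A TCP session from R1 (assumed ports) is reflected with ports swapped
    r2.outbound(Packet("tcp", R1, R3, 40000, 23), 0.0)
    results["tcp_return"] = r2.inbound(Packet("tcp", R3, R1, 23, 40000), 0.0)
    # Unsolicited inbound TCP has no mirrored entry and is dropped
    results["unsolicited_tcp"] = r2.inbound(Packet("tcp", R3, R1, 1024, 23), 0.0)
    return results


if __name__ == "__main__":
    print("without echo-reply permit:", scenario())
    print("with echo-reply permit:   ", scenario(("echo-reply",)))
```

The second run adds the "permit icmp any any echo-reply" line from the post; note that it also admits the reply whose reflexive entry has already timed out, which is the trade-off of replacing a stateful entry with a static permit.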

This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART