From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Sat Aug 05 2006 - 22:23:52 ART
Sorry for the last part.
Remember that traffic originated by the router would NOT be affected by the
Outgoing Access-list
-----Original message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Victor
Cappuccio
Sent: Saturday, 05 August 2006 09:09 p.m.
To: bindong.shi@gmail.com
CC: ccielab@groupstudy.com
Subject: RE: reflexive ACL
Hi Shi.
A good way to debug what is going on with the ACL is by doing a deny ip any
any log at the end of the access-list
ip access-list extended Incoming
permit ospf any any
permit icmp any any port-unreachable
permit icmp any any time-exceeded
evaluate temp
deny ip any any log
ip access-list extended Outgoing
permit tcp any any reflect temp
permit udp any any reflect temp
permit icmp any any reflect temp
deny ip any any log
For example:
I know that I denied VRRP in the Incoming named access-list
*Mar 1 06:09:12.425: %SEC-6-IPACCESSLOGNP: list Incoming denied 112 155.1.162.3 -> 224.0.0.18, 1 packet
Also I've denied BGP in the Incoming access-list
*Mar 1 06:09:54.795: %SEC-6-IPACCESSLOGP: list Incoming denied tcp 155.1.1.1(179) -> 155.1.4.4(49256), 1 packet
So I must permit BGP and VRRP at the beginning of the Incoming ACL, from the most
specific entries, if I really need to do that.
Remember that traffic originated by the router would be affected by the
Outgoing Access-list
Please try it in that way and send us the output
Thanks
Victor.-
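As an added example (not code from either message in this thread), a small Python parser for the two %SEC-6-IPACCESSLOG* line formats quoted above: it tallies the denied packets per flow and proposes the narrowest permit entry that would have covered each one, so the exceptions that need to sit above "evaluate temp" can be read straight off the log. The sample lines are constructed from the two quoted, and the suggested permit wording is a heuristic of this example, not IOS output.

```python
import re

# Constructed sample log: the two %SEC-6-IPACCESSLOG* formats quoted in the thread.
SAMPLE_LOG = """\
*Mar 1 06:09:12.425: %SEC-6-IPACCESSLOGNP: list Incoming denied 112 155.1.162.3 -> 224.0.0.18, 1 packet
*Mar 1 06:09:54.795: %SEC-6-IPACCESSLOGP: list Incoming denied tcp 155.1.1.1(179) -> 155.1.4.4(49256), 1 packet
*Mar 1 06:10:03.101: %SEC-6-IPACCESSLOGP: list Incoming denied tcp 155.1.1.1(179) -> 155.1.4.4(49256), 3 packets
"""

# IPACCESSLOGP: TCP/UDP with ports.  IPACCESSLOGNP: raw IP protocol number, no ports.
_L4 = re.compile(r"IPACCESSLOGP: list (\S+) (permitted|denied) (tcp|udp) "
                 r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")
_NP = re.compile(r"IPACCESSLOGNP: list (\S+) (permitted|denied) (\d+) "
                 r"(\S+) -> (\S+), (\d+) packets?")

def parse_line(line):
    """Return a dict describing the logged flow, or None for unrelated lines."""
    m = _L4.search(line)
    if m:
        acl, action, proto, src, sport, dst, dport, pkts = m.groups()
        return dict(acl=acl, action=action, proto=proto, src=src, dst=dst,
                    sport=int(sport), dport=int(dport), packets=int(pkts))
    m = _NP.search(line)
    if m:
        acl, action, proto, src, dst, pkts = m.groups()
        return dict(acl=acl, action=action, proto=proto, src=src, dst=dst,
                    sport=None, dport=None, packets=int(pkts))
    return None

def suggest_permit(hit):
    """Narrowest IOS 'permit' entry that would have matched this hit (heuristic).
    For TCP/UDP, pin the well-known (<1024) side; the other side is ephemeral."""
    if hit["sport"] is None:
        return f"permit {hit['proto']} host {hit['src']} host {hit['dst']}"
    if hit["sport"] < 1024:
        return f"permit {hit['proto']} host {hit['src']} eq {hit['sport']} host {hit['dst']}"
    return f"permit {hit['proto']} host {hit['src']} host {hit['dst']} eq {hit['dport']}"

def summarize(log):
    """Aggregate denied packets per (ACL, suggested permit) so the entries
    that must go above 'evaluate temp' can be read straight off the log."""
    totals = {}
    for line in log.splitlines():
        hit = parse_line(line)
        if hit is None or hit["action"] != "denied":
            continue
        key = (hit["acl"], suggest_permit(hit))
        totals[key] = totals.get(key, 0) + hit["packets"]
    return totals
```

Running summarize(SAMPLE_LOG) on the constructed lines yields one VRRP entry (protocol 112, 1 packet) and one BGP entry (tcp/179, 4 packets) for the Incoming list.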
-----Original message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
bindong.shi@gmail.com
Sent: Saturday, 05 August 2006 08:32 p.m.
To: ccielab@groupstudy.com
Subject: reflexive ACL
I have 3 routers:
R1(17.17.17.1)----inside-----(17.17.17.7)R2(12.12.12.7)---outside----(12.12.12.8)R3
I'd like to implement a reflexive ACL on R2, only allowing TCP, UDP, ICMP and traceroute
initiated from the inside network. Here is my configuration:
R2:
interface e0
description connect to R3
ip access-group Incoming in
ip access-group Outgoing out
ip access-list extended Outgoing
permit tcp any any reflect temp
permit udp any any reflect temp
permit icmp any any reflect temp
ip access-list extended Incoming
permit eigrp any any
permit icmp any any port-unreachable
permit icmp any any time-exceeded
evaluate temp
Then I realized that I am not able to ping the loopback IP address of R3
(12.12.12.8). According to the documentation, traffic which was initiated on
R2 itself will not be evaluated, so I added one more command to the access-list
Incoming:
"permit icmp any any echo-reply"
Now I am able to ping R3. My question is: I can understand that R2
cannot ping R3 without the last command I mentioned, but why can I also ping
R3 from R1 only after I added that command, since traffic from R1 is not
originated locally from R2?
There is no routing problem; every IP address is reachable.
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART