From: Radoslav Vasilev (deckland@gmail.com)
Date: Mon Aug 07 2006 - 19:01:59 ART
Also - are you sure there's no alternative path from R3 to R1 or local to R3
config that could prevent the icmp echo-replies?
Rado
On 8/6/06, bindong.shi@gmail.com <bindong.shi@gmail.com> wrote:
>
> I have 3 routers:
> R1(17.17.17.1)----inside-----(17.17.17.7)R2(12.12.12.7)---outside----(12.12.12.8)R3
> I'd like to implement a Ref ACL on R2 that only allows TCP, UDP, ICMP and
> traceroute initiated from the inside network. Here is my configuration:
> R2:
> interface e0
> description connect to R3
> ip access-group Incoming in
> ip access-group Outgoing out
>
> ip access-list extended Outgoing
> permit tcp any any reflect temp
> permit udp any any reflect temp
> permit icmp any any reflect temp
> ip access-list extended Incoming
> permit eigrp any any
> permit icmp any any port-unreachable
> permit icmp any any time-exceeded
> evaluate temp
>
> Then I realized that I am not able to ping the loopback IP address of R3
> (12.12.12.8). According to the documentation, traffic initiated on R2 itself
> will not be evaluated, so I added one more command to the access-list
> Incoming:
> "permit icmp any any echo-reply"
> Now I am able to ping R3. My question is: I can understand why R2 cannot
> ping R3 without the last command I mentioned, but why can I also ping R3
> from R1 only after I added that command, since the traffic from R1 is not
> originated from R2 locally?
> There is no routing problem; every IP address is reachable.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
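Added example, not from the thread or from IOS: a small Python model of the reflexive ACL on R2's e0 as the quoted configuration and the cited documentation describe it. It assumes (labelled in the code) that an outbound packet matching a `reflect` entry creates a mirrored temporary entry unless R2 generated it itself (12.12.12.7), and that the Incoming list is checked top to bottom with `evaluate temp` last. Under those rules the echo-reply for R1's ping is matched by `evaluate temp` while R2's own is not, which is the behaviour the asker expected and why Rado's question about an alternative path or R3-local configuration is the natural next check.

```python
"""Simplified model of R2's reflexive ACL (constructed example, not IOS code).

Assumptions: outbound packets permitted by a 'reflect' entry create a mirrored
temp entry unless they were generated by R2 itself (12.12.12.7), which per the
documentation the asker cites is not reflected; inbound packets are checked
against the Incoming list in order, then against the temp entries.
"""
from dataclasses import dataclass

R2_OUTSIDE = "12.12.12.7"  # R2's own outside address, from the thread's topology


@dataclass(frozen=True)
class Entry:
    proto: str
    src: str
    dst: str


class ReflexiveAcl:
    def __init__(self, permit_echo_reply: bool = False):
        self.temp: set[Entry] = set()          # the 'temp' reflexive list
        self.permit_echo_reply = permit_echo_reply

    def outbound(self, proto: str, src: str, dst: str) -> bool:
        """Outgoing ACL: permit tcp/udp/icmp any any reflect temp."""
        if proto not in ("tcp", "udp", "icmp"):
            return False                        # implicit deny
        if src != R2_OUTSIDE:                   # router-originated traffic is not reflected
            self.temp.add(Entry(proto, dst, src))   # mirrored entry for the return traffic
        return True

    def inbound(self, proto: str, src: str, dst: str, icmp_type: str = None) -> bool:
        """Incoming ACL, top to bottom, then implicit deny."""
        if proto == "eigrp":
            return True
        if proto == "icmp" and icmp_type in ("port-unreachable", "time-exceeded"):
            return True
        if self.permit_echo_reply and proto == "icmp" and icmp_type == "echo-reply":
            return True                         # the asker's added line
        return Entry(proto, src, dst) in self.temp   # evaluate temp


def ping_succeeds(acl: ReflexiveAcl, src: str, dst: str = "12.12.12.8") -> bool:
    """Echo out through e0, echo-reply back in; True only if both pass."""
    if not acl.outbound("icmp", src, dst):
        return False
    return acl.inbound("icmp", dst, src, "echo-reply")
```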
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART