From: Joe Clyde (jclyde@uen.org)
Date: Thu Sep 14 2006 - 21:09:36 ART
I've set up a reflexive acl on my router and it appears to be
working for anything going out the trusted interface unless it is
sourced from the router itself.
R1---->R2----->R4
Both the acls are on the interface pointing towards R4. I can telnet
or ping to R4 from R1 and that traffic shows up under the reflected acl
like it should; R4 cannot telnet or ping back...again like it should.
However when I source a ping or telnet from the loopback, or any other
interface on R2, to R4, I can't get through. I remember something about
how ACLs filter traffic that comes through the ports but not traffic sourced from
them...or something like that. Any help on what I'm missing would be
appreciated. Or stated another way, how can I apply a reflexive acl
that will permit locally sourced addresses?
R2 config:

interface Serial0/0.24 point-to-point
 description to-->r4
 ip address 192.168.24.2 255.255.255.248
 ip access-group notsafe in
 ip access-group safe out
 frame-relay interface-dlci 204
!
! inbound from R4: OSPF is always allowed, everything else must match
! a temporary entry created by the 'safe' list (implicit deny otherwise)
ip access-list extended notsafe
 permit ospf any any
 evaluate me
!
! outbound towards R4: permit everything and create the mirrored
! temporary entries in reflexive list 'me'
ip access-list extended safe
 permit ip any any reflect me
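The following is an added model of the 'safe'/'notsafe' pair above, not anything from the original post or from IOS itself: it shows how 'reflect' creates a mirrored temporary entry for transit traffic that 'evaluate' later matches, and models the behaviour the post observes (router-generated packets never pass through the outbound ACL, so no entry is created for them) as an assumption. The R1, R4 and loopback addresses are constructed; only R2's 192.168.24.2 comes from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp", "udp" or "ospf"
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self) -> "Flow":  # reflected entry: source and destination swapped
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveAclPair:
    """Model of 'safe' (out: permit ip any any reflect me) and 'notsafe' (in: permit ospf, evaluate me)."""
    def __init__(self, router_addrs, timeout=300):
        self.router_addrs = {ip_address(a) for a in router_addrs}
        self.timeout = timeout
        self.reflected = {}  # mirrored Flow -> expiry time in seconds

    def outbound(self, flow, now):
        # Assumption taken from the behaviour in the post: IOS does not run
        # router-generated packets through the outbound ACL, so 'reflect' never sees them.
        if ip_address(flow.src) in self.router_addrs:
            return True
        self.reflected[flow.mirror()] = now + self.timeout
        return True  # permit ip any any

    def inbound(self, flow, now):
        if flow.proto == "ospf":
            return True  # permit ospf any any
        expiry = self.reflected.get(flow)
        return expiry is not None and now <= expiry  # evaluate me, else implicit deny

def run_scenarios():
    # R2's 192.168.24.2 is from the post; R1, R4 and Loopback0 addresses are constructed.
    acl = ReflexiveAclPair(router_addrs=["192.168.24.2", "10.2.2.2"])
    r1, r4, lo0 = "192.168.12.1", "192.168.24.4", "10.2.2.2"
    transit = Flow("tcp", r1, 40000, r4, 23)   # telnet R1 -> R4 through R2
    local = Flow("tcp", lo0, 40001, r4, 23)    # telnet sourced from R2's loopback
    acl.outbound(transit, now=0)
    acl.outbound(local, now=0)
    return {
        "transit_return": acl.inbound(transit.mirror(), now=1),
        "local_return": acl.inbound(local.mirror(), now=1),
        "r4_initiated": acl.inbound(Flow("tcp", r4, 50000, r1, 23), now=1),
        "ospf_hello": acl.inbound(Flow("ospf", r4, 0, "224.0.0.5", 0), now=1),
        "expired": acl.inbound(transit.mirror(), now=600),
    }
```

Only the transit telnet's return traffic and OSPF get back in; the loopback-sourced session has no reflected entry, which is exactly the symptom described.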
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART