From: Angelo De Guzman (a.deguzman@wesolv.ph.fujitsu.com)
Date: Fri Sep 15 2006 - 06:49:00 ART
Hi Joe,
If you want to allow R2 to ping (ICMP)/telnet, you must allow it inbound in
your ACL (notsafe). The reason behind it is that your outbound ACL for R2 does not
process locally originated traffic. Hence no dynamic ACL entry is created, while
ICMP and Telnet from R1 work because the outbound safe ACL was processed.
In your set-up also, if you want ping and telnet to come into your network
(your safe network did not originate them), you must allow them inbound as well.
HTH
Angelo
Joe Clyde (9/15/06 8:09 AM):
>
> I've set up a reflexive acl on my router and it appears to be
>working for anything going out the trusted interface unless it is
>sourced from the router itself.
>R1---->R2----->R4
>
> Both the acls are on the interface pointing towards R4. I can telnet
>or ping to R4 from R1 and that traffic shows up under the reflected acl
>like it should, R4 can not telnet or ping back...again like it should.
>However when I source a ping or telnet from the loopback, or any other
>interface on R2 to R4, I can't get through. I remember something about
>how ACLs filter traffic that come through the ports but not sourced from
>them...or something like that. Any help on what I'm missing would be
>appreciated. Or stated another way, how can I apply a reflexive acl
>that will permit locally sourced addresses?
>
>R2 config
>
>interface Serial0/0.24 point-to-point
> description to-->r4
> ip address 192.168.24.2 255.255.255.248
> ip access-group notsafe in
> ip access-group safe out
> frame-relay interface-dlci 204
>
>ip access-list extended notsafe
> permit ospf any any
> evaluate me
>ip access-list extended safe
> permit ip any any reflect me
>
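The behaviour Angelo describes can be seen in a small model of the R2 interface quoted above. The following Python is an added example written for this archive page, not code from either poster or from Cisco; it models ACL `safe` (`permit ip any any reflect me`) applied outbound and ACL `notsafe` (`permit ospf any any` / `evaluate me`) applied inbound, plus the IOS rule that an outbound ACL is not evaluated for packets the router itself originates, so no reflexive entry is ever created for them. Only 192.168.24.2 comes from the thread; the R1, R4 and loopback addresses, the port numbers and the extra `permit tcp any host 2.2.2.2` line that stands in for "allow it inbound in notsafe" are constructed assumptions. ICMP is tracked as a bare protocol here rather than by type/code, which is a simplification of what IOS does.

```python
"""Toy model of a Cisco IOS reflexive ACL on one interface (added example,
not the thread's own code). Assumed addresses: R1 = 10.0.0.1, R2 loopback =
2.2.2.2, R4 = 192.168.24.4; R2's serial address 192.168.24.2 is from the thread."""
from dataclasses import dataclass

R1, R2_LO, R2_SERIAL, R4 = "10.0.0.1", "2.2.2.2", "192.168.24.2", "192.168.24.4"


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "ospf"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports (simplification for ICMP)
    dport: int = 0
    local_origin: bool = False   # True when R2 itself generated the packet


class ReflexiveInterface:
    """Models Serial0/0.24: 'ip access-group notsafe in' / 'ip access-group safe out'."""

    def __init__(self, extra_inbound=()):
        # extra_inbound: (proto, dst, dport) tuples that stand in for additional
        # permit lines added to ACL 'notsafe' (dport 0 = any port). Assumed fix.
        self.extra_inbound = list(extra_inbound)
        self.reflected = set()   # live entries of reflexive ACL 'me'

    def send_out(self, pkt: Packet) -> str:
        """Outbound path through ACL 'safe'. IOS does not run an outbound ACL
        on router-originated packets, so they bypass 'reflect me' entirely."""
        if pkt.local_origin:
            return "forwarded (outbound ACL not evaluated, no reflexive entry)"
        # 'permit ip any any reflect me': store the mirrored 5-tuple for the reply
        self.reflected.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return "forwarded (reflexive entry created)"

    def receive_in(self, pkt: Packet) -> str:
        """Inbound path through ACL 'notsafe', top to bottom, implicit deny last."""
        if pkt.proto == "ospf":                       # permit ospf any any
            return "permit (ospf)"
        for proto, dst, dport in self.extra_inbound:  # assumed added permit lines
            if pkt.proto == proto and pkt.dst == dst and dport in (0, pkt.dport):
                return "permit (static entry)"
        if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.reflected:
            return "permit (evaluate me)"             # evaluate me
        return "deny (implicit)"


def transit_ping():
    """R1 pings R4 through R2: outbound ACL runs, reply matches 'evaluate me'."""
    iface = ReflexiveInterface()
    iface.send_out(Packet("icmp", R1, R4))
    return iface.receive_in(Packet("icmp", R4, R1))


def unsolicited_from_r4():
    """R4 tries to telnet to R1 with no prior outbound flow: dropped."""
    iface = ReflexiveInterface()
    return iface.receive_in(Packet("tcp", R4, R1, 40000, 23))


def local_ping_without_fix():
    """Joe's problem: R2 pings R4 from its loopback, reply has no entry to match."""
    iface = ReflexiveInterface()
    iface.send_out(Packet("icmp", R2_LO, R4, local_origin=True))
    return iface.receive_in(Packet("icmp", R4, R2_LO))


def local_telnet_with_fix():
    """Angelo's fix: permit the return traffic inbound in 'notsafe' itself
    (modelled as the assumed line 'permit tcp any host 2.2.2.2')."""
    iface = ReflexiveInterface(extra_inbound=[("tcp", R2_LO, 0)])
    iface.send_out(Packet("tcp", R2_LO, R4, 11000, 23, local_origin=True))
    return iface.receive_in(Packet("tcp", R4, R2_LO, 23, 11000))


if __name__ == "__main__":
    for fn in (transit_ping, unsolicited_from_r4, local_ping_without_fix, local_telnet_with_fix):
        print(f"{fn.__name__:26s} -> {fn()}")
```

The model makes the trade-off explicit: the static permit that lets router-sourced sessions back in is not stateful, so it also admits any packet from the untrusted side that matches it, which is why Angelo's advice is to allow only what R2 itself needs (the specific protocols and destination addresses) rather than widening `notsafe` with `permit ip any any`.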
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART