RE: reflexive acl

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Fri Sep 15 2006 - 18:39:33 ART


Hi Joe,

Let me see if I understand your question.

If you need to push traffic out from the router, and also need the Reflexive
ACL to not drop the traffic that you originate from the router, then you
need to set a local policy pointing to any loopback; in that way you make
your traffic flow through the router, and not be originated from the
router itself.

Say that we have a topology like this: R1 ---- Eth ---- R3

R1 Config#

interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0
ip access-group INACL in
ip access-group OUTACL out
!
ip access-list extended INACL
evaluate MYFW
deny ip any any log !<-- This is not needed, but I like to see the logs from
traffic being denied

ip access-list extended OUTACL
permit ip any any reflect MYFW

R1#telnet 192.168.0.3
Trying 192.168.0.3 ...
% Connection timed out; remote host not responding

R1(config)#int loopback 0
R1(config-if)#ip address 150.1.1.1 255.255.255.0
R1(config-if)#route-map POLITICA:LOCAL
R1(config-route-map)#set interface loopback 0
R1(config-route-map)#ip local policy route-map POLITICA:LOCAL
R1(config)#end

R1#telnet 192.168.0.3
Trying 192.168.0.3... Open

Password required, but none set

[Connection to 192.168.0.3 closed by foreign host]

HTH
Victor.-
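
The following is an added illustration, not configuration or code from either mail: a small Python model of how the reflexive ACL pair in the R1 config above (OUTACL "permit ip any any reflect MYFW" / INACL "evaluate MYFW") treats transit traffic versus traffic the router itself originates, and why forcing locally generated packets through the forwarding path with "ip local policy" makes the telnet succeed. Packets are constructed 5-tuples, the host address 10.0.0.5 is made up, and IOS details such as reflexive timeouts are assumed away.

```python
# Added model of reflexive-ACL state, not an IOS implementation. Assumptions:
# packets are (proto, src, sport, dst, dport) tuples; router-originated traffic
# skips the interface's outbound ACL unless local policy routing is enabled.

class ReflexiveACL:
    def __init__(self, local_policy=False):
        self.local_policy = local_policy  # models "ip local policy route-map ..."
        self.reflected = set()            # dynamic entries of the MYFW list
        self.denied = []                  # what "deny ip any any log" would log

    def outbound(self, pkt, router_originated=False):
        """OUTACL on Ethernet0/0: permit ip any any reflect MYFW."""
        proto, src, sport, dst, dport = pkt
        # Locally generated packets are not evaluated by the interface's outbound
        # ACL, so no reflected entry is created unless local policy routing pushes
        # them back through the forwarding path (the loopback trick in the reply).
        if router_originated and not self.local_policy:
            return True
        self.reflected.add((proto, dst, dport, src, sport))  # mirror of the flow
        return True

    def inbound(self, pkt):
        """INACL on Ethernet0/0: evaluate MYFW, then deny ip any any log."""
        if pkt in self.reflected:
            return True
        self.denied.append(pkt)
        return False

def tcp_exchange(acl, src, dst, router_originated=False):
    """Send a TCP SYN to port 23 and report whether the SYN/ACK is let back in."""
    syn = ("tcp", src, 11000, dst, 23)
    acl.outbound(syn, router_originated=router_originated)
    syn_ack = ("tcp", dst, 23, src, 11000)
    return acl.inbound(syn_ack)

def telnet_from_router(local_policy):
    # Victor's test: R1#telnet 192.168.0.3, sourced from R1's own Ethernet address.
    acl = ReflexiveACL(local_policy)
    return tcp_exchange(acl, "192.168.0.1", "192.168.0.3", router_originated=True)

def telnet_transit():
    # A host behind R1 (constructed address 10.0.0.5) telnetting through R1 to R3.
    acl = ReflexiveACL()
    return tcp_exchange(acl, "10.0.0.5", "192.168.0.3")

def unsolicited_inbound():
    # R3 opening a new connection toward R1 with no matching reflected entry.
    acl = ReflexiveACL()
    return acl.inbound(("tcp", "192.168.0.3", 40000, "192.168.0.1", 23))
```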

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Joe
Clyde
Sent: Thursday, September 14, 2006 08:10 p.m.
To: ccielab@groupstudy.com
Subject: reflexive acl

    I've set up a reflexive acl on my router and it appears to be
working for anything going out the trusted interface unless it is
sourced from the router itself.
R1---->R2----->R4

    Both the acls are on the interface pointing towards R4. I can telnet
or ping to R4 from R1 and that traffic shows up under the reflected acl
like it should; R4 cannot telnet or ping back...again like it should.
However, when I source a ping or telnet from the loopback, or any other
interface on R2, to R4, I can't get through. I remember something about
how ACLs filter traffic that comes through the ports but not sourced from
them...or something like that. Any help on what I'm missing would be
appreciated. Or stated another way, how can I apply a reflexive acl
that will permit locally sourced addresses?

R2 config

interface Serial0/0.24 point-to-point
 description to-->r4
 ip address 192.168.24.2 255.255.255.248
 ip access-group notsafe in
 ip access-group safe out
 frame-relay interface-dlci 204

ip access-list extended notsafe
 permit ospf any any
 evaluate me
ip access-list extended safe
 permit ip any any reflect me



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART