From: Angelo De Guzman (a.deguzman@wesolv.ph.fujitsu.com)
Date: Fri Sep 15 2006 - 23:19:00 ART
Hi Joe,
I agree with Victor if this is your purpose. Is this what you want to
achieve? Also with Victor's idea I would be a little careful on my route map
definition. Using the policy below just made my OSPF neighbor relation dead
(these are other interfaces connected to the router where you applied the
policy).
Just my thoughts.
Victor Cappuccio (9/16/06 5:39 AM):
>
>Hi Joe,
>
>Let me see if I understand your question.
>
>If you need to push traffic out from the router, and also need the Reflexive
>ACL to not drop the traffic that you originate from the router, then you
>need to set a local policy pointing to any loopback, in that way you make
>your traffic flow through the router, and not be originated from the
>router itself
>
>Say that we have a topology like this: R1 ---- Eth ---- R3
>
>R1 Config#
>
>interface Ethernet0/0
>ip address 192.168.0.1 255.255.255.0
>ip access-group INACL in
>ip access-group OUTACL out
>!
>ip access-list extended INACL
>evaluate MYFW
>deny ip any any log
>! <-- This line is not needed, but I like to see the logs from traffic being denied
>
>ip access-list extended OUTACL
>permit ip any any reflect MYFW
>
>
>R1#telnet 192.168.0.3
>Trying 192.168.0.3 ...
>% Connection timed out; remote host not responding
>
>R1(config)#int loopback 0
>R1(config-if)#ip address 150.1.1.1 255.255.255.0
>R1(config-if)#route-map POLITICA:LOCAL
>R1(config-route-map)#set interface loopback 0
>R1(config-route-map)#ip local policy route-map POLITICA:LOCAL
>R1(config)#end
>
>R1#telnet 192.168.0.3
>Trying 192.168.0.3... Open
>
>Password required, but none set
>
>[Connection to 192.168.0.3 closed by foreign host]
>
>HTH
>Victor.-
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Joe
>Clyde
>Sent: Thursday, September 14, 2006 08:10 p.m.
>To: ccielab@groupstudy.com
>Subject: reflexive acl
>
> I've set up a reflexive acl on my router and it appears to be
>working for anything going out the trusted interface unless it is
>sourced from the router itself.
>R1---->R2----->R4
>
> Both the acls are on the interface pointing towards R4. I can telnet
>or ping to R4 from R1 and that traffic shows up under the reflected acl
>like it should, R4 can not telnet or ping back...again like it should.
>However when I source a ping or telnet from the loopback, or any other
>interface on R2 to R4, I can't get through. I remember something about
>how ACLs filter traffic that comes through the ports but not sourced from
>them...or something like that. Any help on what I'm missing would be
>appreciated. Or stated another way, how can I apply a reflexive acl
>that will permit locally sourced addresses?
>
>R2 config
>
>interface Serial0/0.24 point-to-point
> description to-->r4
> ip address 192.168.24.2 255.255.255.248
> ip access-group notsafe in
> ip access-group safe out
> frame-relay interface-dlci 204
>
>ip access-list extended notsafe
> permit ospf any any
> evaluate me
>ip access-list extended safe
> permit ip any any reflect me
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
>
>
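A small model of the behaviour the thread describes (added example, not from the list posts or from Cisco IOS): the outbound `reflect` entry is only created for traffic that passes through the interface's outbound ACL, router-originated packets skip that ACL unless `ip local policy` forces them through a loopback, and the inbound `evaluate` then has no reverse entry to match. Flow tuples and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """5-tuple as a reflexive ACL records it (constructed for the model)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveRouter:
    local_ips: set                      # addresses the router itself owns
    local_policy: bool = False          # 'ip local policy' -> set interface loopback
    static_in_permits: set = field(default_factory=lambda: {"ospf"})  # Joe's 'permit ospf any any'
    reflected: set = field(default_factory=set)   # temporary entries of MYFW / "me"

    def send(self, flow: Flow) -> str:
        """Packet leaving the ACL-protected interface (OUTACL / 'safe')."""
        locally_sourced = flow.src in self.local_ips
        if locally_sourced and not self.local_policy:
            # Router-originated traffic is not inspected by the outbound ACL,
            # so no reflexive entry is created for the return path.
            return "sent, not reflected"
        # Transit traffic (or local traffic pushed through by local policy)
        # hits 'permit ip any any reflect ...' and opens a return entry.
        self.reflected.add(flow)
        return "sent, reflected"

    def receive(self, flow: Flow) -> str:
        """Inbound ACL: static permits, then 'evaluate', then implicit deny."""
        if flow.proto in self.static_in_permits:
            return "permit"
        if flow.reverse() in self.reflected:
            return "permit"
        return "deny"


def telnet_from_router(local_policy: bool) -> str:
    """Outcome of the reply to 'R1#telnet 192.168.0.3' in the thread."""
    r = ReflexiveRouter(local_ips={"192.168.0.1", "150.1.1.1"}, local_policy=local_policy)
    syn = Flow("tcp", "192.168.0.1", 11001, "192.168.0.3", 23)
    r.send(syn)
    return r.receive(syn.reverse())
```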
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART