RE: local policy route-map not working for me

From: Udo (ccie_groupstudy@yahoo.de)
Date: Thu Nov 09 2006 - 05:26:23 ART


Hi ,

one of the policies is no ping from the outside world (R7) to R5 or R2,
but I should allow ping from inside my network: R2/R5 -> ping R7.
So when I configure INBOUND permit icmp any any then everyone can ping into my
local network.
Any help?
Udo
> Because the ICMP ping is from your R5, the ICMP doesn't match the OUTBOUND ACL; when the
> ICMP reply comes from R7 it matches the INBOUND ACL, which denies ICMP!
> You should try to ping from R2 or change the INBOUND ACL:
>
> ip access-list extended INBOUND
> permit icmp any any
> evaluate REFLECT
>
> hope this works!
>
> HaDucBinh
> Mail: haducbinh@vnpro.org or haducbinh@gmail.com
> Phone: +84 908 191 322
> ---------------------------------------------------------------------------
> Vietnamese Professionals (VnPro)
> Cisco Authorised Training
> 149/1D Ung Van Khiem Street, Ward 25, Binh Thanh District, Ho Chi Minh City
> Tel: (08) 5124257 - (08) 5125314
> Fax: (08) 5124314
> Website: http://vnpro.vn
> Support Forum: http://vnpro.org
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Udo
> Sent: Thursday, November 09, 2006 1:50 PM
> To: Michael Zuo
> Cc: Jian Gu; Hafizur Rahman (Europe); ccielab@groupstudy.com
> Subject: RE: local policy route-map not working for me
>
> Hi GS,
>
> I'm working with reflexive access-lists.
> Right now locally generated ICMP traffic doesn't work with the access-list.
> This is the topology:
> R2-s2/0--------------s2/0.25-R5-f1/0----------------f1/0-R7
>
>
> This is my configuration:
> ======================================================================
> R5:
> interface FastEthernet1/0
> desc to Router R7
> ip address 192.168.4.5 255.255.255.0
> ip access-group INBOUND in
> ip access-group OUTBOUND out
> duplex half
>
>
>
> ip local policy route-map LOCAL
>
>
> ip access-list extended INBOUND
> evaluate REFLECT
> ip access-list extended OUTBOUND
> permit tcp any any reflect REFLECT
> permit udp any any reflect REFLECT
> permit icmp any any reflect REFLECT
>
>
> route-map LOCAL permit 10
> match ip address LOCAL_ICMP_TRAFFIC
> set interface FastEthernet1/0
>
>
> ip access-list extended LOCAL_ICMP_TRAFFIC
> permit icmp any any
>
>
>
> I configured
> ip local policy TEST
>
> route-map TEST
> match ip address Local
> set interface Loopback 0
>
> When I ping from R5 to R7 I see the following debug output:
> ====================================
>
> Nov 9 07:48:24.351: %SEC-6-IPACCESSLOGDP: list 197 permitted icmp
> 192.168.4.7 -> 192.168.4.5 (0/0), 1 packet
> Nov 9 07:48:24.355: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> len 100, access denied
> Nov 9 07:48:24.359: ICMP type=0, code=0.
> Nov 9 07:48:26.315: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> len 100, access denied
> Nov 9 07:48:26.319: ICMP type=0, code=0.
> Nov 9 07:48:28.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> len 100, access denied
> Nov 9 07:48:28.323: ICMP type=0, code=0.
> Nov 9 07:48:30.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> len 100, access denied
> Nov 9 07:48:30.323: ICMP type=0, code=0.
> Nov 9 07:48:32.379: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> len 100, access denied
> Nov 9 07:48:32.383: ICMP type=0, code=0.
> ===================================================================
> I get an answer from R7 but the traffic is denied.
>
> Any help for me ?
>
> Udo
>
> On Wednesday, 08.11.2006, 16:06 -0800, Michael Zuo wrote:
> > Thanks for the reply. Jian, you mentioned that my original prefix-list
> > was not correct (ip prefix-list 10 seq 5 permit 142.1.0.0/24). I
> > thought I was supposed to match the destination IP subnet with the
> > prefix-list? It should've matched the source of the trace packets?
> >
> > thanks
> >
> > ________________________________
> >
> > From: Jian Gu [mailto:guxiaojian@gmail.com]
> > Sent: Wednesday, November 08, 2006 10:07 AM
> > To: Michael Zuo
> > Cc: Hafizur Rahman (Europe); ccielab@groupstudy.com
> > Subject: Re: local policy route-map not working for me
> >
> > Small correction, for traceroute you do need to match UDP, your
> > configuration works with ping.
> >
> > On 11/8/06, Jian Gu <guxiaojian@gmail.com> wrote:
> >
> > This configuration should work (and it works in my setup); the reason
> > your original configuration did not work is not because it is a prefix
> > list, it is because your prefix list was not configured correctly. When
> > a Cisco IOS router does a ping it consults its unicast routing table
> > and uses the outgoing interface's IP address as the ping packet's
> > source IP address.
> >
> > On 11/7/06, Michael Zuo <mzuo@ixiacom.com> wrote:
> >
> > Still does not work, I changed the configuration to:
> >
> > ip access-list extended PING
> > permit icmp any host 142.1.0.4
> > !
> > route-map PING permit 10
> > match ip address PING
> > set ip next-hop 142.1.46.4
> >
> > still:
> >
> > R6(config-ext-nacl)#do trace 142.1.0.4
> >
> > Type escape sequence to abort.
> > Tracing the route to 142.1.0.4
> >
> > 1 204.12.1.3 4 msec 0 msec 4 msec
> > 2 142.1.0.4 32 msec * 28 msec
> >
> > Any ideas on how I can debug?
> >
> > Thanks...
> >
> > -----Original Message-----
> > From: Hafizur Rahman (Europe) [mailto:hafizur.rahman@uk.didata.com]
> > Sent: Monday, November 06, 2006 11:37 PM
> > To: Michael Zuo; ccielab@groupstudy.com
> > Subject: RE: local policy route-map not working for me
> >
> > Hi Michael
> >
> > Try using an extended ACL instead of a prefix list
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Michael Zuo
> > Sent: 07 November 2006 07:09
> > To: ccielab@groupstudy.com
> > Subject: local policy route-map not working for me
> >
> > Hi All,
> >
> > I am having a problem with my local policy routing and can not figure
> > out why it is not working:
> >
> > Topology:
> > =======
> > R3, R4 and R6 form a triangle
> >
> > Networks:
> > =======
> > Between R3, R4: 142.1.34.0/24
> > Between R3, R6: 204.12.1.0/24
> > Between R4, R6: 142.1.46.0/24
> >
> > R4 also has IP address 142.1.0.4
> >
> > OSPF is configured in a way that a ping from R6 to 142.1.0.4 would go through
> > R3 first (R3 touches area 0)
> >
> > I am trying to use policy routing to route ICMP from R6 directly over
> > the connection between R4 and R6, which is not in OSPF
> >
> > Configuration
> > =======
> >
> > R6:
> >
> > router ospf 1
> > log-adjacency-changes
> > network 54.1.3.6 0.0.0.0 area 3
> > network 204.12.1.6 0.0.0.0 area 3
> >
> > ip local policy route-map PING
> > !
> > ip prefix-list 10 seq 5 permit 142.1.0.0/24
> > !
> > !
> > route-map PING permit 10
> > match ip address prefix-list 10
> > set ip next-hop 142.1.46.4
> >
> > Result
> > =====
> >
> > R6(config)#do trace 142.1.0.4
> >
> > Type escape sequence to abort.
> > Tracing the route to 142.1.0.4
> >
> > 1 204.12.1.3 0 msec 0 msec 4 msec
> > 2 142.1.0.4 28 msec * 28 msec
> > R6(config)#
> >
> > R6#sh ip loc pol
> > Local policy routing is enabled, using route map PING
> > route-map PING, permit, sequence 10
> > Match clauses:
> > ip address prefix-lists: 10
> > Set clauses:
> > ip next-hop 142.1.46.4
> > Policy routing matches: 5 packets, 320 bytes
> >
> > Which means R6 still goes through R3 first before getting to R4!! Also, the
> > packet count in "sh ip loc pol" does not increase
> >
> > Am I missing something obvious? How do I debug further?
> >
> > Thanks a bunch!!
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
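The behaviour HaDucBinh describes, as an added Python model written for this thread (constructed here, not code from the thread and not IOS): an interface's outbound ACL is not applied to packets the router itself originates, so R5's own ping creates no reflexive entry and R7's echo reply is dropped by `evaluate REFLECT`, while a transit ping from R2 works. It also shows why the suggested `permit icmp any any` in INBOUND lets R7 ping in, which is exactly what Udo's policy forbids. R2's address 192.168.25.2 is a constructed placeholder.

```python
"""Simplified model of reflexive ACLs on R5's Fa1/0 (constructed example).

OUTBOUND: permit icmp/tcp/udp any any reflect REFLECT
INBOUND:  evaluate REFLECT  (optionally preceded by permit icmp any any)
"""
from dataclasses import dataclass, field

R5, R7 = "192.168.4.5", "192.168.4.7"
R2 = "192.168.25.2"  # placeholder, R2's real address is not in the thread


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: int = 8        # 8 = echo request, 0 = echo reply
    local: bool = False       # True when R5 itself generated the packet


@dataclass
class ReflexiveFirewall:
    inbound_permits_all_icmp: bool = False
    reflect: set = field(default_factory=set)  # mirrored (proto, src, dst)

    def outbound(self, p: Packet) -> bool:
        # IOS does not run router-originated packets through the interface's
        # outbound ACL, so the 'reflect' keyword never sees them.
        if p.local:
            return True
        # Transit traffic: mirror src/dst so the reply is allowed back in.
        self.reflect.add((p.proto, p.dst, p.src))
        return True

    def inbound(self, p: Packet) -> bool:
        if self.inbound_permits_all_icmp and p.proto == "icmp":
            return True  # the proposed 'permit icmp any any' line
        return (p.proto, p.src, p.dst) in self.reflect  # evaluate REFLECT


def ping(fw: ReflexiveFirewall, src: str, dst: str, local: bool) -> bool:
    """Send an echo request out Fa1/0 and report whether the reply gets in."""
    fw.outbound(Packet("icmp", src, dst, 8, local))
    return fw.inbound(Packet("icmp", dst, src, 0))


def unsolicited_ping_from_r7(fw: ReflexiveFirewall) -> bool:
    """R7 pinging R2 with no prior outbound traffic (policy says: deny)."""
    return fw.inbound(Packet("icmp", R7, R2, 8))
```

Running the functions reproduces the debug output in the thread (reply from R7 denied for R5's own ping) and shows that relaxing INBOUND to permit all ICMP trades the original policy away.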
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART