From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Nov 23 2006 - 04:19:34 ART
Actually, all you need is
"permit icmp any any echo reflect REFIN"
Also, while DocCD claims that ICMP type codes are used to create
reflected entries, I never had observed this fact, at least with 12.2T :)
<DocCD>
(This entry characteristic applies only for TCP and UDP packets. Other
protocols, such as ICMP and IGMP, do not have port numbers, and other
criteria are specified. For example, for ICMP, type numbers are used
instead.)
</DocCD>
A reflected entry is just a basic "permit icmp host x.x.x.x host y.y.y.y"
Here is a sample show output:
R2#show ip access-lists
Extended IP access list INBOUND
10 permit icmp any any echo reflect MIRROR
20 permit ip any any (105 matches)
Reflexive IP access list MIRROR
permit icmp host 155.1.0.254 host 155.1.123.3 (27 matches) (time left 298)
permit icmp host 155.1.123.2 host 155.1.123.3 (9 matches) (time left 213)
2006/11/23, Kal Han <calikali2006@gmail.com>:
>
> Hi
> Given that the icmp echo and echo-reply are of different types/codes
> will adding a reflexive acl for icmp permit return traffic ?
>
> example:
>
> Extended IP access list inbound
> 1 permit icmp any any echo reflect refin
> 2 permit icmp any any echo-reply reflect refin
>
> Extended IP access list outbound
> 1 eval refin
>
> with these access-lists applied on one interface,
> will I be able to ping from outside to inside ?
>
> Thanks
> Kal
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
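To make the behaviour described above concrete (an ICMP echo permitted with `reflect` creates a plain host-to-host mirror entry, and `evaluate` matches the echo-reply because the entry carries no ICMP type), here is an added Python model of the reflect/evaluate logic. It is not code from this thread or from Cisco IOS; the 300-second timeout, the addresses and the simplified host/protocol matching are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0


@dataclass
class Packet:
    proto: str                      # e.g. "icmp"
    src: str
    dst: str
    icmp_type: Optional[int] = None


@dataclass
class ReflexiveEntry:
    """One 'permit icmp host A host B' line of a reflexive list (no type/code)."""
    proto: str
    src: str            # source the RETURN packet must have (original destination)
    dst: str            # destination the RETURN packet must have (original source)
    expires_at: float   # assumed idle timeout, like the 'time left' counter in show output


class ReflexiveAcl:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout
        self.entries: List[ReflexiveEntry] = []

    def reflect(self, pkt: Packet, now: float) -> None:
        """'permit icmp any any echo reflect NAME': only an echo triggers the entry,
        but the mirror entry itself records protocol and hosts only."""
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO:
            self.entries.append(ReflexiveEntry(pkt.proto, pkt.dst, pkt.src, now + self.timeout))

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """'evaluate NAME': permit if a live entry matches protocol and both hosts.
        The ICMP type is deliberately not compared, so an echo-reply passes."""
        self.entries = [e for e in self.entries if e.expires_at > now]
        return any(e.proto == pkt.proto and e.src == pkt.src and e.dst == pkt.dst
                   for e in self.entries)

    def show(self, now: float) -> List[str]:
        """Render live entries the way 'show ip access-lists' prints a reflexive list."""
        return [f"permit {e.proto} host {e.src} host {e.dst} (time left {int(e.expires_at - now)})"
                for e in self.entries if e.expires_at > now]
```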
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART