From: Benjamin Hill (ibennybravo@gmail.com)
Date: Sat Jun 02 2007 - 13:13:48 ART
Your best bet with access-lists is always to see what is getting blocked.
Start by changing the implicit deny in your INBOUND access-lists to an
explicit deny and log hits to the deny statement i.e.
ip access-list extended INBOUND
evaluate MIRROR
deny ip any any log
More than likely your OSPF is getting blocked because it is generated
locally from the router, and so won't be evaluated by your outgoing
access-list. You can get around this with a local policy-map, but you'd
probably be better off just allowing OSPF into the outside interface i.e.
ip access-list extended INBOUND
permit ospf any any
evaluate MIRROR
deny ip any any log
HTH
Ben
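To make Ben's point concrete, here is a small Python model of R3's Serial2/3 (an added example, not from the thread and not IOS code): transit traffic through OUTBOUND creates a MIRROR entry, but R3's own OSPF hello bypasses the outgoing ACL, so the neighbour's hello only gets in once OSPF is permitted explicitly on INBOUND. The peer address 136.1.23.2 and inside host 136.1.13.1 are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    local: bool = False   # True when R3 itself generated the packet

@dataclass
class Serial23:
    """Simplified model of the thread's Serial2/3 (not IOS code).

    OUTBOUND reflects transit traffic into MIRROR; INBOUND is explicit
    permits, then 'evaluate MIRROR', then Ben's 'deny ip any any log'.
    """
    outbound_reflect: tuple = ("icmp", "tcp", "udp", "ospf")
    inbound_permit: tuple = ()
    mirror: set = field(default_factory=set)
    deny_log: list = field(default_factory=list)

    def send_out(self, pkt: Pkt) -> bool:
        # Locally generated packets (R3's own OSPF hellos) are not
        # checked by the outgoing ACL, so they leave no MIRROR entry.
        if pkt.local:
            return True
        if pkt.proto in self.outbound_reflect:
            self.mirror.add((pkt.proto, pkt.dst, pkt.src))  # reversed pair
            return True
        return False

    def receive_in(self, pkt: Pkt) -> bool:
        if pkt.proto in self.inbound_permit:
            return True
        if (pkt.proto, pkt.src, pkt.dst) in self.mirror:  # evaluate MIRROR
            return True
        self.deny_log.append(f"INBOUND denied {pkt.proto} {pkt.src} -> {pkt.dst}")
        return False

def run_scenario(permit_ospf_inbound: bool) -> dict:
    """Return what passes INBOUND with and without Ben's 'permit ospf any any'."""
    r3 = Serial23(inbound_permit=("ospf",) if permit_ospf_inbound else ())
    inside, r3_ip, peer = "136.1.13.1", "136.1.23.3", "136.1.23.2"  # peer/inside constructed
    r3.send_out(Pkt("icmp", inside, peer))            # transit ping: reflected
    ping_reply = r3.receive_in(Pkt("icmp", peer, inside))
    r3.send_out(Pkt("ospf", r3_ip, "224.0.0.5", local=True))  # R3's own hello
    hello_in = r3.receive_in(Pkt("ospf", peer, "224.0.0.5"))
    return {"ping_reply": ping_reply, "ospf_hello": hello_in, "log": list(r3.deny_log)}
```

Without the explicit permit the deny log shows exactly the dropped OSPF hello, which is the evidence Ben suggests collecting first.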
On 6/2/07, premkumar somasundaram <premkumar.somasundaram@gmail.com> wrote:
>
> Group.
> I have an issue with the reflexive access-list. Here is the scenario.... I
> need to configure reflexive access-list on R3 to allow ICMP, TCP, UDP and
> OSPF traffic from inside to outside. The configuration is as follows.
>
>
> interface Serial2/3
> ip address 136.1.23.3 255.255.255.0
> ip access-group INBOUND in
> ip access-group OUTBOUND out
> encapsulation ppp
> clock rate 64000
> no dce-terminal-timing-enable
>
>
> ip access-list extended INBOUND
> evaluate MIRROR
> ip access-list extended OUTBOUND
> permit icmp any any reflect MIRROR
> permit tcp any any reflect MIRROR
> permit udp any any reflect MIRROR
> permit ospf any any reflect MIRROR
> !
>
> For testing, I used ping for ICMP, Telnet for TCP, and the routing
> protocol for OSPF.
>
> But none of them worked... I am sure something is missing from the config
> which I couldn't find out... Can anyone help me on this...
>
>
> Thanks
> Prem
>
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:46 ART