From: Eric Dobyns (eric_dobyns@yahoo.com)
Date: Mon Jul 16 2007 - 10:25:02 ART
And make sure you allow any dynamic routing protocols before you put your
"evaluate [reflexive name]" comment, i.e. permit ospf any any. That one
will getcha.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Salau, Yemi
Sent: Monday, July 16, 2007 4:16 AM
To: Bob Nelson; ccielab@groupstudy.com
Subject: RE: Confused on Reflexive ACL
The evaluate command is an integral part of a reflexive ACL; it is what adds the entry that points to the reflexive access list. Let me take time to answer your questions:
1. You have the option to configure a reflexive ACL on either the exterior or the interior interface. If you choose the exterior interface, then you need a pair of ACLs: one allowing traffic to flow from your LAN to the WAN, the other preventing traffic coming in from the WAN unless it is part of a session established from the LAN.
So you would need to apply the extended ACLs in the outbound and inbound directions.
2. When NAT (outside) is configured on the external interface, that would mean that as the traffic is coming in from the outside interface, the source/destination address is changed (depending on what you configure anyway); I think NATting occurs before ACL traffic filtering, so it would make sense that both will interoperate. Remember that NAT doesn't filter, it only changes the source/destination IP/TCP address of packets. In this case, even if you have NAT outside configured on the external interface, the ACL will reflect the packet out of your network; by this time the NAT would have completed altering the IP/TCP address, so it's only traffic which is reflected that is evaluated to come in on return.
3. I'm yet to find the part of the Cisco doc that said evaluate isn't used by default. Anyway, like I said before, evaluate is an integral part of a reflexive ACL: you need to be able to add the dynamic entry that points to the reflexive ACL which allows the traffic to come in from the outside interface.
You know what, check this example out from Cisco CCO:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm#wp1001198
Many Thanks
Yemi Salau
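The configuration Yemi describes (a reflect/evaluate pair on the exterior interface) together with Eric's point about permitting routing protocols ahead of the evaluate line, written out as an added example for this thread. It is not taken from the Cisco page linked above; the interface name, ACL names, addresses and timeouts are assumed for illustration.

```cisco
! Added example (not from the thread): reflexive ACL on the exterior (WAN)
! interface. Interface, ACL names, addresses and timeouts are assumed.
!
! Outbound ACL: traffic leaving the LAN toward the WAN. Each "reflect" line
! creates a temporary mirrored entry (source/destination addresses and ports
! swapped) in the nested list LAN-SESSIONS for every session it permits.
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect LAN-SESSIONS timeout 300
 permit udp any any reflect LAN-SESSIONS timeout 60
 permit icmp any any reflect LAN-SESSIONS
 permit ip any any
!
! Inbound ACL: traffic arriving from the WAN. Anything not matching a
! reflected entry falls through to the implicit deny.
! OSPF hellos from the neighbour are never "reflected" (the neighbour
! originates them, there is no LAN-initiated session), so they must be
! permitted explicitly, and before the evaluate line, or the adjacency
! fails once the ACL is applied.
ip access-list extended INBOUND-FILTER
 permit ospf any any
 evaluate LAN-SESSIONS
!
interface Serial0/0
 description WAN (exterior interface)
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
!
! Global default lifetime for reflected entries that carry no per-line
! timeout (ICMP above); idle entries are removed when it expires.
ip reflexive-list timeout 120
```

Two things worth checking after applying this: `show access-list LAN-SESSIONS` lists the temporary entries as sessions are opened from the LAN, and on the NAT question, IOS checks the inbound ACL on the outside interface before outside-to-inside translation and the outbound ACL after inside-to-outside translation, so both lists see the global (post-NAT) addresses and the mirrored entry matches the return packet.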
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bob Nelson
Sent: Monday, July 16, 2007 3:20 AM
To: ccielab@groupstudy.com
Subject: Confused on Reflexive ACL
All:
I searched through the archives and did not find what I was looking for. I looked through the Cisco documentation and found some conflicting information on the same topic. Here are a couple of quick questions:
1. On an exterior interface, is the extended applied in the outbound or inbound direction? My belief was that if applied in the outbound, that would create the entry in the nested ACL and allow return traffic back into the network. Clarify??
2. On an external facing interface, with NAT (outside) configured, will
reflexive ACLs even work?
3. Unsure about the evaluate command. Cisco says the default is not to use it, but what does it do as opposed to the regular reflexive ACL?
Thanks and regards,
Bob
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART