Re: Confused on Reflexive ACL

From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Mon Jul 16 2007 - 11:37:15 ART


Related to the 2nd point: NAT works with Reflexive ACLs without any
problem.

On 7/16/07, Eric Dobyns <eric_dobyns@yahoo.com> wrote:
>
> And make sure you allow any dynamic routing protocols before you put your
> "evaluate [reflexive name]" command, i.e. permit ospf any any. That one
> will getcha.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Salau, Yemi
> Sent: Monday, July 16, 2007 4:16 AM
> To: Bob Nelson; ccielab@groupstudy.com
> Subject: RE: Confused on Reflexive ACL
>
> The evaluate command is an integral part of Reflexive ACL; this is what adds
> the entry that points to the reflexive access list. Let me take time to
> answer your questions:
>
> 1. You have the option to configure Reflexive ACL on either the exterior or
> interior interface. If you chose the exterior interface, then you need a
> pair of ACLs, one allowing traffic to flow from your LAN to the WAN, the
> other ACL to prevent traffic coming in from the WAN except if it is
> part of a session established from the LAN.
> So you would need to apply the extended ACLs in the outbound and inbound
> direction.
>
> 2. When NAT (outside) is configured on the external interface, that
> would mean that as the traffic is coming in from the outside interface,
> change the source/destination address (depending on what you configure
> anyway); I think NATting occurs before ACL traffic filtering, so it
> would make sense that both will interoperate. Remember that NAT doesn't
> filter, it only changes the source/destination IP/TCP address of
> packets. In this case even if you have NAT outside configured on the
> external interface, the ACL will reflect the packet out of your network; by
> this time, the NAT would have completed altering the IP/TCP address, so
> it's only traffic which is reflected that is evaluated to come in on
> return.
>
> 3. I'm yet to find the part of the Cisco Doc that said evaluate isn't used
> by default. Anyway, like I said before, evaluate is an integral part of
> Reflexive ACL; you need to be able to add a dynamic entry that points to
> the reflexive ACL which allows the traffic to come in from the outside
> interface.
>
> You know what, check this example out from Cisco CCO:-
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm#wp1001198
>
> Many Thanks
>
> Yemi Salau
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Bob Nelson
> Sent: Monday, July 16, 2007 3:20 AM
> To: ccielab@groupstudy.com
> Subject: Confused on Reflexive ACL
>
> All:
>
> I searched through the archives and did not find what I was looking for. I
> looked through the Cisco documentation and found some conflicting
> information on the same topic. Here are a couple of quick questions:
>
> 1. On an exterior interface, is the extended ACL applied in the outbound or
> inbound direction? My belief was that if applied in the outbound, that
> would create the entry in the nested ACL and allow return traffic back into
> the network. Clarify??
>
> 2. On an external facing interface, with NAT (outside) configured, will
> reflexive ACLs even work?
>
> 3. Unsure about the evaluate command. Cisco says the default is not to use
> it, but what does it do as opposed to the regular reflexive ACL?
>
> Thanks and regards,
>
> Bob
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
Muhammad Nasim
Network Engineer
SISCOM
Saudi Arabia
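To put the three answers in the thread side by side in one configuration, here is an added worked example in Cisco IOS CLI. It is not from any poster in this thread or from the Cisco document linked above; the interface names, ACL names and timeout values are assumed.

```cisco
! Added example; interface names, ACL names and timeouts are assumed.
! Reflexive ACLs require NAMED extended ACLs (reflect/evaluate are not
! available in numbered ACLs).
!
! Outbound ACL on the exterior interface: each permitted session creates a
! temporary, mirrored (source/destination swapped) entry in the named
! reflexive list, which expires after the timeout once the session is idle.
ip access-list extended LAN-TO-WAN
 permit tcp any any reflect REFLECT-TCP timeout 300
 permit udp any any reflect REFLECT-UDP timeout 60
 permit icmp any any reflect REFLECT-ICMP timeout 30
 permit ip any any
!
! Inbound ACL on the same interface: the evaluate lines are where the
! reflected entries are consulted. Traffic the router itself needs from the
! WAN (a routing protocol, OSPF here) must be permitted BEFORE the evaluate
! lines, because no inside host ever opens such a session, so no reflexive
! entry will ever exist for it.
ip access-list extended WAN-TO-LAN
 permit ospf any any
 evaluate REFLECT-TCP
 evaluate REFLECT-UDP
 evaluate REFLECT-ICMP
 deny ip any any log
!
interface Serial0/0
 description Exterior (WAN) interface
 ip nat outside
 ip access-group LAN-TO-WAN out
 ip access-group WAN-TO-LAN in
!
interface FastEthernet0/0
 description Interior (LAN) interface
 ip nat inside
!
! Why NAT and the reflexive ACL coexist: inside-to-outside translation runs
! before the outbound ACL, and the inbound ACL runs before outside-to-inside
! translation, so both the reflected entry and the returning packet carry the
! translated (global) addresses and match each other.
!
! Caveat: sessions that negotiate a second channel on a different port
! (e.g. active-mode FTP) are not covered by the mirrored entry.
!
! Verification: temporary entries appear here as inside hosts open sessions.
! show ip access-lists REFLECT-TCP
```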


This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART