RE: Confused on Reflexive ACL

From: Salau, Yemi (yemi.salau@siemens.com)
Date: Mon Jul 16 2007 - 12:03:54 ART


My gear is currently not online to prove this to you guys (sh ip nat
translations/sh access-list etc.), but you know what, I'm sure NAT works
well with Reflexive ACLs.

Check this out:

!
hostname Cisco1721
!
ip subnet-zero
!
ip routing
!
ip cef
!
ip access-list extended NATpool1
permit ip 192.168.255.0 0.0.0.255 any
!
! reflexive ACLs require named extended ACLs
ip access-list extended internet-in
permit icmp any any unreachable
permit icmp any any echo-reply
deny icmp any any
evaluate tcptraffic
!
ip access-list extended internet-out
permit tcp any any reflect tcptraffic
!
interface FastEthernet0
ip address 192.168.255.1 255.255.255.0
no ip route-cache
speed auto
no full-duplex
ip nat inside
!
interface Serial0
ip address 10.128.128.1 255.255.255.252
service-module t1 timeslots 1-24
ip nat outside
no cdp enable
fair-queue
ip access-group internet-in in
ip access-group internet-out out
!
ip route 0.0.0.0 0.0.0.0 10.128.128.2
!
! single-address pool; the end address and netmask were missing from the
! original line and are assumed here
ip nat pool outside1 10.0.0.10 10.0.0.10 netmask 255.255.255.0
!
! ACL names are case-sensitive, so the list must match NATpool1 above
ip nat inside source list NATpool1 pool outside1 overload
!
ip dhcp excluded-address 192.168.255.2 192.168.255.100
!
ip dhcp pool 0
network 192.168.255.0 255.255.255.0
dns-server xxx.xxx.xxx.xx
default-router 192.168.255.1
domain-name yourdomain
!

 
Many Thanks
 
Yemi Salau

 

________________________________

From: Muhammad Nasim [mailto:muhammad.nasim@gmail.com]
Sent: Monday, July 16, 2007 3:37 PM
To: Eric Dobyns
Cc: Salau, Yemi; Bob Nelson; ccielab@groupstudy.com
Subject: Re: Confused on Reflexive ACL

Related to the 2nd point: NAT works with Reflexive ACLs without any
problem.

On 7/16/07, Eric Dobyns <eric_dobyns@yahoo.com
<mailto:eric_dobyns@yahoo.com> > wrote:

        And make sure you allow any dynamic routing protocols before you
        put your "evaluate [reflexive name]" command, i.e. permit ospf any
        any. That one will getcha.
        
        -----Original Message-----
        From: nobody@groupstudy.com [mailto: nobody@groupstudy.com
<mailto:nobody@groupstudy.com> ] On Behalf Of
        Salau, Yemi
        Sent: Monday, July 16, 2007 4:16 AM
        To: Bob Nelson; ccielab@groupstudy.com
        Subject: RE: Confused on Reflexive ACL
        
        The evaluate command is an integral part of a Reflexive ACL; this is
        what adds the entry that points to the reflexive access list. Let me
        take time to answer your questions:
        
        1. You have the option to configure the Reflexive ACL on either the
        exterior or the interior interface. If you choose the exterior
        interface, then you need a pair of ACLs: one allowing traffic to flow
        from your LAN to the WAN, the other preventing traffic coming in from
        the WAN unless it is part of a session established from the LAN.
        So you would need to apply the extended ACLs in the outbound and
        inbound directions.
        
        2. When NAT (outside) is configured on the external interface, that
        would mean that as the traffic is coming in from the outside
        interface, the source/destination address is changed (depending on
        what you configure anyway); I think NATting occurs before ACL traffic
        filtering, so it would make sense that both will interoperate.
        Remember that NAT doesn't filter, it only changes the
        source/destination IP/TCP address of packets. In this case, even if
        you have NAT outside configured on the external interface, the ACL
        will reflect the packet out of your network; by this time, NAT would
        have completed altering the IP/TCP address, so it's only traffic
        which is reflected that is evaluated to come in on return.
        
        3. I'm yet to find the part of the Cisco Doc that said evaluate isn't
        used by default. Anyway, like I said before, evaluate is an integral
        part of a Reflexive ACL; you need to be able to add the dynamic entry
        that points to the reflexive ACL which allows the traffic to come in
        from the outside interface.
        
        You know what, check this example out from Cisco CCO:-
        
        http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm#wp1001198
        
        Many Thanks
        
        Yemi Salau
        
        -----Original Message-----
        From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
Behalf Of
        Bob Nelson
        Sent: Monday, July 16, 2007 3:20 AM
        To: ccielab@groupstudy.com
        Subject: Confused on Reflexive ACL
        
        All:
        
        I searched through the archives and did not find what I was looking
        for. I looked through the Cisco documentation and found some
        conflicting information on the same topic. Here are a couple of quick
        questions:
        
        1. On an exterior interface, is the extended ACL applied in the
        outbound or inbound direction? My belief was that if applied in the
        outbound direction, that would create the entry in the nested ACL and
        allow return traffic back into the network. Clarify??
        
        2. On an external facing interface, with NAT (outside) configured,
        will reflexive ACLs even work?
        
        3. Unsure about the evaluate command. Cisco says the default is not
        to use it, but what does it do as opposed to the regular reflexive
        ACL?
        
        Thanks and regards,
        
        Bob
        
        


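The interaction argued over in question 2 (a reflexive ACL and NAT outside on the same Serial interface) and Eric's routing-protocol gotcha, as an added example. This is not any participant's code and not a Cisco tool; it is a small Python model of one outside interface that follows the IOS order of operations for a NAT-outside interface (inside-to-outside: NAT translation, then output ACL; outside-to-inside: input ACL, then NAT translation). Because the outbound ACL runs after translation, the entry created by `reflect` holds the NAT global address and port, and because the inbound ACL runs before translation, the return packet matches that entry on `evaluate`. Addresses are constructed, the PAT overload mapping is simplified to one global port per local (ip, port), and the names ReflexiveOutsideInterface, send_out and receive_in are the example's own.

```python
"""Toy model of a Cisco IOS reflexive ACL on a NAT-outside interface.

Added example, not a participant's config and not IOS itself. It mirrors
the documented IOS order of operations on one interface:

  inside -> outside : NAT (local -> global)  then  output ACL
  outside -> inside : input ACL  then  NAT (global -> local)

Addresses are constructed (RFC 1918 / RFC 5737 ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "icmp" or "ospf"
    src: str
    sport: int      # 0 for protocols without ports
    dst: str
    dport: int
    kind: str = ""  # ICMP message type such as "echo-reply"; unused otherwise


class ReflexiveOutsideInterface:
    REFLEXIVE_TIMEOUT = 300.0  # seconds of inactivity; the IOS default

    def __init__(self, nat_global: str, permit_in_before_evaluate=()):
        self.nat_global = nat_global
        # protocols given explicit permit lines ahead of `evaluate`
        self.permit_in = set(permit_in_before_evaluate)
        self.pat = {}        # (local_ip, local_port) -> global_port
        self.pat_rev = {}    # global_port -> (local_ip, local_port)
        self.reflexive = {}  # (proto, src, sport, dst, dport) -> expiry
        self._next_port = 1024

    # --- NAT: ip nat inside source list ... overload ----------------------
    def _nat_inside_to_outside(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.pat:
            self.pat[key] = self._next_port
            self.pat_rev[self._next_port] = key
            self._next_port += 1
        return Packet(p.proto, self.nat_global, self.pat[key], p.dst, p.dport, p.kind)

    def _nat_outside_to_inside(self, p: Packet) -> Packet:
        local_ip, local_port = self.pat_rev[p.dport]
        return Packet(p.proto, p.src, p.sport, local_ip, local_port, p.kind)

    # --- ACLs --------------------------------------------------------------
    def _output_acl(self, p: Packet, now: float) -> bool:
        # ip access-list extended internet-out
        #  permit tcp any any reflect tcptraffic
        if p.proto == "tcp":
            # the temporary entry is the mirror image of the outbound packet,
            # built from the post-NAT (global) addresses
            mirror = ("tcp", p.dst, p.dport, p.src, p.sport)
            self.reflexive[mirror] = now + self.REFLEXIVE_TIMEOUT
            return True
        return False  # implicit deny

    def _input_acl(self, p: Packet, now: float) -> bool:
        # ip access-list extended internet-in
        #  permit icmp any any unreachable / echo-reply, deny icmp any any
        #  permit <routing protocol> any any   <- must come before evaluate
        #  evaluate tcptraffic                 <- then implicit deny
        if p.proto == "icmp":
            return p.kind in ("unreachable", "echo-reply")
        if p.proto in self.permit_in:
            return True
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self.reflexive.get(key)
        if expiry is not None and now <= expiry:
            self.reflexive[key] = now + self.REFLEXIVE_TIMEOUT  # activity resets the timer
            return True
        self.reflexive.pop(key, None)  # stale entry is gone
        return False

    # --- per-direction pipelines ------------------------------------------
    def send_out(self, p: Packet, now: float):
        """Inside -> outside: translate first, so the outbound ACL sees globals."""
        translated = self._nat_inside_to_outside(p)
        if self._output_acl(translated, now):
            return ("permit", translated)
        return ("deny", None)

    def receive_in(self, p: Packet, now: float):
        """Outside -> inside: inbound ACL checks globals, then NAT untranslates."""
        if not self._input_acl(p, now):
            return ("deny", None)
        if p.proto == "tcp" and p.dport in self.pat_rev:
            return ("permit", self._nat_outside_to_inside(p))
        return ("permit", p)  # non-TCP traffic is passed untranslated in this model
```

Run the LAN host's SYN through `send_out` and the server's SYN/ACK through `receive_in`: the reflexive entry is keyed on 10.0.0.10 and the PAT port, the reply is permitted and then rewritten back to 192.168.255.x, while an unsolicited inbound SYN, an OSPF hello with no explicit permit, or a reply arriving after 300 idle seconds all hit the implicit deny.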

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART