From: sam s (samarth_04@hotmail.com)
Date: Mon Jul 16 2007 - 12:41:04 ART
You need to allow dynamic routing protocols explicitly and other locally
originated traffic (if you need) because reflexive acl's only reflect TRANSIT
traffic.
Best Wishes,
SAMARTH

> From: eric_dobyns@yahoo.com
> To: yemi.salau@siemens.com; nelsnjr@cox.net; ccielab@groupstudy.com
> Subject: RE: Confused on Reflexive ACL
> Date: Mon, 16 Jul 2007 08:25:02 -0500
>
> And make sure you allow any dynamic routing protocols before you put your
> "evaluate [reflexive name]" comment, i.e. permit ospf any any. That one
> will getcha.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Salau, Yemi
> Sent: Monday, July 16, 2007 4:16 AM
> To: Bob Nelson; ccielab@groupstudy.com
> Subject: RE: Confused on Reflexive ACL
>
> The evaluate command is an integral part of Reflexive ACL; this is what adds
> the entry that points to the reflexive access list. Let me take time to
> answer your questions:
>
> 1. You have the option to configure Reflexive ACL on either the exterior or
> interior interface. If you chose the exterior interface, then you need 2
> pair of ACLs, one allowing traffic to flow from your LAN to the WAN, the
> other ACL to prevent traffic coming in from the WAN except if they are part
> of a session established from the LAN. So you would need to apply the
> extended acls in the outbound and inbound direction.
>
> 2. When NAT (outside) is configured on the external interface, that would
> mean that as the traffic is coming in from the outside interface, change the
> source/destination address (depending on what you configure anyway); I think
> Natting occurs before acl traffic filtering, so it would make sense that
> both will interoperate. Remember that NAT doesn't filter, it only changes
> the source/destination IP/TCP address of packets. In this case even if you
> have NAT outside configured on the external interface, ACL will reflect the
> packet out of your network; by this time, the NAT would have completed
> altering the IP/TCP address, so it's only traffic which is reflected that is
> evaluated to come in on return.
>
> 3. I'm yet to find this part of the Cisco Doc that said evaluate isn't used
> by default. Anyway, like I said before, evaluate is an integral part of
> Reflexive ACL; you need to be able to add a dynamic entry that points to the
> reflexive acl which allows the traffic to come in from the outside
> interface.
>
> You know what, check this example out from Cisco CCO:-
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm#wp1001198
>
> Many Thanks
>
> Yemi Salau
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Bob Nelson
> Sent: Monday, July 16, 2007 3:20 AM
> To: ccielab@groupstudy.com
> Subject: Confused on Reflexive ACL
>
> All:
>
> I searched through the archives and did not find what I was looking for.
> I looked through the Cisco documentation and found some conflicting
> information on the same topic. Here are a couple of quick questions:
>
> 1. On an exterior interface, is the extended applied in the outbound or
> inbound direction? My belief was that if applied in the outbound, that
> would create the entry in the nested ACL and allow return traffic back
> into the network. Clarify??
>
> 2. On an external facing interface, with NAT (outside) configured, will
> reflexive ACLs even work?
>
> 3. Unsure about the evaluate command. Cisco says the default is not to
> use it, but what does it do as opposed to the regular reflexive ACL?
>
> Thanks and regards,
>
> Bob
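The two replies above, combined into one IOS configuration for the exterior interface. This is an added example, not from the thread or from the Cisco page it links; the interface names, list names and the 192.0.2.1 BGP peer address are assumptions.

```cisco
! Constructed example: FastEthernet0/0 is the exterior (WAN) interface, the
! LAN sits behind FastEthernet0/1, and 192.0.2.1 is an assumed eBGP peer.
! All names and addresses are placeholders.
!
! Outbound list on the exterior interface: "reflect" creates a temporary
! mirror-image entry in RTRAFFIC for each TRANSIT session leaving the LAN.
! With NAT outside on this interface the entries carry the translated
! addresses, which is what the return packets will also carry.
! Router-originated packets (OSPF hellos, the router's own BGP session) do
! not pass through an outbound ACL, so they are never reflected.
ip access-list extended OUTBOUND
 permit tcp any any reflect RTRAFFIC timeout 300
 permit udp any any reflect RTRAFFIC timeout 60
 permit icmp any any reflect RTRAFFIC timeout 30
 deny ip any any log
!
! Inbound list on the exterior interface: routing protocols and the router's
! own sessions are permitted explicitly, and they sit BEFORE the evaluate
! line, which is where the dynamic RTRAFFIC entries are consulted.
ip access-list extended INBOUND
 permit ospf any any
 permit tcp host 192.0.2.1 eq bgp any
 permit tcp host 192.0.2.1 any eq bgp
 evaluate RTRAFFIC
 deny ip any any log
!
interface FastEthernet0/0
 description Exterior (WAN) interface
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

`show ip access-list RTRAFFIC` lists the temporary entries that reflect has created, which is how to confirm LAN-initiated sessions are being tracked. Applications that open a second channel on a new port (active-mode FTP, for example) are not followed by reflexive lists and need a separate permit or a different inspection mechanism.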
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART