Re: Reflexive ACLs

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Wed Sep 12 2007 - 02:34:34 ART


Here is a good starting point to troubleshoot this:

1) There are no hits on the "inter" ACL line 20. The telnet packets
should be generating these hits.
2) You should also be seeing a "Reflexive IP access list r1" entry from
the "show ip access-list" command.

So try removing both ACLs and then telnet from C to A. Verify that you
can telnet first before configuring the reflexive ACL.

HTH,

Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

> ----- Original Message -----
> Subject: Reflexive ACLs
> Date: Tue, September 11, 2007 20:17
> From: "Japson Jacob (jjacobj)" <jjacobj@cisco.com>

> Hello experts,
> I am trying to configure reflexive ACLs and have some doubts.
>
> Node A ------------- Node B ------------------ Node C.
>
> IP Address : between Node A - B === 1.X.X.X
> IP Address : between Node B - C === 2.X.X.X
>
> I consider Node B my boundary router; Node C is the internal network
> and Node A is the Internet.
> I am applying the ACLs on the interface connecting Node B to Node A.
>
> The ACLs are as follows.
>
> ==============================================================================
> IOS Version : 12.3
>
> Router-3825#sh access-lists inter
> Extended IP access list inter
> 10 permit eigrp any any
> 20 permit tcp any any reflect r1
> Router-3825#
> Router-3825#
> Router-3825#sh access-lists exter
> Extended IP access list exter
> 10 permit eigrp any any (441 matches)
> 20 evaluate r1
>
> Router-3825#sh run int g0/1
> Building configuration...
> Current configuration : 212 bytes
> !
> interface GigabitEthernet0/1 ---------> interface in Node B connecting Node A.
> ip address 1.1.1.1 255.0.0.0
> ip access-group exter in
> ip access-group inter out
> duplex auto
> speed auto
> media-type rj45
> ipv6 address 2001:2::10/64
> ipv6 enable
> ipv6 nat
> end
>
> ===============================================================================
>
>
> Now, when I try to telnet from Node C to Node A, I could not connect.
> I could not find out the reason why.
> Some light on this would be very helpful.
>
>
> Thanks in advance.
> Japson Jacob
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
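The mechanism Brian's two checks rely on, as an added Python model (this is not code from the thread or from Cisco IOS): an outbound TCP packet that matches "permit tcp any any reflect r1" should count as a hit on line 20 of "inter" and create a mirrored temporary entry in the reflexive list r1, and "evaluate r1" in "exter" then permits only the matching return traffic. The host addresses 2.1.1.10 and 1.1.1.100 are constructed, the 300 s idle timeout is the IOS default for ip reflexive-list timeout, the hit counters and the `show()` rendering are the model's own approximation, and early removal of entries on FIN/RST is not modelled.

```python
"""Model of the thread's reflexive ACL pair on G0/1 of Node B (added example).

  ACL "inter", applied OUT: 10 permit eigrp any any / 20 permit tcp any any reflect r1
  ACL "exter", applied IN:  10 permit eigrp any any / 20 evaluate r1

Simplified model, not IOS code: hit counters are the model's own, the 300 s
idle timeout is the IOS default, FIN/RST-based early removal is not modelled.
"""
from dataclasses import dataclass, field

REFLEXIVE_TIMEOUT = 300  # seconds, IOS default idle timeout for reflexive entries


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "eigrp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ReflexiveList:
    """The dynamic list populated by 'reflect r1' and consulted by 'evaluate r1'."""
    name: str
    entries: dict = field(default_factory=dict)  # mirrored 5-tuple -> expiry time

    def reflect(self, pkt, now):
        # Store the return direction: the outside host's address/port become the source.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + REFLEXIVE_TIMEOUT

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                         # no session opened this from inside
        if expiry <= now:                        # idle timeout reached: entry ages out
            del self.entries[key]
            return False
        self.entries[key] = now + REFLEXIVE_TIMEOUT  # matching traffic refreshes the entry
        return True

    def show(self, now):
        """Approximate rendering of the 'Reflexive IP access list r1' block."""
        lines = [f"Reflexive IP access list {self.name}"]
        for (proto, src, sport, dst, dport), expiry in self.entries.items():
            lines.append(f"     permit {proto} host {src} eq {sport} host {dst} eq {dport}"
                         f" (time left {int(expiry - now)})")
        return lines


class OutsideInterface:
    """G0/1 of Node B: 'inter' filters outbound traffic, 'exter' filters inbound."""

    def __init__(self):
        self.r1 = ReflexiveList("r1")
        self.hits = {"inter 10": 0, "inter 20": 0, "exter 10": 0, "exter 20": 0}

    def outbound(self, pkt, now):
        if pkt.proto == "eigrp":                 # 10 permit eigrp any any
            self.hits["inter 10"] += 1
            return True
        if pkt.proto == "tcp":                   # 20 permit tcp any any reflect r1
            self.hits["inter 20"] += 1
            self.r1.reflect(pkt, now)
            return True
        return False                             # implicit deny

    def inbound(self, pkt, now):
        if pkt.proto == "eigrp":                 # 10 permit eigrp any any
            self.hits["exter 10"] += 1
            return True
        if self.r1.evaluate(pkt, now):           # 20 evaluate r1
            self.hits["exter 20"] += 1
            return True
        return False                             # implicit deny: unsolicited inbound


def telnet_c_to_a():
    """Walk the thread's test: Telnet from Node C (2.x) to Node A (1.x). Addresses constructed."""
    fw = OutsideInterface()
    c, a = "2.1.1.10", "1.1.1.100"
    syn = Packet("tcp", c, 40000, a, 23)          # C -> A, leaves via G0/1 (ACL inter)
    syn_ack = Packet("tcp", a, 23, c, 40000)      # A -> C reply, enters G0/1 (ACL exter)
    unsolicited = Packet("tcp", a, 12345, c, 23)  # A opening Telnet towards C: no entry
    return {
        "syn_out": fw.outbound(syn, now=0),
        "r1_entries_after_syn": len(fw.r1.entries),
        "r1_show": fw.r1.show(now=0),
        "syn_ack_in": fw.inbound(syn_ack, now=1),
        "unsolicited_in": fw.inbound(unsolicited, now=1),
        "reply_after_idle_timeout": fw.inbound(syn_ack, now=1 + REFLEXIVE_TIMEOUT + 1),
        "inter_20_hits": fw.hits["inter 20"],
    }


if __name__ == "__main__":
    for k, v in telnet_c_to_a().items():
        print(f"{k}: {v}")
```

In the model, the outbound SYN is what produces both of the things Brian expects to see: a match on line 20 of "inter" and a mirrored entry under r1. If the Telnet traffic from C to A never reaches G0/1 outbound (for example because it leaves by another path), neither appears, and the return traffic is then dropped by the implicit deny behind "evaluate r1", which is why he suggests confirming plain Telnet works with both ACLs removed.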



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:11 ART