Re: really quick yes or no, reflective access-lists

From: Joseph Saad (joseph.samir.saad@gmail.com)
Date: Tue Sep 25 2007 - 16:28:13 ART


Reflexive access-lists don't get triggered with locally generated
router-traffic unless the locally generated traffic is policy routed to seem
to be transiting the router.

There are 2 simple technology labs in IEWB Vol 1, security section, showing
the concept.

Cheers,
Joseph.

On 9/25/07, Alex Steer <alex.steer@eison.co.uk> wrote:
>
> Hi
>
> Just a quick one, can someone tell me if reflexive access-lists affect
> traffic from the local router as normal? I thought they did but
>
> ip access-list extended inbound
>  permit ospf any any
>  permit icmp any any
>  evaluate reflect
>
> ip access-list extended outbound
>  permit icmp any any
>  permit tcp any any reflect reflect
>  permit udp any any reflect reflect
>
> interface Serial0
>  ip access-group inbound in
>  ip access-group outbound out
>
> int fa0
>  ip address 1.1.1.1 255.255.255.0
>
> telnet 150.1.2.2 /sour fa0 fails when the inbound and outbound are
> configured.
>
> Telnets from the switch to 150.1.2.2 on the same subnet using a static
> route pointing to 1.1.1.1 work fine.
>
> Any thoughts please?
>
> Thanks in advance
>
> Alex
>
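The configuration below is an added example for this thread; it is not from either poster or from the IEWB labs. It keeps Alex's two ACLs as posted and adds the piece Joseph alludes to: local policy routing, so that the router's own telnet to 150.1.2.2 is re-routed through a loopback and handled as transit traffic, which is what lets the outbound `reflect` entry get created and the `evaluate` line in the inbound list admit the return packets. The Loopback0 address, access-list 101 and the route-map name are constructed for the example; the assumption is that `ip local policy` with `set interface Loopback0` is what makes the locally generated packet re-enter the forwarding path (behaviour can vary by IOS release, so verify on the platform in use).

```cisco
! Alex's reflexive ACL pair, unchanged
ip access-list extended inbound
 permit ospf any any
 permit icmp any any
 evaluate reflect
!
ip access-list extended outbound
 permit icmp any any
 permit tcp any any reflect reflect
 permit udp any any reflect reflect
!
! Constructed loopback used only as the policy-routing target
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface Serial0
 ip access-group inbound in
 ip access-group outbound out
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
!
! Constructed match list: the router's own telnet sessions to 150.1.2.2.
! Local policy only ever sees router-originated packets, so this does
! not touch transit traffic from the switch.
access-list 101 permit tcp any host 150.1.2.2 eq telnet
!
! Send matching local traffic via Loopback0 so it is routed again as
! transit and hits the outbound list's reflect entries on Serial0.
route-map LOCAL_TO_LOOP permit 10
 match ip address 101
 set interface Loopback0
!
ip local policy route-map LOCAL_TO_LOOP
```

To check it, run `telnet 150.1.2.2 /source-interface FastEthernet0` from the router, then `show ip access-lists reflect`: with the local policy in place a temporary entry for the return TCP flow should appear, whereas without it the list stays empty and the session times out exactly as Alex described. `debug ip policy` shows whether the locally generated packet matched route-map LOCAL_TO_LOOP at all, which is the first thing to look at if the entry never shows up.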



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART