From: Abu Hamzah (hamzah.abu@gmail.com)
Date: Tue Dec 11 2007 - 08:07:28 ART
Hi All
I believe the config for ACL and NAT combined is not the best config
and may be causing the issues described below.
I think the reflective ACL should be more like the lines shown here below.
Option A:
ip access-list extended INBOUND
evaluate Internet
ip access-list extended OUTBOUND
permit tcp any any reflect Internet
permit udp any any reflect Internet
permit icmp any any reflect Internet
OR
Option B:
ip access-list extended INBOUND
evaluate Internet
ip access-list extended OUTBOUND
permit tcp 192.168.0.0 0.0.255.255 any reflect Internet
permit tcp 172.19.0.0 0.0.255.255 any reflect Internet
permit udp 192.168.0.0 0.0.255.255 any reflect Internet
permit udp 172.19.0.0 0.0.255.255 any reflect Internet
permit icmp 192.168.0.0 0.0.255.255 any reflect Internet
permit icmp 172.19.0.0 0.0.255.255 any reflect Internet
As opposed to using the public IP subnet address (77.222.121.56 0.0.0.7) as
the source IPs.
Has anyone who's done NAT and Reflective ACL seen issues like this? What is
the best and simplest config for the reflective ACL? Would you suggest option
A or B as opposed to using the public/legal IPs?
Tnx & regards.
Abu Hamzah
On Dec 2, 2007 9:53 AM, Abu Hamzah <hamzah.abu@gmail.com> wrote:
> Thanks for that.
>
> We removed the INBOUND and OUTBOUND ACL from the external interface,
> and the users report the Yahoo and Hotmail sites to be OK now....
>
> The problem is that the Yahoo and Hotmail access was ONLY giving issues
> sometimes, so this may be coincidental...we will keep testing to see...
>
> The router was configured by someone else a few months back. I suppose
> they were trying to have some firewalling on this Internet router because
> there is no firewall besides this router...
> Can someone suggest a better firewalling configuration option on this
> router to secure the LAN?
>
> Thanks and regards.
>
>
> On Dec 2, 2007 8:10 AM, Donghai Zhang <zdh1207@gmail.com> wrote:
>
> > What's the use of applying self-reflect ACL here? Seems NAT itself
> > has prevented access into LAN. Maybe you could omit the INBOUND and
> > OUTBOUND ACL and try it again....
> >
> > 2007/11/30, Terry Tender <terry.tender@gmail.com>:
> > >
> > > You could try to remove the reflective ACL and do NAT with a single IP
> > > address...just to test things out..
> > >
> > > Terry
> > >
> > >
> > >
> > > On 11/29/07, v.shekhar@yahoo.com <v.shekhar@yahoo.com> wrote:
> > > >
> > > > Does this happen when using the new XML or Java based Webmail
> > > > interface?
> > > > How much internet bandwidth does he have?
> > > > The newer webmails require more bandwidth compared to the old HTML
> > > > only interface.
> > > > I am suspecting a bandwidth issue here.
> > > >
> > > >
> > > > Thanks,
> > > > -sHekHar.
> > > > CCIE#17589/CISSP/RHCE.
> > > >
> > > > ----- Original Message ----
> > > > From: Abu Hamzah <hamzah.abu@gmail.com>
> > > > To: ccielab@groupstudy.com
> > > > Sent: Thursday, November 29, 2007 7:52:52 PM
> > > > Subject: OT: Web Mail Issues
> > > >
> > > >
> > > > Hi there
> > > >
> > > >
> > > >
> > > > A friend is facing some Web mail browsing issues with a pretty simple
> > > > LAN setup with Internet router and some switches. Yahoo web mail and
> > > > Hotmail give Internet Explorer messages from time to time saying "Page
> > > > not found". This happens when the emails are being deleted or when
> > > > attaching docs to emails.
> > > > All other website browsing is OK. Sometimes all works fine, so the
> > > > Yahoo/Hotmail issue is very much intermittent.
> > > >
> > > >
> > > >
> > > > The Internet router config is similar to the one below...
> > > >
> > > >
> > > >
> > > > I think the NAT overload may not be configured correctly. Any ideas?
> > > >
> > > >
> > > >
> > > > Regards.
> > > >
> > > >
> > > >
> > > > Abu Hamzah
> > > >
> > > > -----------------------
> > > >
> > > > !
> > > > version 12.4
> > > > !
> > > > boot-start-marker
> > > > boot-end-marker
> > > > !
> > > > no aaa new-model
> > > > no network-clock-participate wic 0
> > > > no network-clock-participate aim 0
> > > > !
> > > > ip cef
> > > > !
> > > > voice-card 0
> > > > no dspfarm
> > > > !
> > > > interface GigabitEthernet0/0
> > > > ip address 192.168.100.146 255.255.255.0
> > > > ip nat inside
> > > > duplex full
> > > > speed 100
> > > > no cdp enable
> > > > !
> > > > interface GigabitEthernet0/1
> > > > ip address 77.222.98.42 255.255.255.252
> > > > ip access-group INBOUND in
> > > > ip access-group OUTBOUND out
> > > > ip nat outside
> > > > no ip mroute-cache
> > > > duplex full
> > > > speed 10
> > > > !
> > > > ip route 0.0.0.0 0.0.0.0 77.222.98.41
> > > > !
> > > > ip http server
> > > > no ip http secure-server
> > > > ip nat pool TEST 77.222.121.57 77.222.121.58 netmask 255.255.255.248
> > > > ip nat inside source list 1 pool TEST overload
> > > > !
> > > > ip access-list extended INBOUND
> > > > evaluate Internet
> > > > ip access-list extended OUTBOUND
> > > > permit tcp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > permit udp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > permit icmp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > !
> > > > access-list 1 permit 192.168.0.0 0.0.255.255
> > > > access-list 1 permit 172.19.0.0 0.0.255.255
> > > >
> > > > !
> > > > control-plane
> > > > !
> > > > line con 0
> > > > line aux 0
> > > > !
> > > > end
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
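To see which of the three OUTBOUND lists discussed in this thread (the original public /29, option A and option B) actually creates a reflexive entry for a translated flow, here is a small Python simulator. It is an added example, not a config or tool from the original posts, and it assumes Cisco's documented NAT order of operations: inside-to-outside packets are translated before the outbound ACL on the outside interface is evaluated, and outside-to-inside packets are checked by the inbound ACL before being translated back. The pool address, inside subnets and ACL lines are the ones from the thread; the inside host 192.168.100.10, the server 203.0.113.80, the PAT port allocator and all class and function names are constructed for the example.

```python
"""Trace one TCP flow through IOS NAT overload plus a reflexive ACL on the
outside interface, for each OUTBOUND list proposed in the thread.

Added example, not a config from the thread. Assumed order of operations
(Cisco's documented NAT order): inside-to-outside packets are translated
before the outbound ACL is checked; outside-to-inside packets hit the
inbound ACL before being translated back. Hosts and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair (or 'any') to a network."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One 'permit <proto> <src> <dst> [reflect NAME]' entry."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    reflect: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ipaddress.IPv4Address(pkt.src) in self.src
                and ipaddress.IPv4Address(pkt.dst) in self.dst)


def parse_ace(line: str) -> Ace:
    tok = line.split()
    assert tok[0] == "permit"
    nets, i = [], 2
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            nets.append(wildcard_to_network("any", "0.0.0.0")); i += 1
        else:
            nets.append(wildcard_to_network(tok[i], tok[i + 1])); i += 2
    reflect = tok[i + 1] if i < len(tok) and tok[i] == "reflect" else None
    return Ace(tok[1], nets[0], nets[1], reflect)


class OutsideInterface:
    """'ip nat outside' interface with OUTBOUND out and an 'evaluate' INBOUND in."""

    def __init__(self, outbound: List[Ace], inside_nets, pool_ip: str):
        self.outbound = outbound
        self.inside_nets = [wildcard_to_network(a, w) for a, w in inside_nets]
        self.pool_ip = pool_ip
        self.next_port = 1024                                    # constructed PAT allocator
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}  # public -> private
        self.reflexive: Set[Packet] = set()                      # dynamic 'Internet' entries

    def _translate(self, pkt: Packet) -> Packet:
        if not any(ipaddress.IPv4Address(pkt.src) in n for n in self.inside_nets):
            return pkt                      # not matched by access-list 1: left untranslated
        port, self.next_port = self.next_port, self.next_port + 1
        self.xlate[(self.pool_ip, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.pool_ip, port, pkt.dst, pkt.dport)

    def send_out(self, pkt: Packet) -> bool:
        """Inside -> outside: NAT first, then the OUTBOUND list."""
        pkt = self._translate(pkt)
        for a in self.outbound:
            if a.matches(pkt):
                if a.reflect:               # mirror of the packet the ACL actually saw
                    self.reflexive.add(Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
        return False                        # implicit deny at the end of the list

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: 'evaluate Internet' runs on the untranslated packet."""
        if pkt not in self.reflexive:
            return None                     # no dynamic entry: dropped
        priv = self.xlate.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
        return Packet(pkt.proto, pkt.src, pkt.sport, priv[0], priv[1])


INSIDE = [("192.168.0.0", "0.0.255.255"), ("172.19.0.0", "0.0.255.255")]  # access-list 1
POOL_IP = "77.222.121.57"                   # first address of pool TEST
CANDIDATES = {
    "original (public /29)": ["permit tcp 77.222.121.56 0.0.0.7 any reflect Internet"],
    "option A (any any)":    ["permit tcp any any reflect Internet"],
    "option B (private)":    ["permit tcp 192.168.0.0 0.0.255.255 any reflect Internet",
                              "permit tcp 172.19.0.0 0.0.255.255 any reflect Internet"],
}


def check(outbound_lines: List[str]) -> Tuple[bool, bool]:
    """(request permitted outbound?, server reply permitted inbound?) for one flow."""
    iface = OutsideInterface([parse_ace(l) for l in outbound_lines], INSIDE, POOL_IP)
    request = Packet("tcp", "192.168.100.10", 40000, "203.0.113.80", 80)  # constructed host
    out_ok = iface.send_out(request)
    reply = Packet("tcp", "203.0.113.80", 80, POOL_IP, 1024)  # server answers the PAT address
    return out_ok, iface.receive(reply) is not None


def run_all() -> Dict[str, Tuple[bool, bool]]:
    return {name: check(lines) for name, lines in CANDIDATES.items()}


if __name__ == "__main__":
    for name, (out_ok, back_ok) in run_all().items():
        print(f"{name:24s} outbound={out_ok!s:5s} reply={back_ok}")
```

Under the stated order of operations the simulator shows that an OUTBOUND list whose sources are the pre-NAT private subnets never matches the translated packet the ACL sees, so it creates no reflexive entry and the reply is dropped, while the public /29 and `any` both create the entry and pass the reply. It also makes the difference between the two working variants visible: with `any any`, a source that access-list 1 does not translate still creates a reflexive entry, which the /29 form does not permit. UDP and ICMP follow the same ordering, so the same check applies to the other lines of each option.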
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST