Re: Reflective ACL and NAT/PAT

From: Terry Tender (terry.tender@gmail.com)
Date: Thu Dec 13 2007 - 04:49:05 ART


The reflective ACL I've seen use format like:

permit <protocol> any any reflect ABC

and do not specify the exact source and destination IPs.

Of course the ACL could be made more narrow by putting at least the source
address, because that is always the internal LANs' IPs. However, what is shown
here in the config below under the Reflective ACL is that the source IP is
the legal/public IP of this network. Would this work? Because the router is
NATting the reserved IPs to the legal/public IPs, so why mention the legal
IP? Why not use the reserved IPs, 172... and 192...?

Another question is, is the NATting happening BEFORE the reflective ACL
application or AFTER? Can anyone comment on this?

Terry

On Dec 11, 2007 3:07 PM, Abu Hamzah <hamzah.abu@gmail.com> wrote:

> Hi All
>
> I believe the config for ACL and NAT combined is not the best config
> and may be causing the issues described below.
>
> I think the reflective ACL should be more like the lines shown here below.
>
> Option A:
> ip access-list extended INBOUND
> evaluate Internet
> ip access-list extended OUTBOUND
> permit tcp any any reflect Internet
> permit udp any any reflect Internet
> permit icmp any any reflect Internet
>
> OR
>
> Option B:
> ip access-list extended INBOUND
> evaluate Internet
> ip access-list extended OUTBOUND
> permit tcp 192.168.0.0 0.0.255.255 any reflect Internet
> permit tcp 172.19.0.0 0.0.255.255 any reflect Internet
> permit udp 192.168.0.0 0.0.255.255 any reflect Internet
> permit udp 172.19.0.0 0.0.255.255 any reflect Internet
> permit icmp 192.168.0.0 0.0.255.255 any reflect Internet
> permit icmp 172.19.0.0 0.0.255.255 any reflect Internet
> As opposed to using the public IP subnet address (77.222.121.56 0.0.0.7) as
> the source IPs.
>
> Has anyone who's done NAT and Reflective ACL seen issues like this? What is
> the best and simple config for the reflective ACL? Would you suggest option
> A or B as opposed to using the public/Legal IPs?
>
> Tnx & regards.
>
> Abu Hamzah
>
>
>
>
> On Dec 2, 2007 9:53 AM, Abu Hamzah <hamzah.abu@gmail.com> wrote:
>
> > Thanks for that.
> >
> > We removed the INBOUND and OUTBOUND ACL from the external interface,
> > and the users report the Yahoo and Hotmail sites to be OK now....
> >
> > The problem is that the Yahoo and Hotmail access was ONLY giving issues
> > sometimes, so this may be coincidental...we will keep testing to see...
> >
> > The router was configured by someone else a few months back. I suppose
> > they were trying to have some firewalling on this Internet router because
> > there is no firewall besides this router...
> > Can someone suggest a better firewalling configuration option on this
> > router to secure the LAN?
> >
> > Thanks and regards.
> >
> >
> > On Dec 2, 2007 8:10 AM, Donghai Zhang <zdh1207@gmail.com> wrote:
> >
> > > What's the use of applying self-reflect ACL here? Seems NAT itself
> > > has prevented access into LAN. Maybe you could omit the INBOUND and
> > > OUTBOUND ACL and try it again....
> > >
> > > 2007/11/30, Terry Tender <terry.tender@gmail.com>:
> > > >
> > > > You could try to remove the reflective ACL and do NAT with a single IP
> > > > address...just to test things out..
> > > >
> > > > Terry
> > > >
> > > >
> > > >
> > > > On 11/29/07, v.shekhar@yahoo.com <v.shekhar@yahoo.com> wrote:
> > > > >
> > > > > Does this happen when using the new XML or Java based Webmail interface?
> > > > > How much internet bandwidth does he have?
> > > > > The newer webmails require more bandwidth compared to the old HTML only
> > > > > interface.
> > > > > I am suspecting a bandwidth issue here.
> > > > >
> > > > >
> > > > > Thanks,
> > > > > -sHekHar.
> > > > > CCIE#17589/CISSP/RHCE.
> > > > >
> > > > > ----- Original Message ----
> > > > > From: Abu Hamzah <hamzah.abu@gmail.com>
> > > > > To: ccielab@groupstudy.com
> > > > > Sent: Thursday, November 29, 2007 7:52:52 PM
> > > > > Subject: OT: Web Mail Issues
> > > > >
> > > > >
> > > > > Hi there
> > > > >
> > > > >
> > > > >
> > > > > A friend is facing some Web mail browsing issues with pretty simple LAN
> > > > > setup with Internet router and some switches. Yahoo web mail and Hotmail
> > > > > give Internet Explorer messages time to time saying "Page not found". This
> > > > > happens when the emails are being deleted or when attaching docs to emails.
> > > > > All other website browsing is OK. Sometimes all works fine, so the
> > > > > Yahoo/Hotmail issue is very much intermittent.
> > > > >
> > > > >
> > > > >
> > > > > The Internet router config is similar to the one below...
> > > > >
> > > > >
> > > > >
> > > > > I think the NAT overload may not be configured correctly. Any ideas?
> > > > >
> > > > >
> > > > >
> > > > > Regards.
> > > > >
> > > > >
> > > > >
> > > > > Abu Hamzah
> > > > >
> > > > > -----------------------
> > > > >
> > > > > !
> > > > > version 12.4
> > > > > !
> > > > > boot-start-marker
> > > > > boot-end-marker
> > > > > !
> > > > > no aaa new-model
> > > > > no network-clock-participate wic 0
> > > > > no network-clock-participate aim 0
> > > > > !
> > > > > ip cef
> > > > > !
> > > > > voice-card 0
> > > > > no dspfarm
> > > > > !
> > > > > interface GigabitEthernet0/0
> > > > > ip address 192.168.100.146 255.255.255.0
> > > > > ip nat inside
> > > > > duplex full
> > > > > speed 100
> > > > > no cdp enable
> > > > > !
> > > > > interface GigabitEthernet0/1
> > > > > ip address 77.222.98.42 255.255.255.252
> > > > > ip access-group INBOUND in
> > > > > ip access-group OUTBOUND out
> > > > > ip nat outside
> > > > > no ip mroute-cache
> > > > > duplex full
> > > > > speed 10
> > > > > !
> > > > > ip route 0.0.0.0 0.0.0.0 77.222.98.41
> > > > > !
> > > > > ip http server
> > > > > no ip http secure-server
> > > > > ip nat pool TEST 77.222.121.57 77.222.121.58 netmask 255.255.255.248
> > > > > ip nat inside source list 1 pool TEST overload
> > > > > !
> > > > > ip access-list extended INBOUND
> > > > > evaluate Internet
> > > > > ip access-list extended OUTBOUND
> > > > > permit tcp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > > permit udp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > > permit icmp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > > !
> > > > > access-list 1 permit 192.168.0.0 0.0.255.255
> > > > > access-list 1 permit 172.19.0.0 0.0.255.255
> > > > >
> > > > > !
> > > > > control-plane
> > > > > !
> > > > > line con 0
> > > > > line aux 0
> > > > > !
> > > > > end
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
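To illustrate the order-of-operations question raised in this thread, here is a toy model added to this archive page; it is not code from the thread, from Cisco, or from GroupStudy. It follows Cisco's documented NAT order of operations: for inside-to-outside traffic, NAT (local-to-global) runs before the output ACL on the outside interface, and for outside-to-inside traffic the input ACL runs before NAT (global-to-local). The model pushes one web flow and one unsolicited inbound packet through the three OUTBOUND variants discussed (the original public /29 source, option A, option B) using the pool and access-list 1 from the posted config. Everything else is an assumption of the example: the inside host 192.168.100.10, the remote hosts 203.0.113.10 and 198.51.100.7, the ports, a PAT that keeps the source port and always uses the first pool address, and the names `Packet`, `Router`, `wildcard_match` and `simulate`.

```python
"""
Added illustration: a toy model of a Cisco IOS router that NATs inside hosts
(overload) and applies a reflexive ACL on its outside interface, following the
documented IOS order of operations:

  inside -> outside : routing, NAT (local -> global), then the OUTPUT ACL
  outside -> inside : the INPUT ACL first, then NAT (global -> local)

Addresses come from the thread's config; flows and remote hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


# From the thread: NAT pool TEST and 'access-list 1' (inside hosts eligible for NAT)
NAT_POOL = ["77.222.121.57", "77.222.121.58"]
NAT_INSIDE_LIST = [("192.168.0.0", "0.0.255.255"), ("172.19.0.0", "0.0.255.255")]

# The three OUTBOUND variants discussed, as (proto, network, wildcard) 'reflect' entries
ORIGINAL_OUTBOUND = [(p, "77.222.121.56", "0.0.0.7") for p in ("tcp", "udp", "icmp")]
OPTION_A_OUTBOUND = [(p, "0.0.0.0", "255.255.255.255") for p in ("tcp", "udp", "icmp")]
OPTION_B_OUTBOUND = [(p, n, "0.0.255.255") for p in ("tcp", "udp", "icmp")
                     for n in ("192.168.0.0", "172.19.0.0")]


class Router:
    def __init__(self, outbound_acl):
        self.outbound_acl = outbound_acl
        self.xlate = {}       # (global addr, port) -> (local addr, port)
        self.reflect = set()  # temporary entries created by 'reflect Internet'

    def nat_local_to_global(self, pkt: Packet) -> Packet:
        """Overload NAT; assumption: first pool address, source port preserved."""
        if any(wildcard_match(pkt.src, n, w) for n, w in NAT_INSIDE_LIST):
            g = NAT_POOL[0]
            self.xlate[(g, pkt.sport)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, g, pkt.sport, pkt.dst, pkt.dport)
        return pkt

    def inside_to_outside(self, pkt: Packet):
        """NAT runs first, so the OUTBOUND ACL sees the translated (pool) source."""
        post = self.nat_local_to_global(pkt)
        for proto, net, wc in self.outbound_acl:
            if proto == post.proto and wildcard_match(post.src, net, wc):
                # 'reflect' stores the mirrored 5-tuple for the return traffic
                self.reflect.add((post.proto, post.dst, post.dport, post.src, post.sport))
                return "permit", post
        return "deny", post  # implicit deny at the end of the ACL

    def outside_to_inside(self, pkt: Packet):
        """The INBOUND ACL ('evaluate Internet') runs before NAT, on global addresses."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) not in self.reflect:
            return "deny", None
        local = self.xlate.get((pkt.dst, pkt.dport))
        if local is None:
            return "deny", None
        return "permit", Packet(pkt.proto, pkt.src, pkt.sport, local[0], local[1])


def simulate(outbound_acl):
    """Run one web flow plus one unsolicited inbound packet; return the three verdicts."""
    r = Router(outbound_acl)
    # Constructed: an inside host on the Gi0/0 subnet talks to a remote web server
    out_verdict, _ = r.inside_to_outside(Packet("tcp", "192.168.100.10", 40000, "203.0.113.10", 80))
    reply = Packet("tcp", "203.0.113.10", 80, "77.222.121.57", 40000)
    in_verdict, _ = r.outside_to_inside(reply)
    # Constructed: a packet from outside that no inside host asked for
    probe = Packet("tcp", "198.51.100.7", 55555, "77.222.121.57", 22)
    probe_verdict, _ = r.outside_to_inside(probe)
    return out_verdict, in_verdict, probe_verdict


if __name__ == "__main__":
    for name, acl in [("original (public /29 as source)", ORIGINAL_OUTBOUND),
                      ("option A (any)", OPTION_A_OUTBOUND),
                      ("option B (private sources)", OPTION_B_OUTBOUND)]:
        print(f"{name:35s} outbound/return/probe = {simulate(acl)}")
```

What the run shows: because the OUTBOUND ACL sits on the outside interface, it sees the post-NAT source from pool TEST, so option B's private-address entries never match and both the outbound flow and its return are dropped by the implicit deny; the original /29 source and option A both permit the flow, and in each case the reflected entry admits only the mirrored return traffic while the unsolicited inbound packet is denied. The model ignores what a real IOS does when the source port is already in use and the ACL's timeout handling, so treat it as a picture of the ordering rather than of IOS itself.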



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:30 ARST