Re: Reflective ACL and NAT/PAT

From: Abu Hamzah (hamzah.abu@gmail.com)
Date: Mon Dec 24 2007 - 11:50:24 ART


Hi there

We are testing by modifying the timer:

ip reflexive-list timeout

The timer was set to 120 seconds. We changed it to 300 seconds. It "seemed" to
have rectified the intermittent Internet email issues. We are still testing,
and wonder if someone else has seen this timer cause issues?

Thanks and regards.

Abu Hamzah

On 12/13/07, Eric Phillips <eric@phillips.tc> wrote:
>
> Terry,
>
> Reflexive ACLs will use whatever IP it "sees." By that I mean if you had
> an inbound ACL on the inside interface, that would be before NAT has changed
> the IP address because NAT does not know which interface it is going out
> of. So putting the reflect there would not be helpful, because the
> resulting temporary ACL entries might look like this, assuming 65.1.1.1 is
> a web server:
>
> permit tcp host 65.1.1.1 eq 80 host 192.168.1.1 eq 18322
>
> That would not work since the actual traffic is likely something like this
> (assuming 64.1.1.1 is the outside IP of your router):
>
> permit tcp host 65.1.1.1 eq 80 host 64.1.1.1 eq 18322
>
> Now if you put the reflect on an outbound ACL on the outside interface,
> then NAT would have already changed the IP address and the temporary ACL will
> be correct.
>
> I think of the router like an onion. The center of the onion is the
> router, next out is the interfaces, next out is NAT, next out is the ACLs. So
> going into the onion, ACLs will apply before NAT; coming out of the onion, NAT
> will apply before ACLs.
>
> Hope that helps!
>
>
> --
>
> Eric M. Phillips
>
> Senior Network Consultant
>
>
>
> LTI Information Technology
> http://www.ltiit.com
>
> 501 Avis Drive
>
> Ann Arbor, MI 48108
>
>
>
> Phone: (734) 929-1400 Fax: (734) 929-1401
>
>
>
> On 12/13/07, Terry Tender <terry.tender@gmail.com> wrote:
> >
> > The reflective ACLs I've seen use a format like:
> >
> > permit <protocol> any any reflect ABC
> >
> > and do not specify the exact source and destination IPs.
> >
> > Of course the ACL could be made more narrow by putting at least the
> > source address because that is always the internal LAN's IPs. However, what is
> > shown here in the config below under the Reflective ACL is that the source IP
> > is the legal/public IP of this network. Would this work? Because the router
> > is NATting the reserved IPs to the legal/public IPs, so why mention the
> > legal IP? Why not use the reserved IPs, 172... and 192...?
> >
> > Another question is, is the NATing happening BEFORE the reflective ACL
> > application or AFTER? Can anyone comment on this?
> >
> > Terry
> >
> >
> > On Dec 11, 2007 3:07 PM, Abu Hamzah <hamzah.abu@gmail.com> wrote:
> >
> > > Hi All
> > >
> > > I believe the config for ACL and NAT combined is not the best
> > > config and may be causing the issues described below.
> > >
> > > I think the reflective ACL should be more like the lines shown here
> > > below.
> > >
> > > Option A:
> > > ip access-list extended INBOUND
> > > evaluate Internet
> > > ip access-list extended OUTBOUND
> > > permit tcp any any reflect Internet
> > > permit udp any any reflect Internet
> > > permit icmp any any reflect Internet
> > >
> > > OR
> > >
> > > Option B:
> > > ip access-list extended INBOUND
> > > evaluate Internet
> > > ip access-list extended OUTBOUND
> > > permit tcp 192.168.0.0 0.0.255.255 any reflect Internet
> > > permit tcp 172.19.0.0 0.0.255.255 any reflect Internet
> > > permit udp 192.168.0.0 0.0.255.255 any reflect Internet
> > > permit udp 172.19.0.0 0.0.255.255 any reflect Internet
> > > permit icmp 192.168.0.0 0.0.255.255 any reflect Internet
> > > permit icmp 172.19.0.0 0.0.255.255 any reflect Internet
> > >
> > > As opposed to using the public IP subnet address (77.222.121.56 0.0.0.7)
> > > as the source IPs.
> > >
> > > Has anyone who's done NAT and Reflective ACL seen issues like this? What
> > > is the best and simple config for the reflective ACL? Would you suggest
> > > option A or B as opposed to using the public/Legal IPs?
> > >
> > > Tnx & regards.
> > >
> > > Abu Hamzah
> > >
> > >
> > >
> > >
> > > On Dec 2, 2007 9:53 AM, Abu Hamzah <hamzah.abu@gmail.com> wrote:
> > >
> > > > Thanks for that.
> > > >
> > > > We removed the INBOUND and OUTBOUND ACL from the external interface,
> > > > and the users report the Yahoo and Hotmail sites to be OK now....
> > > >
> > > > The problem is that the Yahoo and Hotmail access was ONLY giving issues
> > > > sometimes, so this may be coincidental... we will keep testing to see...
> > > >
> > > > The router was configured by someone else a few months back. I suppose
> > > > they were trying to have some firewalling on this Internet router because
> > > > there is no firewall besides this router...
> > > > Can someone suggest a better firewalling configuration option on this
> > > > router to secure the LAN?
> > > >
> > > > Thanks and regards.
> > > >
> > > >
> > > > On Dec 2, 2007 8:10 AM, Donghai Zhang <zdh1207@gmail.com> wrote:
> > > >
> > > > > What's the use of applying self-reflect ACL here? Seems NAT itself
> > > > > has prevented access into LAN. Maybe you could omit the INBOUND and
> > > > > OUTBOUND ACL and try it again....
> > > > >
> > > > > 2007/11/30, Terry Tender <terry.tender@gmail.com>:
> > > > > >
> > > > > > You could try to remove the reflective ACL and do NAT with a single
> > > > > > IP address... just to test things out..
> > > > > >
> > > > > > Terry
> > > > > >
> > > > > >
> > > > > >
> > > > > > On 11/29/07, v.shekhar@yahoo.com <v.shekhar@yahoo.com> wrote:
> > > > > > >
> > > > > > > Does this happen when using the new XML or Java based Webmail
> > > > > > > interface?
> > > > > > > How much internet bandwidth does he have?
> > > > > > > The newer webmails require more bandwidth compared to the old
> > > > > > > HTML only interface.
> > > > > > > I am suspecting a bandwidth issue here.
> > > > > > >
> > > > > > >
> > > > > > > Thanks,
> > > > > > > -sHekHar.
> > > > > > > CCIE#17589/CISSP/RHCE.
> > > > > > >
> > > > > > > ----- Original Message ----
> > > > > > > From: Abu Hamzah <hamzah.abu@gmail.com>
> > > > > > > To: ccielab@groupstudy.com
> > > > > > > Sent: Thursday, November 29, 2007 7:52:52 PM
> > > > > > > Subject: OT: Web Mail Issues
> > > > > > >
> > > > > > >
> > > > > > > Hi there
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > A friend is facing some Web mail browsing issues with a pretty
> > > > > > > simple LAN setup with Internet router and some switches. Yahoo web mail
> > > > > > > and Hotmail give Internet Explorer messages time to time saying "Page not
> > > > > > > found". This happens when the emails are being deleted or when attaching
> > > > > > > docs to emails. All other website browsing is OK. Sometimes all works fine,
> > > > > > > so the Yahoo/Hotmail issue is very much intermittent.
> > > > > > >
> > > > > > > The Internet router config is similar to the one below...
> > > > > > >
> > > > > > > I think the NAT overload may not be configured correctly. Any
> > > > > > > ideas?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Regards.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Abu Hamzah
> > > > > > >
> > > > > > > -----------------------
> > > > > > >
> > > > > > > !
> > > > > > > version 12.4
> > > > > > > !
> > > > > > > boot-start-marker
> > > > > > > boot-end-marker
> > > > > > > !
> > > > > > > no aaa new-model
> > > > > > > no network-clock-participate wic 0
> > > > > > > no network-clock-participate aim 0
> > > > > > > !
> > > > > > > ip cef
> > > > > > > !
> > > > > > > voice-card 0
> > > > > > > no dspfarm
> > > > > > > !
> > > > > > > interface GigabitEthernet0/0
> > > > > > > ip address 192.168.100.146 255.255.255.0
> > > > > > > ip nat inside
> > > > > > > duplex full
> > > > > > > speed 100
> > > > > > > no cdp enable
> > > > > > > !
> > > > > > > interface GigabitEthernet0/1
> > > > > > > ip address 77.222.98.42 255.255.255.252
> > > > > > > ip access-group INBOUND in
> > > > > > > ip access-group OUTBOUND out
> > > > > > > ip nat outside
> > > > > > > no ip mroute-cache
> > > > > > > duplex full
> > > > > > > speed 10
> > > > > > > !
> > > > > > > ip route 0.0.0.0 0.0.0.0 77.222.98.41
> > > > > > > !
> > > > > > > ip http server
> > > > > > > no ip http secure-server
> > > > > > > ip nat pool TEST 77.222.121.57 77.222.121.58 netmask 255.255.255.248
> > > > > > > ip nat inside source list 1 pool TEST overload
> > > > > > > !
> > > > > > > ip access-list extended INBOUND
> > > > > > > evaluate Internet
> > > > > > > ip access-list extended OUTBOUND
> > > > > > > permit tcp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > > > > permit udp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > > > > permit icmp 77.222.121.56 0.0.0.7 any reflect Internet
> > > > > > > !
> > > > > > > access-list 1 permit 192.168.0.0 0.0.255.255
> > > > > > > access-list 1 permit 172.19.0.0 0.0.255.255
> > > > > > >
> > > > > > > !
> > > > > > > control-plane
> > > > > > > !
> > > > > > > line con 0
> > > > > > > line aux 0
> > > > > > > !
> > > > > > > end
> > > > > > >
> > > > > > > _______________________________________________________________________
> > > > > > > Subscription information may be found at:
> > > > > > > http://www.groupstudy.com/list/CCIELab.html
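The order-of-operations point Eric makes (an ACL on the outside interface sees post-NAT addresses outbound and pre-NAT addresses inbound) and the reflexive timeout Abu Hamzah is tuning, as an added Python model that is not from any poster in the thread. Constructed assumptions: the NAT address 77.222.121.57 is taken from pool TEST, PAT is assumed to keep the source port, and the inactivity timer is simplified to a fixed expiry after entry creation.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# access-list 1 from the thread's config, plus one address picked from pool TEST
# (constructed choice; PAT is assumed to keep the source port for simplicity)
INSIDE_NETS = [("192.168.0.0", "0.0.255.255"), ("172.19.0.0", "0.0.255.255")]
NAT_OUTSIDE = "77.222.121.57"

def nat_inside_to_outside(pkt):
    """Inside->outside: NAT runs before the outside interface's OUT ACL."""
    if any(wildcard_match(pkt.src, b, w) for b, w in INSIDE_NETS):
        return pkt._replace(src=NAT_OUTSIDE)
    return pkt

def outbound_reflect(pkt, src_base, src_wild, timeout, now, table):
    """'permit <proto> <src> any reflect Internet' applied OUT on Gi0/1.
    A matching packet creates a mirrored temporary entry (the reply 5-tuple)."""
    if not wildcard_match(pkt.src, src_base, src_wild):
        return False
    table[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + timeout
    return True

def inbound_evaluate(pkt, now, table):
    """'evaluate Internet' applied IN on Gi0/1: the reply is checked before NAT
    un-translates its destination (onion model). Simplified: an entry expires
    timeout seconds after creation, not after inactivity; no FIN/RST teardown."""
    expiry = table.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return expiry is not None and now <= expiry

def scenario(src_base, src_wild, timeout, reply_delay):
    """Inside host opens TCP/80 to 65.1.1.1 at t=0; the reply arrives after
    reply_delay seconds. Returns (outbound matched, reply permitted)."""
    table = {}
    out = nat_inside_to_outside(Packet("tcp", "192.168.100.10", 18322, "65.1.1.1", 80))
    matched = outbound_reflect(out, src_base, src_wild, timeout, 0, table)
    reply = Packet("tcp", "65.1.1.1", 80, out.src, out.sport)
    return matched, inbound_evaluate(reply, reply_delay, table)

if __name__ == "__main__":
    print(scenario("77.222.121.56", "0.0.0.7", 120, 10))    # original config: (True, True)
    print(scenario("192.168.0.0", "0.0.255.255", 120, 10))  # Option B on outside: (False, False)
    print(scenario("77.222.121.56", "0.0.0.7", 120, 180))   # reply after 120 s: (True, False)
    print(scenario("77.222.121.56", "0.0.0.7", 300, 180))   # timer raised to 300 s: (True, True)
```

The second scenario shows why Option B never matches on the outside interface, and the last two show how a long pause in a webmail session (an upload, a deferred reply) outlives a 120-second entry but survives a 300-second one.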



This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST