From: Adel Karim (adelkarim@gmail.com)
Date: Mon Mar 17 2008 - 09:17:22 ART
Nagendra,
Usually the issue here will be the return traffic coming from BB1 back to
R1. R1 should have an inbound ACL that blocks everything and permits only the
required protocols (routing, etc.). This will also block the return traffic
for requests originating from R1 itself (remember that for traffic
originating on R1 there will be no dynamic entries created to allow the
return traffic back in).
Usually this can be solved by allowing certain replies from BB1 to come in
to R1 on the inbound ACL, based on the question requirements. I think in your
case you will need to allow the response if the source of the traffic is
R1's inside interface address.
If you get this question in the exam, you had better clarify it with the proctor,
although usually the exam questions are clear and straightforward.
Regards
Adel
On Mon, Mar 17, 2008 at 2:04 PM, nagendra kumar <nagendranainar@yahoo.co.in>
wrote:
> Hi All,
>
> (outside)BB1----------------R1(Inside)
>
> When we configure a Reflexive ACL it will not affect the local router
> (it will not create a temporary permit ACL if the traffic is originated from
> the local router, R1 in this case). This would break IP reachability from
> this router to the outside network. I know we can configure an explicit permit for
> all ICMP packets from outside to inside for all addresses on R1. But it
> seems to violate the question, as the question will be to allow ICMP only
> if it is originated from inside.
>
> Can someone please let me know if you have any other alternate solution.
>
> P.S.: I remember reading somewhere that changing the outgoing source
> address will solve the issue. But I tried pinging the outside network with the
> loopback address of R1 and still ended up with the same ICMP error message,
> "administratively prohibited unreachable".
>
> Regards,
> Nagendra
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
Regards
Adel Karim Mansour
CCIE# 20147 R&S
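As an added example (not configuration from the original thread), here is how the approach Adel describes looks on R1 in IOS: the reflexive ACL handles inside-originated sessions, and the replies to traffic R1 itself sends are permitted explicitly, scoped to R1's own addresses rather than opened for everyone. Interface names, addresses, and the choice of OSPF as the routing protocol are assumed for illustration.

```cisco
! Assumed: FastEthernet0/0 10.0.0.1/24 faces BB1 (outside),
! Loopback0 1.1.1.1/32 is the loopback used as a ping source, OSPF is the IGP.
interface FastEthernet0/0
 description to BB1 (outside)
 ip address 10.0.0.1 255.255.255.0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
ip access-list extended OUTBOUND
 ! Traffic leaving toward BB1 creates temporary entries in MIRROR.
 ! Packets generated by R1 itself pass this ACL but are NOT reflected,
 ! so their replies will not match "evaluate MIRROR" below.
 permit icmp any any reflect MIRROR
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit ip any any
!
ip access-list extended INBOUND
 ! Control-plane traffic the question requires (here: the IGP)
 permit ospf any any
 ! Replies to traffic R1 originated: no reflexive entry exists for these,
 ! so permit them explicitly, only toward R1's own addresses (not "any").
 permit icmp any host 10.0.0.1 echo-reply
 permit icmp any host 10.0.0.1 time-exceeded
 permit icmp any host 10.0.0.1 unreachable
 ! Needed as well if pings are sourced from Loopback0 ("ping x.x.x.x source lo0")
 permit icmp any host 1.1.1.1 echo-reply
 ! Return traffic for sessions that inside hosts started
 evaluate MIRROR
 ! Everything else, including unsolicited ICMP from BB1, is dropped
 deny ip any any log
```

To check the behaviour, ping BB1 from an inside host and then `show access-lists MIRROR`: a temporary `permit icmp host <BB1> host <inside-host>` entry appears and ages out. Ping BB1 from R1 itself and the list stays empty, which is why the explicit `echo-reply` lines are needed; without them, the final `deny` is what generates the "administratively prohibited" unreachable Nagendra saw. Note that the explicit permits, being listed before `evaluate MIRROR`, are matched first, and `time-exceeded`/`unreachable` are included so that `traceroute` from R1 works as well as `ping`. On IOS releases whose CBAC supports the `router-traffic` keyword on `ip inspect name`, inspecting router-generated traffic is an alternative, but a reflexive ACL on its own never reflects the router's own packets.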
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART