From: Ahsan Mohiuddin (ahsan.mohiuddin@yahoo.com)
Date: Mon Mar 17 2008 - 10:55:54 ART
Hello Nagendra,
For the outbound ACL to apply to your local traffic, you must make the router think that this traffic is NOT local but rather that it is transiting the router.
To do this, you must route all traffic out a loopback interface. Upon returning from the loopback interface (i.e. getting looped) this traffic (including the traffic previously locally originated by the router) is considered to be transiting the router, so the ACL (reflexive in your case) is applied to it.
ip local-policy route-map LOOPOUT
route-map LOOPOUT perm 10
set interface loopback17
nagendra kumar <nagendranainar@yahoo.co.in> wrote:
Hi All,
(outside)BB1----------------R1(Inside)
When we configure a Reflexive ACL, it will not affect the local router (it will not create a temporary permit ACL if the traffic is originated from the local router, R1 in this case). This would break the IP reachability from this router to the outside network. I know we can configure an explicit permit for all ICMP packets from outside to inside for all addresses in R1. But it seems to violate the question, as the question will be to allow ICMP only if it is originated from inside.
Can someone please let me know if you have any other alternate solution.
P.S.: I remember reading somewhere that changing the outgoing source address will solve the issue. But I tried pinging the outside network with the loopback address of R1 and still ended up with the same ICMP error message, "administratively prohibited unreachable".
Regards,
Nagendra
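A complete R1 configuration putting the two posts together, as an added example that is not part of either message: the reflexive ACL pair on the outside interface, plus the local-policy loopback trick so that R1's own pings are reflected too. Interface names, addresses, timeouts and ACL names are assumptions.

```cisco
! Added example (not from the thread); names and addresses are assumed.
! Loopback used only to force router-originated packets back through the
! forwarding path, so the outbound reflexive ACL sees them as transit traffic.
interface Loopback17
 ip address 192.0.2.17 255.255.255.255
!
interface Serial0/0
 description outside, towards BB1
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Outbound: reflect inside-originated sessions into temporary entries.
ip access-list extended OUTBOUND
 permit icmp any any reflect ICMP-REFLECT timeout 60
 permit tcp any any reflect TCP-REFLECT
 permit udp any any reflect UDP-REFLECT
!
! Inbound: only the reflected return traffic is allowed; nothing else.
! Permit any routing protocol the lab runs with BB1 before the final deny.
ip access-list extended INBOUND
 evaluate ICMP-REFLECT
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 deny ip any any log
!
! Route all locally generated traffic out the loopback first; it returns
! as transit traffic and is matched by OUTBOUND, creating the reflexive entry.
route-map LOOPOUT permit 10
 set interface Loopback17
!
ip local policy route-map LOOPOUT
!
! Verify after "ping <BB1 address>" from R1:
!   show ip access-lists ICMP-REFLECT   (a temporary permit entry should appear)
!   show route-map LOOPOUT              (policy matches counter should increase)
```

Note that sourcing the ping from the loopback address, as tried in the original question, does not help by itself: the problem is not the source address but that locally generated packets bypass outbound ACLs unless they are policy-routed back through the forwarding path.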
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART