RE: Reflexive ACL question IE Solutions Guide

From: Scott Morris (smorris@ipexpert.com)
Date: Thu Mar 27 2008 - 11:04:17 ART

• Next message: Azhar Ali: "WiMax/NGN Basic Tutoial/Guide !"
• Previous message: Navid Daghighi: "matching length"
• Maybe in reply to: Mike Haddad: "Reflexive ACL question IE Solutions Guide"
• Next in thread: Mike Haddad: "RE: Reflexive ACL question IE Solutions Guide"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Reflexive ACLs are designed to be aware of the echo/echo-reply pairing.

"If the original triggering packet is a protocol other than TCP or UDP, port
numbers do not apply, and other criteria are specified. For example, for
ICMP, type numbers are used: the temporary entry specifies the same type
number as the original packet (with only one exception: if the original ICMP
packet is type 8, the returning ICMP packet must be type 0 to be matched)."
 
So unless you are limiting what outbound stuff you wanted to happen.

HTH,

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor

smorris@ipexpert.com

Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
steveaggie@gmail.com
Sent: Thursday, March 27, 2008 9:04 AM
To: 'Mike Haddad'; ccielab@groupstudy.com
Subject: RE: Reflexive ACL question IE Solutions Guide

If ICMP needs to transit the router and BB1 pings a router on the other side
of R5 how will the echo-reply get back out? It needs to be permitted
outbound which would be covered by the line you question.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike
Haddad
Sent: Thursday, March 27, 2008 1:20 AM
To: ccielab@groupstudy.com
Subject: Reflexive ACL question IE Solutions Guide

Hello,

   The question says allow ICMP to transit your router. The ACL represented
in the IE Solutions guide is as follows:

ip access-list extended INBOUND
permit icmp any any echo
permit icmp any any echo-reply
permit ospf any any
evaluate REFLEXIVE

ip access-list extended OUTBOUND
permit icmp any any echo
permit icmp any any echo-reply -> I think this irrelevant since we will
never match an ICMP echo-reply on outbound traffic. Even if the ICMP came
from BB1 for example the routers behind this router will echo back permit
tcp any any reflect REFLEXIVE permit udp any any reflect REFLEXIVE

Please see my note above. Am I correct?
Regards,

• Next message: Azhar Ali: "WiMax/NGN Basic Tutoial/Guide !"
• Previous message: Navid Daghighi: "matching length"
• Maybe in reply to: Mike Haddad: "Reflexive ACL question IE Solutions Guide"
• Next in thread: Mike Haddad: "RE: Reflexive ACL question IE Solutions Guide"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART