From: Scott Morris (smorris@ipexpert.com)
Date: Thu Mar 27 2008 - 12:15:07 ART
Other direction.
If your outbound ACL is what's limiting things users can do... If you have
a "permit ip any any" as an example, you will be able to ping the devices
just fine because the echo-reply will be allowed back in regardless of
whether your inbound ACL has an entry for that anyway.
ONLY if you want your BB/beyond routers to ping YOU do you need to permit
ICMP echo on the inbound ACL.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike Haddad
Sent: Thursday, March 27, 2008 10:58 AM
To: smorris@ipexpert.com; steveaggie@gmail.com; ccielab@groupstudy.com
Subject: RE: Reflexive ACL question IE Solutions Guide
Hello Guys,

I did lab it and without the echo-reply, routers behind this Router were
responding to ICMP Echoes from BB1. To my knowledge,
if my router wants to ping or reply to ping requests from my router I need
to allow ICMP Echo in and out.
In order for my router to receive the echo-replies I have to allow
echo-reply incoming.
Now when routers behind my router want to reply to echo from BB1 they were
not matching the echo-reply, however they were matching the echo.
Therefore, Echo-reply is for the router issuing the echo to receive the
reply back. The destination router will always echo. I know there are some
contradictions here because when the destination router replies back the ICMP
will be of type 0.

Waiting for your feedback,

Regards,
> From: smorris@ipexpert.com
> To: steveaggie@gmail.com; mike.haddad@hotmail.com; ccielab@groupstudy.com
> Subject: RE: Reflexive ACL question IE Solutions Guide
> Date: Thu, 27 Mar 2008 10:04:17 -0400
>
> Reflexive ACLs are designed to be aware of the echo/echo-reply pairing.
>
> "If the original triggering packet is a protocol other than TCP or UDP, port
> numbers do not apply, and other criteria are specified. For example, for
> ICMP, type numbers are used: the temporary entry specifies the same type
> number as the original packet (with only one exception: if the original ICMP
> packet is type 8, the returning ICMP packet must be type 0 to be matched)."
>
> So unless you are limiting what outbound stuff you wanted to happen.
>
> HTH,
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
> #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> VP - Technical Training - IPexpert, Inc.
> IPexpert Sr. Technical Instructor
> smorris@ipexpert.com
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> http://www.ipexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> steveaggie@gmail.com
> Sent: Thursday, March 27, 2008 9:04 AM
> To: 'Mike Haddad'; ccielab@groupstudy.com
> Subject: RE: Reflexive ACL question IE Solutions Guide
>
> If ICMP needs to transit the router and BB1 pings a router on the other side
> of R5 how will the echo-reply get back out? It needs to be permitted
> outbound which would be covered by the line you question.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike
> Haddad
> Sent: Thursday, March 27, 2008 1:20 AM
> To: ccielab@groupstudy.com
> Subject: Reflexive ACL question IE Solutions Guide
>
> Hello,
>
> The question says allow ICMP to transit your router. The ACL represented in
> the IE Solutions guide is as follows:
>
> ip access-list extended INBOUND
>  permit icmp any any echo
>  permit icmp any any echo-reply
>  permit ospf any any
>  evaluate REFLEXIVE
>
> ip access-list extended OUTBOUND
>  permit icmp any any echo
>  permit icmp any any echo-reply  -> I think this is irrelevant since we will
>  never match an ICMP echo-reply on outbound traffic. Even if the ICMP came
>  from BB1 for example the routers behind this router will echo back
>  permit tcp any any reflect REFLEXIVE
>  permit udp any any reflect REFLEXIVE
>
> Please see my note above.
> Am I correct?
>
> Regards,
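A small constructed Python model of the two directions argued over in this thread (added here; not code from the thread, from IPexpert or from IOS): it encodes the IE-guide INBOUND/OUTBOUND lists as data together with the type 8 / type 0 pairing from the quoted Cisco text, and shows which ACL line each echo-reply depends on. Hostnames R5, R6 (a router behind R5) and BB1 are placeholders, and `reflect`/`evaluate` are reduced to a per-flow mirrored entry.

```python
# Constructed model of the thread's two ICMP directions: the IE-guide INBOUND and
# OUTBOUND lists as data plus the type-8 -> type-0 pairing quoted from Cisco's doc.
ECHO, ECHO_REPLY = 8, 0                      # ICMP type numbers; R5/R6/BB1 are placeholders
# An ACE is (proto, icmp_type or None, reflect); "evaluate" is 'evaluate REFLEXIVE'.
INBOUND = [("icmp", ECHO, False), ("icmp", ECHO_REPLY, False),
           ("ospf", None, False), "evaluate"]
OUTBOUND = [("icmp", ECHO, False), ("icmp", ECHO_REPLY, False),
            ("tcp", None, True), ("udp", None, True)]

def icmp(itype, src, dst):
    return {"proto": "icmp", "type": itype, "src": src, "dst": dst}

def mirror(pkt):
    """Temporary reflexive entry: same ICMP type, except type 8 becomes type 0."""
    t = ECHO_REPLY if pkt["proto"] == "icmp" and pkt["type"] == ECHO else pkt["type"]
    return {"proto": pkt["proto"], "type": t, "src": pkt["dst"], "dst": pkt["src"]}

def matches(proto, itype, pkt):
    return proto == pkt["proto"] and (itype is None or itype == pkt["type"])

def check(acl, pkt, state):
    """Walk the ACL top-down; reflect ACEs add state, 'evaluate' consults it."""
    for ace in acl:
        if ace == "evaluate":
            if any(matches(s["proto"], s["type"], pkt) and
                   (s["src"], s["dst"]) == (pkt["src"], pkt["dst"]) for s in state):
                return True
            continue
        proto, itype, reflect = ace
        if matches(proto, itype, pkt):
            if reflect:
                state.append(mirror(pkt))
            return True
    return False                             # implicit deny

def bb1_pings_r6(outbound):
    """BB1's echo enters via INBOUND; R6's reply (behind R5) must leave via OUTBOUND."""
    state = []
    return (check(INBOUND, icmp(ECHO, "BB1", "R6"), state),
            check(outbound, icmp(ECHO_REPLY, "R6", "BB1"), state))

def r5_pings_bb1(inbound, outbound):
    """R5's own echo leaves via OUTBOUND; BB1's reply must re-enter via INBOUND."""
    state = []
    return (check(outbound, icmp(ECHO, "R5", "BB1"), state),
            check(inbound, icmp(ECHO_REPLY, "BB1", "R5"), state))

# Variants: drop the outbound echo-reply line Mike questioned; or reflect ICMP
# outbound and rely on 'evaluate' inbound, the case Scott's reply alludes to.
NO_OUT_REPLY = [a for a in OUTBOUND if a != ("icmp", ECHO_REPLY, False)]
REFLECT_ICMP_OUT = [("icmp", None, True)] + OUTBOUND[2:]
ONLY_EVALUATE_IN = [("ospf", None, False), "evaluate"]
```

`bb1_pings_r6(NO_OUT_REPLY)` returns `(True, False)`: the echo from BB1 gets in, but a router behind R5 cannot answer without the outbound echo-reply line. `r5_pings_bb1(ONLY_EVALUATE_IN, REFLECT_ICMP_OUT)` returns `(True, True)` because the mirrored entry (type 8 mirrored as type 0) lets the reply back in with no static inbound line at all.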
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART