From: Rich Collins (nilsi2002@gmail.com)
Date: Wed Apr 30 2008 - 19:31:38 ART
I just tried it out on a lab setup and this should illustrate it nicely for you.
R4 ======= R3========R1=====R5
s1/0
Allow R4 to ping R5 but not R1 (or anything else) via R3
On R3
ip access-list extended EVALREFLECT
evaluate ICMP
deny icmp any any log
permit ip any any
ip access-list extended MYFWREFLECT
permit icmp any host 142.22.135.5 reflect ICMP
permit ip any any
Int s1/0
ip access-group MYFWREFLECT in
ip access-group EVALREFLECT out
R3#
*Mar 1 05:03:25.502: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 05:03:28.726: %SEC-6-IPACCESSLOGDP: list EVALREFLECT denied icmp 142.22.135.1 -> 142.22.34.4 (0/0), 1 packet
R3#sh ip access-lists
Extended IP access list EVALREFLECT
10 evaluate ICMP
20 deny icmp any any log (5 matches)
30 permit ip any any
Reflexive IP access list ICMP
permit icmp host 142.22.135.5 host 142.22.34.4 (19 matches) (time left 293)
Extended IP access list MYFWREFLECT
10 permit icmp any host 142.22.135.5 reflect ICMP (22 matches)
20 permit ip any any (31 matches)
R3#
-Rich
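The mechanism in Rich's lab, as an added example that is not part of the thread or any Cisco code: a small Python model of the two lists on R3's s1/0, replaying R4's ping to R5 (mirror entry created inbound, reply matched by evaluate outbound), R1's ping to R4 (no entry, so the deny line logs it) and a ping originated by R3 itself (skipped by the outbound list, as Chris notes). The address 142.22.34.3 for R3 is made up; the other addresses are the ones in the thread.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    router_generated: bool = False  # originated by R3 itself

@dataclass
class ReflexiveFilter:
    protected: str                              # host named in the reflect entry
    mirror: set = field(default_factory=set)    # reflexive list "ICMP": (proto, src, dst)
    log: list = field(default_factory=list)

    def inbound(self, p: Pkt) -> bool:
        """MYFWREFLECT, applied IN on s1/0 (traffic arriving from R4)."""
        if p.proto == "icmp" and p.dst == self.protected:  # 10 permit icmp any host R5 reflect ICMP
            self.mirror.add((p.proto, p.dst, p.src))      # mirror image: src and dst swapped
        return True                                        # 20 permit ip any any

    def outbound(self, p: Pkt) -> bool:
        """EVALREFLECT, applied OUT on s1/0 (traffic leaving toward R4)."""
        if p.router_generated:
            return True    # locally generated traffic is not checked against outbound ACLs
        if (p.proto, p.src, p.dst) in self.mirror:         # 10 evaluate ICMP
            return True
        if p.proto == "icmp":                              # 20 deny icmp any any log
            self.log.append(f"list EVALREFLECT denied icmp {p.src} -> {p.dst}")
            return False
        return True                                        # 30 permit ip any any

R4, R5, R1 = "142.22.34.4", "142.22.135.5", "142.22.135.1"  # addresses from the thread
R3 = "142.22.34.3"  # made-up address for R3's own interface
def lab_scenario() -> dict:
    """Replay the thread's cases and return each verdict plus the state it left."""
    fw = ReflexiveFilter(protected=R5)
    fw.inbound(Pkt("icmp", R4, R5))                 # R4's echo request enters s1/0
    return {
        "R5 reply to R4": fw.outbound(Pkt("icmp", R5, R4)),   # matched by evaluate
        "R1 ping R4": fw.outbound(Pkt("icmp", R1, R4)),       # no entry: denied and logged
        "R3 ping R4": fw.outbound(Pkt("icmp", R3, R4, router_generated=True)),
        "mirror": sorted(fw.mirror),
        "log": list(fw.log),
    }

if __name__ == "__main__":
    for name, verdict in lab_scenario().items():
        print(f"{name}: {verdict}")
```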
On 4/30/08, Chris McGuire <cmcguire@firstdigital.com> wrote:
>
> One thing to keep in mind. Router generated traffic is not checked against
> outbound filters. You could apply an ACL that denies all traffic outbound on
> an interface and still be able to ping from that router to a neighbor
> router. So you will not have a reflection back for your router generated
> traffic if you are using Reflexive lists. This may have something to do with
> it but I cannot tell for sure because I don't know the topology or where you
> have applied these ACLs specifically. You may want to upload the configs of
> the ACLs and the interfaces you have applied them to.
>
> Thanks,
> Chris
>
>
> On 4/30/08 2:37 PM, "olumayokun fowowe" <olumayokun@gmail.com> wrote:
>
> > Hello all,
> >
> > I was listening to the Internetwork Expert CoD on Security. My problem has
> > to do with the Reflexive access list part, where we have MYFWEVAL and
> > MYFWREFLECT. In the CoD, MYFWEVAL was applied IN on the serial interface and
> > MYFWREFLECT as OUT on the same interface. When I tried replicating this with
> > dynamips, I couldn't ping R5 or R4 until I inverted the access list. I
> > applied MYFWREFLECT as IN and MYFWEVAL as OUT, then the Reflexive access
> > list worked. Please can anybody tell me the correct implementation.
> > Thanks.
> >
> >
> > Pass the CCIE in six weeks, Guaranteed!
> > http://www.certscience.com/CCIE
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
>
> Chris S. McGuire
> Network Engineer
> Phone: 801-456-1028
> Fax: 801-456-1010
> Email: cmcguire@firstdigital.com
This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:52 ART