From: Thor Kopp (thorkopp@googlemail.com)
Date: Sun May 25 2008 - 11:10:22 ART
I'm doing an example on reflective access-lists and the question asks only
to allow telnet & tftp. If I just put permit udp any any eq tftp reflect
STATEFUL it's not going to work because only the first packet of a tftp
transfer is port 69, the remaining traffic uses random ports above 1023
(usually 50000+ from what I've seen) and as I'm not reflecting all udp
traffic, it didn't work. Without using CBAC, is there a cleaner way to get
this working with reflective access-lists than what I have below? I had to
put the explicit permit in the inbound ACL because the first packet that
comes back in response to my initial packet on udp 69 won't get through, so I
guess I could have just had permit udp any gt 1023 any gt 1023 without
reflecting that traffic. I'm assuming transit traffic only and not locally
originated traffic, so I'm not using the ip local policy command on the
router.
ip access-list extended S0-0-23-IN
 permit ospf any any
 permit udp any gt 1023 any gt 1023
 evaluate STATEFUL
ip access-list extended S0-0-23-OUT
 permit tcp any any eq www reflect STATEFUL
 permit tcp any any eq telnet reflect STATEFUL
 permit udp any any eq tftp reflect STATEFUL
 permit udp any gt 1023 any gt 1023 reflect STATEFUL
 permit ospf any any
!
interface Serial0/0.23 point-to-point
 ip address 10.1.23.2 255.255.255.0
 frame-relay interface-dlci 203
 ip access-group S0-0-23-OUT out
 ip access-group S0-0-23-IN in
- Thor
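As an added example that is not part of the original post or of any Cisco code: a small Python model of the reflect/evaluate matching the post relies on, with constructed addresses and ports, showing why the TFTP server's first reply (sent from a fresh ephemeral port, not from 69) fails the reflected entry and only passes because of the static "gt 1023 ... gt 1023" line in the inbound ACL.

```python
# Toy model of IOS reflexive ACL state, written for this example.
# A reflected entry is the exact mirror of the outbound 5-tuple; 'evaluate'
# admits an inbound packet only if it matches such an entry exactly.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def reflect(pkt):
    """Entry the 'reflect' keyword creates: the mirror image of the outbound packet."""
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def reflected(pkt, state):
    """'evaluate STATEFUL': the inbound packet must match a mirrored entry exactly."""
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in state


def high_ports(pkt):
    """The static inbound line 'permit udp any gt 1023 any gt 1023'."""
    return pkt.proto == "udp" and pkt.sport > 1023 and pkt.dport > 1023


def tftp_exchange(use_static_permit):
    """Walk the first packets of a TFTP read across the router (constructed hosts).
    Returns (first_reply_permitted, later_data_permitted)."""
    state = set()
    client, server = "10.1.1.10", "10.1.3.50"   # constructed addresses
    # 1. Outbound RRQ to port 69 matches 'permit udp any any eq tftp reflect'.
    rrq = Pkt("udp", client, 55000, server, 69)
    state.add(reflect(rrq))
    # 2. The server answers from a new ephemeral port, so the mirror of the RRQ
    #    (which expects source port 69) does not match.
    data1 = Pkt("udp", server, 51234, client, 55000)
    ok1 = reflected(data1, state) or (use_static_permit and high_ports(data1))
    if not ok1:
        return (False, False)        # transfer never gets past the first block
    # 3. The client's ACK to the server's new port is reflected by the outbound
    #    'permit udp any gt 1023 any gt 1023 reflect' line, so later data matches.
    ack = Pkt("udp", client, 55000, server, 51234)
    state.add(reflect(ack))
    data2 = Pkt("udp", server, 51234, client, 55000)
    return (True, reflected(data2, state))
```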