Reflexive ACLs

From: Alexandre Ribeiro (alexandregomesribeiro@gmail.com)
Date: Wed Jul 02 2008 - 14:01:10 ART


Hello all,

I have the following access-lists defined:

Extended IP access list ANALYZE
    10 permit icmp any any reflect REFLEXIVE (5 matches)
    20 permit udp any any reflect REFLEXIVE
    30 permit tcp any any reflect REFLEXIVE (17 matches)
    40 deny ip any any log

Extended IP access list FIREWALL
    5 permit icmp any any echo-reply
    10 permit udp any any eq rip (171 matches)
    20 permit tcp any any eq bgp
    30 permit tcp any eq bgp any (63 matches)
    40 permit tcp any eq telnet any (64 matches)
    60 evaluate REFLEXIVE
    70 deny ip any any log (80 matches)

ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound of
e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2) but...

when I do a local ping to E0/0 the packets are denied (!). If I add a line
to FIREWALL:

7 permit icmp any any echo

the ping works.

How does a router process a ping to a local interface? Does it consider
locally originated traffic as inbound traffic? This is the only explanation
I can come up with, other than a bug on IOS (12.4(13b) on a 3640).

Thanks to anyone who can shed some light on this.

Regards,
Alex
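As an added illustration (not code from the post, the lab, or Cisco), the following Python model evaluates the ANALYZE and FIREWALL lists above with reflect/evaluate semantics and reproduces the symptom described. It assumes that packets the router generates itself are not run through the interface's outbound ACL (so no reflexive entry is created for the local ping); the Pkt/Router helpers and the 10.1.1.x / 192.0.2.53 addresses are constructed for the example.

```python
from collections import namedtuple
# proto is "icmp", "udp" or "tcp"; dport doubles as the ICMP type; local marks router-generated packets
Pkt = namedtuple("Pkt", "proto src dst sport dport local", defaults=(0, 0, False))

def ace(action, proto="ip", **kw):   # one ACE with optional sport/dport/reflect/evaluate keys
    return dict(action=action, proto=proto, **kw)

ANALYZE = [ace("permit", "icmp", reflect="REFLEXIVE"), ace("permit", "udp", reflect="REFLEXIVE"),
           ace("permit", "tcp", reflect="REFLEXIVE"), ace("deny")]
FIREWALL = [ace("permit", "icmp", dport=0),                                    # echo-reply (type 0)
            ace("permit", "udp", dport=520),                                   # rip
            ace("permit", "tcp", dport=179), ace("permit", "tcp", sport=179),  # bgp
            ace("permit", "tcp", sport=23),                                    # telnet
            ace("evaluate", evaluate="REFLEXIVE"), ace("deny")]

class Router:
    def __init__(self, inbound_acl=FIREWALL, outbound_acl=ANALYZE):
        self.in_acl, self.out_acl = inbound_acl, outbound_acl
        self.reflexive = {}   # name -> set of temporary (mirrored) 5-tuples
    @staticmethod
    def _key(p, mirror):   # reflexive entries mirror addresses and ports; the ICMP type is not tracked
        sp, dp = (0, 0) if p.proto == "icmp" else (p.sport, p.dport)
        return (p.proto, p.dst, p.src, dp, sp) if mirror else (p.proto, p.src, p.dst, sp, dp)

    def _run(self, acl, p):
        for a in acl:
            if "evaluate" in a:   # the temporary entries are nested into the ACL at this line
                if self._key(p, False) in self.reflexive.get(a["evaluate"], set()):
                    return "permit"
                continue
            if a["proto"] in ("ip", p.proto) and all(a[k] == getattr(p, k) for k in ("sport", "dport") if k in a):
                if "reflect" in a:   # permit, and add the mirrored entry that admits the return traffic
                    self.reflexive.setdefault(a["reflect"], set()).add(self._key(p, True))
                return a["action"]
        return "deny"             # implicit deny at the end of every ACL
    # Assumption of this model: packets the router generates itself skip the outbound ACL.
    def outbound(self, p): return "bypass" if p.local else self._run(self.out_acl, p)
    def inbound(self, p): return self._run(self.in_acl, p)

def transit_dns():   # a host behind e0/0 queries DNS; only the evaluate line admits the reply
    r = Router()
    r.outbound(Pkt("udp", "10.1.1.10", "192.0.2.53", 40000, 53))
    return r.inbound(Pkt("udp", "192.0.2.53", "10.1.1.10", 53, 40000))

def local_ping(with_line_7=False):   # the router pings its own e0/0 address (the symptom in the post)
    r = Router([ace("permit", "icmp", dport=8)] + FIREWALL if with_line_7 else FIREWALL)
    req = Pkt("icmp", "10.1.1.1", "10.1.1.1", dport=8, local=True)
    r.outbound(req)   # bypassed, so REFLEXIVE stays empty and the echo has nothing to match
    return r.inbound(req)
```

In this model the bypass assumption is what produces the deny: had the local echo passed ANALYZE, its mirrored entry would be identical to its own key (same source and destination, ICMP type untracked) and the evaluate line would permit it without line 7.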



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART