Re: Reflexive ACLs

From: Alexandre Ribeiro (alexandregomesribeiro@gmail.com)
Date: Thu Jul 03 2008 - 09:51:58 ART


Ok, I understand this, and because of that on the incoming access-list I'm
allowing echo-reply packets. Another method as pointed out would be to set a
local policy to set the output interface to lo0, so that the traffic would
be reflected.

However I wanted to do this without using local policy, so I explicitly
allowed echo-reply on the outside interface, on the incoming direction, so
that these packets would be allowed in. What I'm seeing is that echo-replies
are indeed allowed in, but I also need to allow echos in, since when I'm
pinging a local interface (in this case e0/0) the ping appears to the router
as coming from the outside.

Hasn't anyone ever experienced this?

On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer <beyer@optonline.net> wrote:

> Reflexive ACLs do not work on the local router itself, unless you source
> them from an "inside" interface. With your configuration, your outgoing
> packets are not reflected, and therefore are not evaluated by the incoming
> firewall ruleset.
>
> Bill
>
> Alexandre Ribeiro wrote:
>
>> Hello all,
>>
>> I have the following access-lists defined:
>>
>> Extended IP access list ANALYZE
>> 10 permit icmp any any reflect REFLEXIVE (5 matches)
>> 20 permit udp any any reflect REFLEXIVE
>> 30 permit tcp any any reflect REFLEXIVE (17 matches)
>> 40 deny ip any any log
>>
>> Extended IP access list FIREWALL
>> 5 permit icmp any any echo-reply
>> 10 permit udp any any eq rip (171 matches)
>> 20 permit tcp any any eq bgp
>> 30 permit tcp any eq bgp any (63 matches)
>> 40 permit tcp any eq telnet any (64 matches)
>> 60 evaluate REFLEXIVE
>> 70 deny ip any any log (80 matches)
>>
>>
>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound
>> of e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2) but...
>>
>> when I do a local ping to E0/0 the packets are denied (!). If I add a line
>> to FIREWALL:
>>
>> 7 permit icmp any any echo
>>
>> the ping works.
>>
>>
>> How does a router process a ping to a local interface? Does it consider
>> locally originated traffic as inbound traffic? This is the only
>> explanation I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
>>
>> Thanks to anyone that can shed some light on this.
>>
>> Regards,
>> Alex
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
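The behaviour discussed in this thread, as an added example that is not part of the original posts and not IOS code: a small Python model of reflexive ACL evaluation. It loads the ANALYZE and FIREWALL lists as Alex posted them, reflects outbound transit packets into a temporary REFLEXIVE list, and consults that list on "evaluate". Router-originated packets skip the outbound ACL (Bill's point), so their replies only get in through an explicit permit; a ping to the router's own e0/0 address is modelled as being checked by the inbound ACL, which is the observation Alex reports. The packet fields, the simplified ACE matching and the addresses 10.1.1.0/24 and 192.0.2.5 are constructed for the example.

```python
# Added example (not from the thread): a simplified model of how IOS
# reflexive ACLs build and consult their temporary entries. Packet fields,
# ACE matching and the "local ping is checked inbound" rule are assumptions
# chosen to reproduce the behaviour described in the posts.
from dataclasses import dataclass
from typing import Optional

RIP, BGP, TELNET = 520, 179, 23          # ports named in the FIREWALL list


@dataclass(frozen=True)
class Packet:
    proto: str                           # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0                       # 0 for ICMP
    dport: int = 0
    icmp_type: str = ""                  # "echo" / "echo-reply"

    def mirrored(self) -> "Packet":
        """Return-direction packet that a reflected entry permits."""
        if self.proto == "icmp":
            reply = {"echo": "echo-reply", "echo-reply": "echo"}[self.icmp_type]
            return Packet("icmp", self.dst, self.src, icmp_type=reply)
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    sport: Optional[int] = None          # "permit tcp any eq bgp any"
    dport: Optional[int] = None          # "permit udp any any eq rip"
    icmp_type: Optional[str] = None
    reflect: Optional[str] = None        # reflexive list to populate
    evaluate: Optional[str] = None       # reflexive list to consult

    def matches(self, p: Packet) -> bool:
        # None means "any" for each optional field
        return (self.proto in ("ip", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))


class ReflexiveRouter:
    """One interface (e0/0): ANALYZE outbound, FIREWALL inbound."""

    def __init__(self, outbound, inbound, own_address):
        self.outbound, self.inbound, self.own_address = outbound, inbound, own_address
        self.reflexive: dict = {}        # list name -> set of mirrored packets

    def _apply(self, acl, pkt) -> bool:
        for ace in acl:
            if ace.evaluate is not None:
                # "evaluate": permit only when a reflected entry matches
                if pkt in self.reflexive.get(ace.evaluate, set()):
                    return True
                continue
            if ace.matches(pkt):
                if ace.action == "permit" and ace.reflect is not None:
                    self.reflexive.setdefault(ace.reflect, set()).add(pkt.mirrored())
                return ace.action == "permit"
        return False                     # implicit deny

    def send_transit(self, pkt) -> bool:
        """Forwarded packet: passes the outbound ACL and is reflected."""
        return self._apply(self.outbound, pkt)

    def send_local(self, pkt) -> bool:
        """Router-originated packet: outbound ACLs are not run on the router's
        own traffic, so nothing is reflected. Assumption: a ping to the
        router's own interface address is checked by the inbound ACL."""
        return self.receive(pkt) if pkt.dst == self.own_address else True

    def receive(self, pkt) -> bool:
        """Packet arriving on e0/0: subject to the inbound ACL."""
        return self._apply(self.inbound, pkt)


def analyze():
    """The ANALYZE list from the post."""
    return [Ace("permit", p, reflect="REFLEXIVE") for p in ("icmp", "udp", "tcp")] + [Ace("deny", "ip")]


def firewall(extra_icmp=()):
    """FIREWALL from the post; extra_icmp adds the explicit ICMP lines 5 and 7."""
    return [Ace("permit", "icmp", icmp_type=t) for t in extra_icmp] + [
        Ace("permit", "udp", dport=RIP), Ace("permit", "tcp", dport=BGP),
        Ace("permit", "tcp", sport=BGP), Ace("permit", "tcp", sport=TELNET),
        Ace("permit", "ip", evaluate="REFLEXIVE"), Ace("deny", "ip")]


OUTSIDE, INSIDE, ROUTER = "192.0.2.5", "10.1.1.1", "10.1.1.254"   # constructed addresses


def ping_results(extra_icmp=()):
    """Outcome of three pings through/from the router for one FIREWALL variant."""
    r = ReflexiveRouter(analyze(), firewall(extra_icmp), ROUTER)
    transit = Packet("icmp", INSIDE, OUTSIDE, icmp_type="echo")   # host behind router
    local = Packet("icmp", ROUTER, OUTSIDE, icmp_type="echo")     # ping sourced by router
    to_self = Packet("icmp", ROUTER, ROUTER, icmp_type="echo")    # ping to e0/0's own address
    r.send_transit(transit)
    r.send_local(local)
    return {"transit_reply": r.receive(transit.mirrored()),
            "local_reply": r.receive(local.mirrored()),
            "self_ping": r.send_local(to_self)}


if __name__ == "__main__":
    for lines in ((), ("echo-reply",), ("echo-reply", "echo")):
        print(lines or "no explicit ICMP lines", ping_results(lines))
```

Running it shows the three states from the thread: with no explicit ICMP permits only the transit host's reply gets in; adding line 5 (echo-reply) admits the router-sourced ping's reply but not the ping to e0/0's own address; adding line 7 (echo) as well makes that ping work too.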



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART