Re: Reflexive ACLs

From: Alexandre Ribeiro (alexandregomesribeiro@gmail.com)
Date: Thu Jul 03 2008 - 10:07:16 ART


This is not just related to reflexive ACLs. A simple test:

Config the interface:

Router(config)#int e0/0
Router(config-if)#ip add 1.1.1.1 255.255.255.0
Router(config-if)#
Router(config-if)#do ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!

Set an access-list that just allows echo-reply inbound:

Router(config)#ip access-l extended test
Router(config-ext-nacl)#50 permit icmp any any echo-reply
Router(config-ext-nacl)#200 deny ip any any log

Router#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar 3 02:35:00.210: %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 ->
1.1.1.1 (8/0), 1 packet .
*Mar 3 02:35:02.206: %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 ->
1.1.1.1 (8/0), 1 packet ....

Now set it to allow echos on the incoming direction:

Router(config)#ip access-l exten test
Router(config-ext-nacl)#100 permit icmp any any echo
Router(config-ext-nacl)#do ping

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

So apparently when pinging a local interface, echos appear to the local
interface as coming from the outside, as do echo-replies.

Alex
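An added example, not part of Alex's message or the thread: a small Python model of how the inbound list from the test above is evaluated against a ping to a local interface, which the router sees twice on the inbound side (the echo, ICMP 8/0, and the echo-reply, ICMP 0/0). The parser, the `evaluate`/`local_ping_result` helpers, the restriction to `any` addresses and the simplified match logic are assumptions of this example, not IOS code.

```python
# Constructed example: evaluate the IOS-style extended ACL lines quoted in the
# thread against the echo and echo-reply of a ping to a local interface.
ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # keyword -> ICMP type number


def parse_acl(text):
    """Parse lines like '50 permit icmp any any echo-reply' into
    (seq, action, proto, icmp_type_or_None), ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        seq, action, proto = int(parts[0]), parts[1], parts[2]
        # parts[3] and parts[4] are source/destination; the thread only uses 'any'
        rest = [p for p in parts[5:] if p != "log"]  # 'log' does not affect matching
        icmp_type = ICMP_TYPES[rest[0]] if rest else None
        entries.append((seq, action, proto, icmp_type))
    return sorted(entries)  # IOS walks entries in sequence-number order


def evaluate(acl, proto, icmp_type=None):
    """Return the action of the first matching entry, or the implicit deny
    that ends every IOS access list."""
    for _seq, action, aproto, atype in acl:
        if aproto not in ("ip", proto):
            continue
        if aproto == "icmp" and atype is not None and atype != icmp_type:
            continue
        return action
    return "deny"


# Inbound list from the test above, before and after the echo line was added.
BEFORE = """
50 permit icmp any any echo-reply
200 deny ip any any log
"""
AFTER = BEFORE + "100 permit icmp any any echo\n"


def local_ping_result(acl_text):
    """A ping to a local interface is looped back and hits the inbound ACL as
    the echo (type 8) and again as the echo-reply (type 0); both must pass."""
    acl = parse_acl(acl_text)
    echo = evaluate(acl, "icmp", ICMP_TYPES["echo"])
    reply = evaluate(acl, "icmp", ICMP_TYPES["echo-reply"])
    return {"echo": echo, "echo-reply": reply,
            "ping_ok": echo == "permit" and reply == "permit"}


if __name__ == "__main__":
    print(local_ping_result(BEFORE))  # echo denied: the (8/0) log line above
    print(local_ping_result(AFTER))   # both permitted: the ping succeeds
```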

On Thu, Jul 3, 2008 at 1:51 PM, Alexandre Ribeiro <
alexandregomesribeiro@gmail.com> wrote:

> Ok, I understand this, and because of that on the incoming access-list I'm
> allowing echo-reply packets. Another method as pointed out would be to set a
> local policy to set the output interface to lo0, so that the traffic would
> be reflected.
>
> However I wanted to do this without using local policy, so I explicitly
> allowed echo-reply on the outside interface, on the incoming direction, so
> that these packets would be allowed in. What I'm seeing is that echo-replies
> are indeed allowed in, but I also need to allow echos in, since when I'm
> pinging a local interface (in this case e0/0) the ping appears to the router
> as coming from the outside.
>
> Hasn't anyone ever experienced this?
>
>
> On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer <beyer@optonline.net> wrote:
>
>> Reflexive ACLs do not work on the local router itself, unless you source
>> them from an "inside" interface. With your configuration, your outgoing
>> packets are not reflected, and therefore are not evaluated by the incoming
>> firewall ruleset.
>>
>> Bill
>>
>> Alexandre Ribeiro wrote:
>>
>>> Hello all,
>>>
>>> I have the following access-lists defined:
>>>
>>> Extended IP access list ANALYZE
>>> 10 permit icmp any any reflect REFLEXIVE (5 matches)
>>> 20 permit udp any any reflect REFLEXIVE
>>> 30 permit tcp any any reflect REFLEXIVE (17 matches)
>>> 40 deny ip any any log
>>>
>>> Extended IP access list FIREWALL
>>> 5 permit icmp any any echo-reply
>>> 10 permit udp any any eq rip (171 matches)
>>> 20 permit tcp any any eq bgp
>>> 30 permit tcp any eq bgp any (63 matches)
>>> 40 permit tcp any eq telnet any (64 matches)
>>> 60 evaluate REFLEXIVE
>>> 70 deny ip any any log (80 matches)
>>>
>>>
>>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound of
>>> e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2) but...
>>>
>>> when I do a local ping to E0/0 the packets are denied (!). If I add a line
>>> to FIREWALL:
>>>
>>> 7 permit icmp any any echo
>>>
>>> the ping works.
>>>
>>>
>>> How does a router process a ping to a local interface? Does it consider
>>> locally originated traffic as inbound traffic? This is the only explanation
>>> I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
>>>
>>> Thanks to anyone who can shed some light on this.
>>>
>>> Regards,
>>> Alex
>>>
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART