From: Tyson Scott (tscott@ipexpert.com)
Date: Thu Jul 03 2008 - 12:28:30 ART
Alex,
There are a few versions of code that I have seen this in. For the
router to ping itself you need to allow echo on the inbound ACL. You
shouldn't have to do this with an any any, but you will have to add
permit icmp host 1.1.1.1 host 1.1.1.1 echo. Yeah, I remember the first
time I ran into this a few years back I was thinking, what the heck is
going on.
On Thu, Jul 3, 2008 at 9:07 AM, Alexandre Ribeiro
<alexandregomesribeiro@gmail.com> wrote:
> This is not specific to reflexive ACLs. A simple test:
>
> Config the interface:
>
> Router(config)#int e0/0
> Router(config-if)#ip add 1.1.1.1 255.255.255.0
> Router(config-if)#
> Router(config-if)#do ping 1.1.1.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> !!!!!
>
>
> Set an access-list that just allows echo-reply inbound:
>
> Router(config)#ip access-l extended test
> Router(config-ext-nacl)#50 permit icmp any any echo-reply
> Router(config-ext-nacl)#200 deny ip any any log
>
> Router#ping 1.1.1.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
>
> *Mar 3 02:35:00.210: %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 ->
> 1.1.1.1 (8/0), 1 packet .
> *Mar 3 02:35:02.206: %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 ->
> 1.1.1.1 (8/0), 1 packet ....
>
>
>
> Now set it to allow echos on the incoming direction:
>
>
> Router(config)#ip access-l exten test
> Router(config-ext-nacl)#100 permit icmp any any echo
> Router(config-ext-nacl)#do ping
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>
>
> So apparently when pinging a local interface, echoes appear to the local
> interface as coming from the outside, as do echo-replies.
>
> Alex
>
>
>
>
> On Thu, Jul 3, 2008 at 1:51 PM, Alexandre Ribeiro <
> alexandregomesribeiro@gmail.com> wrote:
>
>> Ok, I understand this, and because of that on the incoming access-list I'm
>> allowing echo-reply packets. Another method, as pointed out, would be to set a
>> local policy to set the output interface to lo0, so that the traffic would
>> be reflected.
>>
>> However, I wanted to do this without using local policy, so I explicitly
>> allowed echo-reply on the outside interface, in the incoming direction, so
>> that these packets would be allowed in. What I'm seeing is that echo-replies
>> are indeed allowed in, but I also need to allow echoes in, since when I'm
>> pinging a local interface (in this case e0/0) the ping appears to the router
>> as coming from the outside.
>>
>> Hasn't anyone ever experienced this?
>>
>>
>> On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer <beyer@optonline.net> wrote:
>>
>>> Reflexive ACLs do not work on the local router itself, unless you source
>>> them from an "inside" interface. With your configuration, your outgoing
>>> packets are not reflected, and therefore are not evaluated by the incoming
>>> firewall ruleset.
>>>
>>> Bill
>>>
>>> Alexandre Ribeiro wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have the following access-lists defined:
>>>>
>>>> Extended IP access list ANALYZE
>>>> 10 permit icmp any any reflect REFLEXIVE (5 matches)
>>>> 20 permit udp any any reflect REFLEXIVE
>>>> 30 permit tcp any any reflect REFLEXIVE (17 matches)
>>>> 40 deny ip any any log
>>>>
>>>> Extended IP access list FIREWALL
>>>> 5 permit icmp any any echo-reply
>>>> 10 permit udp any any eq rip (171 matches)
>>>> 20 permit tcp any any eq bgp
>>>> 30 permit tcp any eq bgp any (63 matches)
>>>> 40 permit tcp any eq telnet any (64 matches)
>>>> 60 evaluate REFLEXIVE
>>>> 70 deny ip any any log (80 matches)
>>>>
>>>>
>>>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound
>>>> of e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2)
>>>> but...
>>>>
>>>> when I do a local ping to E0/0 the packets are denied (!). If I add a
>>>> line to FIREWALL:
>>>>
>>>> 7 permit icmp any any echo
>>>>
>>>> the ping works.
>>>>
>>>>
>>>> How does a router process a ping to a local interface? Does it consider
>>>> locally originated traffic as inbound traffic? This is the only
>>>> explanation I can come up with, other than a bug in IOS (12.4(13b) on a
>>>> 3640).
>>>>
>>>> Thanks to anyone that can shed a light into this.
>>>>
>>>> Regards,
>>>> Alex
>>>>
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
--
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444 Fax: +1.810.454.0130
Mailto: tscott@ipexpert.com
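The full before/after configuration that the thread describes, as an added example and not a config posted by anyone in the thread. It assumes Alex's interface and address (e0/0, 1.1.1.1/24) and that the ACL `test` is applied inbound on that interface, which the quoted transcript implies but does not show; the ACL name, sequence numbers and comments are mine.

```cisco
! Added example (not from the thread). Assumed: e0/0 carries 1.1.1.1/24 and
! the ACL "test" is applied inbound on it, as in Alex's test.
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group test in
!
! Step 1: inbound ACL that permits only echo-reply. A ping to 1.1.1.1 issued
! on the router itself is evaluated against this inbound ACL and hits the
! deny, which is what the (8/0) in the log shows: ICMP type 8 code 0 = echo.
ip access-list extended test
 50 permit icmp any any echo-reply
 200 deny ip any any log
!
! Resulting log entry (per Alex's transcript):
! %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 -> 1.1.1.1 (8/0), 1 packet
!
! Step 2 (fix): permit the locally generated echo inbound. Scope it to the
! interface address rather than "any any", as Tyson suggests, so the entry
! does not open the interface to echo requests from outside.
ip access-list extended test
 40 permit icmp host 1.1.1.1 host 1.1.1.1 echo
!
! Verify: the ping now succeeds and the counter on sequence 40 increments.
! Router#ping 1.1.1.1
! Router#show ip access-lists test
```

In Alex's reflexive-ACL setup the same change applies to FIREWALL: keep `5 permit icmp any any echo-reply` and use `7 permit icmp host 1.1.1.1 host 1.1.1.1 echo` in place of the broader `7 permit icmp any any echo`. The thread only demonstrates a ping to the address of the interface carrying the ACL; pings to other local addresses are not tested there.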
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:53 ART