Effect of using reflexive ACL in a single direction

From: Xiangling (xianglingzj@gmail.com)
Date: Thu Dec 04 2008 - 03:44:59 ARST


When I was learning reflexive ACLs I thought that if you put the ACL on only a
single direction but not on the other direction, it would be treated the same
as a normal ACL (i.e., without the "reflect" keyword). Until recently, when I
met a real case and found myself wrong:

The topology of the case is shown below:

WLAN Client---WLAN Controller----6509 Switch----6509 Switch---FW and
Router----Internet

The WLAN clients are assigned IP addresses 172.27.0.0/16 and the NAT is done
on the first 6509 switch connecting to the WLAN controller, the inside
interface connecting to the WLAN controller is configured as below.

!
interface Vlan812
 description ADMIN-WLAN-Controller
 ip address 192.168.210.21 255.255.255.240
 no ip redirects
 ip nat inside
 standby 1 ip 192.168.210.30
 standby 1 priority 120
!
and the NAT configuration is shown below:
!
ip nat pool pool-ADMIN2 11.11.18.1 11.11.18.252 prefix-length 24
ip nat inside source route-map MAP-ADMIN2 pool pool-ADMIN2
!
ip access-list extended WLAN-ADMIN2
 deny ip 172.27.0.0 0.0.255.255 11.11.0.0 0.0.255.255
 deny tcp 172.27.0.0 0.0.255.255 any eq www
 deny ip 172.27.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 172.27.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 172.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 172.27.0.0 0.0.255.255 any log
!
route-map MAP-ADMIN2 permit 10
 match ip address WLAN-ADMIN2
!

With the following configuration, something weird happens: only TCP
traffic is translated, not UDP traffic, which causes some applications
that rely on UDP to fail.

ADMIN2#sh ip nat tran | in udp
ADMIN2#sh ip nat tran | in udp
ADMIN2#sh ip nat tran | in udp

More interestingly, after the following configuration change, UDP is now
translated and the applications start to work:

ADMIN2#config t
Enter configuration commands, one per line. End with CNTL/Z.
ADMIN2(config)#ip acce
ADMIN2(config)#ip access-list ex
ADMIN2(config)#ip access-list extended test812.in
ADMIN2(config-ext-nacl)#permit ip any any
ADMIN2(config-ext-nacl)#int vlan 812
ADMIN2(config-if)#ip acce
ADMIN2(config-if)#ip access-group test812.in in
ADMIN2(config-if)#end
ADMIN2#sh ip int vlan 812
Vlan812 is up, line protocol is up
  Internet address is 192.168.210.21/28
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.2 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is test812.in
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP Feature CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  Sampled Netflow is disabled
  IP multicast multilayer switching is disabled
ADMIN2#sh ip access test812.in
Extended IP access list test812.in
    permit ip any any (23 matches)
ADMIN2(config)#ip access-list ex test812.in
ADMIN2(config-ext-nacl)#permit ip any any ref REF
ADMIN2(config-ext-nacl)#no permit ip any any
ADMIN2(config-ext-nacl)#do sh ip access test812.in
Extended IP access list test812.in
    permit ip any any reflect REF (4 matches)
ADMIN2# sh ip nat tran | in udp
udp 11.11.18.9:3450 172.27.72.242:3450 63.210.157.46:13001 63.210.157.46:13001
udp 11.11.18.9:22860 172.27.72.242:22860 64.127.123.234:14280 64.127.123.234:14280
udp 11.11.18.9:22861 172.27.72.242:22861 64.127.123.234:14281 64.127.123.234:14281
udp 11.11.18.9:3450 172.27.72.242:3450 216.82.21.250:13001 216.82.21.250:13001
udp 11.11.18.9:3450 172.27.72.242:3450 8.2.35.16:13000 8.2.35.16:13000
udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.102:3478 70.42.62.102:3478
udp 11.11.18.9:22861 172.27.72.242:22861 70.42.62.102:3478 70.42.62.102:3478
udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.103:3478 70.42.62.103:3478
udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.102:3478 70.42.62.102:3478
udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.103:3478 70.42.62.103:3478
udp 11.11.18.9:22891 172.27.72.242:22891 70.42.62.102:3478 70.42.62.102:3478

Can anybody help me explain the difference between no access list,
"permit ip any any" and "permit ip any any ref REF" when only an ingress ACL
is applied? Thanks.

Thanks & Regards,
Xiangling

Blogs and organic groups at http://www.ccie.net
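The following is an added example for this thread, not code from the original post or from Cisco. It re-implements Cisco extended-ACL first-match semantics (wildcard masks, `any`, an optional `eq <port>`, and the implicit deny at the end) and applies the WLAN-ADMIN2 route-map ACL exactly as posted to constructed flows, so you can see which flows the route-map selects for translation: per the ACL, a UDP flow from a 172.27.x.x client to a public address falls through to the final `permit`, so the ACL itself is not what was excluding UDP. A second helper counts entries per protocol in `show ip nat translations` output, the check that exposed the symptom in the post. The port-keyword table is a small assumed subset of the IOS names, and the sample NAT table is constructed (two UDP lines from the post plus one made-up TCP line with a documentation-range address).

```python
"""Which WLAN flows does the NAT route-map ACL WLAN-ADMIN2 select?

Added example, not from the original post: Cisco extended-ACL first-match
semantics applied to the posted ACL, plus a per-protocol count of
'show ip nat translations' entries (the check used in the post).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The route-map ACL exactly as it appears in the post.
WLAN_ADMIN2 = """
 deny ip 172.27.0.0 0.0.255.255 11.11.0.0 0.0.255.255
 deny tcp 172.27.0.0 0.0.255.255 any eq www
 deny ip 172.27.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 172.27.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 172.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 172.27.0.0 0.0.255.255 any log
"""

# Assumed subset of the IOS port keywords; extend as needed.
PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; "tcp"/"udp"/"icmp" only that one
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int] = None   # set only when the ACE carries 'eq <port>'


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (address, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text):
    """Turn an 'ip access-list extended' body into an ordered list of ACEs."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                      # blank line or 'remark'
        src, src_wild, i = _addr(t, 2)
        dst, dst_wild, i = _addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":   # trailing 'log' and friends are ignored
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[0], t[1], src, src_wild, dst, dst_wild, port))
    return aces


def _wild_match(addr, base, wildcard):
    """Wildcard bits set to 1 are don't-care; the other bits must be equal."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_action(aces, proto, src_ip, dst_ip, dst_port=None):
    """First matching ACE decides; falling off the end is the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_wild_match(s, ace.src, ace.src_wild)
                and _wild_match(d, ace.dst, ace.dst_wild)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


ACES = parse_acl(WLAN_ADMIN2)


def will_translate(proto, src_ip, dst_ip, dst_port=None):
    """True when route-map MAP-ADMIN2 (match ip address WLAN-ADMIN2) selects the flow."""
    return acl_action(ACES, proto, src_ip, dst_ip, dst_port) == "permit"


def nat_protocol_counts(show_output):
    """Count 'show ip nat translations' entries per protocol.
    TCP present with UDP absent is the condition the post observed."""
    counts = {}
    for line in show_output.splitlines():
        t = line.split()
        if len(t) == 5 and t[0] in ("tcp", "udp", "icmp"):
            counts[t[0]] = counts.get(t[0], 0) + 1
    return counts


# Constructed sample: two UDP lines from the post, one made-up TCP line
# (203.0.113.10 is a documentation address, an assumption).
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local        Outside local        Outside global
tcp 11.11.18.9:49152   172.27.72.242:49152 203.0.113.10:443     203.0.113.10:443
udp 11.11.18.9:3450    172.27.72.242:3450  63.210.157.46:13001  63.210.157.46:13001
udp 11.11.18.9:22860   172.27.72.242:22860 70.42.62.102:3478    70.42.62.102:3478
"""

if __name__ == "__main__":
    print(will_translate("udp", "172.27.72.242", "70.42.62.102", 3478))  # True
    print(will_translate("tcp", "172.27.72.242", "203.0.113.10", 80))   # False
    print(will_translate("udp", "172.27.72.242", "10.1.1.1", 53))       # False
    print(nat_protocol_counts(SAMPLE_NAT_TABLE))                         # {'tcp': 1, 'udp': 2}
```

Note that `deny tcp ... eq www` excludes only TCP port 80 from translation; UDP to the STUN servers in the post (port 3478) and any other non-RFC1918 destination matches the final `permit ip ... any`, so a missing UDP entry in the translation table has to be explained by something other than the route-map ACL.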



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST