RE: Effect of using reflexive ACL in a single direction

From: Timothy Chin (Tim@1c-solutions.com)
Date: Thu Dec 04 2008 - 04:43:30 ARST


Disregard the last part about the destination network 11.11.0.0. I
couldn't quite make out the show ip nat translation output at the end of
the message until I was able to cut/paste it into notepad.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Timothy Chin
Sent: Thursday, December 04, 2008 1:34 AM
To: Xiangling; ccielab
Subject: RE: Effect of using reflexive ACL in a single direction

Your reflect statement would have no consequence, since you did not
configure and apply an outbound access-list on the interface with an
"evaluate" statement; therefore it was as if you had just configured a
"permit ip any any" on your inbound access list without the reflect
statement. As far as the UDP is concerned, the first statement on your
access-list for the NAT route-map denies all network address
translations to the destination network 11.11.0.0, which is where the UDP
traffic is going.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Xiangling
Sent: Thursday, December 04, 2008 12:45 AM
To: ccielab
Subject: Effect of using reflexive ACL in a single direction

When I was learning reflexive ACLs, I thought that if you put the ACL on
only a single direction but not on the other direction, it would be treated
the same as a normal ACL (e.g., without the "reflect" keyword). Until
recently, when I met a real case, I found myself wrong:

The topology of the case is shown below:

WLAN Client---WLAN Controller----6509 Switch----6509 Switch---FW and
Router----Internet

The WLAN clients are assigned IP addresses from 172.27.0.0/16, and the NAT
is done on the first 6509 switch connecting to the WLAN controller; the
inside interface connecting to the WLAN controller is configured as below.

!
interface Vlan812
 description ADMIN-WLAN-Controller
 ip address 192.168.210.21 255.255.255.240
 no ip redirects
 ip nat inside
 standby 1 ip 192.168.210.30
 standby 1 priority 120
!
and the NAT configuration is shown below:
!
ip nat pool pool-ADMIN2 11.11.18.1 11.11.18.252 prefix-length 24
ip nat inside source route-map MAP-ADMIN2 pool pool-ADMIN2
!
ip access-list extended WLAN-ADMIN2
 deny ip 172.27.0.0 0.0.255.255 11.11.0.0 0.0.255.255
 deny tcp 172.27.0.0 0.0.255.255 any eq www
 deny ip 172.27.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 172.27.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 172.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 172.27.0.0 0.0.255.255 any log
!
route-map MAP-ADMIN2 permit 10
 match ip address WLAN-ADMIN2
!

With the following configuration, something weird happens: only TCP
traffic is translated, but not the UDP traffic, and this causes some
applications which rely on UDP to fail.

ADMIN2#sh ip nat tran | in udp
ADMIN2#sh ip nat tran | in udp
ADMIN2#sh ip nat tran | in udp

More interestingly, after the following configuration the UDP is now
translated and the applications start to work:

ADMIN2#config t
Enter configuration commands, one per line. End with CNTL/Z.
ADMIN2(config)#ip acce
ADMIN2(config)#ip access-list ex
ADMIN2(config)#ip access-list extended test812.in
ADMIN2(config-ext-nacl)#permit ip any any
ADMIN2(config-ext-nacl)#int vlan 812
ADMIN2(config-if)#ip acce
ADMIN2(config-if)#ip access-group test812.in in
ADMIN2(config-if)#end
ADMIN2#sh ip int vlan 812
Vlan812 is up, line protocol is up
  Internet address is 192.168.210.21/28
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.2 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is test812.in
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP Feature CEF switching turbo vector
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  Sampled Netflow is disabled
  IP multicast multilayer switching is disabled
ADMIN2#sh ip access test812.in
Extended IP access list test812.in
    permit ip any any (23 matches)
ADMIN2(config)#ip access-list ex test812.in
ADMIN2(config-ext-nacl)#permit ip any any ref REF
ADMIN2(config-ext-nacl)#no permit ip any any
ADMIN2(config-ext-nacl)#do sh ip access test812.in
Extended IP access list test812.in
    permit ip any any reflect REF (4 matches)
ADMIN2# sh ip nat tran | in udp
udp 11.11.18.9:3450  172.27.72.242:3450  63.210.157.46:13001  63.210.157.46:13001
udp 11.11.18.9:22860 172.27.72.242:22860 64.127.123.234:14280 64.127.123.234:14280
udp 11.11.18.9:22861 172.27.72.242:22861 64.127.123.234:14281 64.127.123.234:14281
udp 11.11.18.9:3450  172.27.72.242:3450  216.82.21.250:13001  216.82.21.250:13001
udp 11.11.18.9:3450  172.27.72.242:3450  8.2.35.16:13000      8.2.35.16:13000
udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.102:3478    70.42.62.102:3478
udp 11.11.18.9:22861 172.27.72.242:22861 70.42.62.102:3478    70.42.62.102:3478
udp 11.11.18.9:22860 172.27.72.242:22860 70.42.62.103:3478    70.42.62.103:3478
udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.102:3478    70.42.62.102:3478
udp 11.11.18.9:22862 172.27.72.242:22862 70.42.62.103:3478    70.42.62.103:3478
udp 11.11.18.9:22891 172.27.72.242:22891 70.42.62.102:3478    70.42.62.102:3478

Can anybody help me explain the difference between no access list,
"permit ip any any" and "permit ip any any ref REF" when only an ingress
ACL is applied? Thanks.

Thanks & Regards,
Xiangling

Blogs and organic groups at http://www.ccie.net
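Added worked example, not part of the thread and not Cisco IOS code: a small Python model of the two things being argued about above. The first part evaluates the posted NAT ACL WLAN-ADMIN2 with IOS first-match, wildcard-mask semantics, so you can see which entry a given flow hits and therefore whether "ip nat inside source route-map MAP-ADMIN2" would translate it (the UDP flows are taken from the posted "show ip nat translations" output; they hit the final permit, so the NAT ACL itself does not exclude them, which is why the 11.11.0.0 remark was withdrawn). The second part models reflexive-ACL filtering: a "reflect" entry records a mirrored tuple, but nothing consults that tuple unless an ACL on the opposite direction carries a matching "evaluate", so with only an inbound ACL the reflect keyword changes no filtering decision. Names such as Ace, Interface, nat_decision and reflexive_demo are this example's own; the 203.0.113.9 packet is constructed; timeouts, ICMP handling and port ranges are deliberately omitted.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Model 1: first-match evaluation of an IOS extended ACL with wildcard masks,
# applied to the NAT route-map ACL WLAN-ADMIN2 from the thread.
# Model 2: reflexive ACL semantics ("reflect" on one direction is inert unless
# the opposite direction has an ACL with a matching "evaluate").
# Both are simplified illustrations written for this page, not IOS code:
# no reflexive timeouts, no established/ICMP handling, no port ranges.

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: str                         # "net wildcard" or "any"
    dst: str                         # "net wildcard" or "any"
    dst_port: Optional[int] = None   # "eq <port>" on the destination
    reflect: Optional[str] = None    # reflexive list this entry populates
    evaluate: Optional[str] = None   # pseudo-entry: consult that reflexive list

def _wild_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def _ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return _wild_match(ace.src, src) and _wild_match(ace.dst, dst)

def first_match(acl, proto, src, dst, dport=None):
    """Return (index, ace) of the first matching entry, or (None, None) for the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.evaluate is None and _ace_matches(ace, proto, src, dst, dport):
            return idx, ace
    return None, None

# The NAT ACL exactly as posted (the "log" keyword does not affect matching).
WLAN_ADMIN2 = [
    Ace("deny",   "ip",  "172.27.0.0 0.0.255.255", "11.11.0.0 0.0.255.255"),
    Ace("deny",   "tcp", "172.27.0.0 0.0.255.255", "any", dst_port=80),
    Ace("deny",   "ip",  "172.27.0.0 0.0.255.255", "192.168.0.0 0.0.255.255"),
    Ace("deny",   "ip",  "172.27.0.0 0.0.255.255", "172.16.0.0 0.15.255.255"),
    Ace("deny",   "ip",  "172.27.0.0 0.0.255.255", "10.0.0.0 0.255.255.255"),
    Ace("permit", "ip",  "172.27.0.0 0.0.255.255", "any"),
]

def nat_decision(proto, src, dst, dport=None):
    """(translated?, index of the ACE that decided it) for route-map MAP-ADMIN2."""
    idx, ace = first_match(WLAN_ADMIN2, proto, src, dst, dport)
    return (ace is not None and ace.action == "permit", idx)

@dataclass
class Interface:
    """One routed interface with optional in/out ACLs and reflexive state."""
    inbound: Optional[list] = None
    outbound: Optional[list] = None
    reflexive: dict = field(default_factory=dict)   # list name -> set of 5-tuples

    def _filter(self, acl, pkt) -> bool:
        proto, src, sport, dst, dport = pkt
        if acl is None:                   # no access-group applied: everything passes
            return True
        for ace in acl:
            if ace.evaluate is not None:  # "evaluate NAME": only dynamic entries match
                if pkt in self.reflexive.get(ace.evaluate, set()):
                    return True
                continue
            if not _ace_matches(ace, proto, src, dst, dport):
                continue
            if ace.action == "permit" and ace.reflect is not None:
                # record the mirrored tuple so the return packet can be evaluated
                self.reflexive.setdefault(ace.reflect, set()).add((proto, dst, dport, src, sport))
            return ace.action == "permit"
        return False                      # implicit deny at the end of the list

    def packet_in(self, pkt):  return self._filter(self.inbound, pkt)
    def packet_out(self, pkt): return self._filter(self.outbound, pkt)

def reflexive_demo(with_evaluate: bool):
    """Vlan812 with 'permit ip any any reflect REF' inbound; outbound ACL optional.
    Returns (reply_passed, unsolicited_passed) for two outbound packets toward the client."""
    out_acl = [Ace("permit", "ip", "any", "any", evaluate="REF")] if with_evaluate else None
    vlan812 = Interface(inbound=[Ace("permit", "ip", "any", "any", reflect="REF")], outbound=out_acl)
    client_req  = ("udp", "172.27.72.242", 22860, "70.42.62.102", 3478)   # from the posted NAT table
    reply       = ("udp", "70.42.62.102", 3478, "172.27.72.242", 22860)
    unsolicited = ("udp", "203.0.113.9", 53, "172.27.72.242", 9999)       # constructed packet
    assert vlan812.packet_in(client_req)
    return vlan812.packet_out(reply), vlan812.packet_out(unsolicited)

if __name__ == "__main__":
    for flow in [("udp", "172.27.72.242", "70.42.62.102", 3478),
                 ("tcp", "172.27.72.242", "63.210.157.46", 80),
                 ("ip",  "172.27.72.242", "11.11.18.5", None)]:
        print(flow, "->", nat_decision(*flow))
    print("no outbound ACL:", reflexive_demo(False))
    print("outbound evaluate:", reflexive_demo(True))
```

The NAT half only answers "would the route-map match", which is the part of the thread that was retracted; it says nothing about why the 6509 stopped translating UDP until an inbound ACL was added, and the thread does not settle that. The reflexive half makes the other point concrete: with no outbound ACL, both the legitimate reply and the unsolicited packet pass, so the reflect keyword on the inbound list buys no filtering until an outbound ACL with "evaluate REF" exists.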



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST