From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Mon Feb 23 2009 - 21:50:49 ARST
Mohamed,
R2 cannot telnet to R3 since the traffic sourced from the router itself
does not hit access-list REFLEXIVE-OUT, so it will not be allowed to get back.
There are some tips to allow it. You could make the traffic go through L0 so that
it can match ACL REFLEXIVE-OUT using local policy. Just browse the
GS mails and find what you are looking for,
Regards
----- Original Message -----
From: "Mohamed Tandou" <dtandou@gmail.com>
To: <ccielab@groupstudy.com>
Sent: Monday, February 23, 2009 12:39 PM
Subject: REFLEXIVE ACL
> Hello GS,
> I tried a reflexive ACL from Soup to Nut. Below are the requirements:
> R1 and R2 belong to companyA.
> R3 and R4 belong to companyB.
> R2 is the border router that connects these companies to each other.
> R2 should be configured such that it allows the return traffic for the
> following protocols:
> - R2 should allow the return HTTP traffic that is originated locally or by R1.
> - R2 should allow the return Telnet traffic that is originated locally or by R1.
> - R2 should allow the return FTP traffic that is originated locally or by R1.
> - R2 should allow the OSPF traffic into the netw
> I am not using R4 in my scenario, and I am also using EIGRP.
> Below is my configuration.
> I can telnet from R1 to R3.
> I can't telnet from R2 to R3. Is this the way it is supposed to be?
>
> Please let me know
>
> Thanks
>
> Moh
>
>
> R1(fa0/0)-------(fa0/0)R2(fa1/0)-------(fa0/0)R3
>
>
> R2
>
> Int fa1/0
> ip access-group REFLEXIVE-OUT out
> ip access-group REFLEXIVE-IN in
>
>
> ip access-list extended REFLEXIVE-OUT
> permit tcp any any eq www reflect TEST
> permit tcp any any eq ftp reflect TEST
> permit tcp any any eq telnet reflect TEST
> permit eigrp any any
>
> ip access-list extended REFLEXIVE-IN
> permit eigrp any any
> evaluate TEST
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST
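
The local-policy workaround mentioned in the reply, written out as an added example (not configuration posted by anyone in the thread): R2's own HTTP, FTP and Telnet packets are policy-routed to Loopback0 so that they are handled as transit traffic and matched by REFLEXIVE-OUT. The names LOCAL-ORIGINATED and LOCAL-VIA-LOOPBACK and the Loopback0 address are assumptions.

```cisco
! Added example for R2. LOCAL-ORIGINATED, LOCAL-VIA-LOOPBACK and the
! Loopback0 address are hypothetical; REFLEXIVE-OUT, REFLEXIVE-IN and TEST
! are the names used in the original post.
!
! Loopback0 only has to be up with an IP address (constructed value).
interface Loopback0
 ip address 10.255.255.2 255.255.255.255
!
! Select the router's own sessions that need a reflected return entry.
! EIGRP is not listed: the static "permit eigrp any any" lines in
! REFLEXIVE-OUT and REFLEXIVE-IN already cover it in both directions.
ip access-list extended LOCAL-ORIGINATED
 permit tcp any any eq www
 permit tcp any any eq ftp
 permit tcp any any eq telnet
!
! Locally generated packets bypass the outbound ACL on the egress
! interface, so no TEST entry is created and the reply is dropped by
! REFLEXIVE-IN. Sending them to Loopback0 first makes them re-enter the
! router as received traffic; they are then routed out fa1/0, checked by
! REFLEXIVE-OUT, and the "reflect TEST" entry is created.
route-map LOCAL-VIA-LOOPBACK permit 10
 match ip address LOCAL-ORIGINATED
 set interface Loopback0
!
! Apply the route-map to packets generated by the router itself.
ip local policy route-map LOCAL-VIA-LOOPBACK
```

After a Telnet from R2 to R3, `show ip local policy` confirms the route-map is applied and `show ip access-lists TEST` should list the temporary reflected entry for that session.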