From: Mohamed Tandou (dtandou@gmail.com)
Date: Tue Feb 24 2009 - 00:08:45 ARST
Thanks a lot, everyone. I tested it and it is working.
Moh
On Mon, Feb 23, 2009 at 6:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> Mohamed,
>
> R2 cannot telnet to R3 since the traffic sourced from the same router
> does not hit access-list REFLEXIVE-OUT, so it will not allow it to get back.
> There are some tips to allow it. You could make the traffic go through L0 so
> that it can match ACL REFLEXIVE-OUT, using local policy. Just browse the
> GS mails and you will find what you are looking for.
>
> Regards
>
> ----- Original Message -----
> From: "Mohamed Tandou" <dtandou@gmail.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, February 23, 2009 12:39 PM
> Subject: REFLEXIVE ACL
>
>
>> Hello GS,
>> I tried a reflexive ACL from Soup to Nut. Below are the requirements:
>> R1 and R2 belong to companyA.
>> R3 and R4 belong to companyB.
>> R2 is the border router that connects these companies to each other.
>> R2 should be configured such that it allows the return traffic for the
>> following protocols:
>> - R2 should allow the return HTTP traffic that is originated locally or by R1.
>> - R2 should allow the return Telnet traffic that is originated locally or by R1.
>> - R2 should allow the return FTP traffic that is originated locally or by R1.
>> - R2 should allow the OSPF traffic into the netw
>> I am not using R4 in my scenario, and I am also using EIGRP.
>> Below is my configuration.
>> I can telnet from R1 to R3.
>> I can't telnet from R2 to R3. Is it the way it is supposed to be?
>>
>> Please let me know
>>
>> Thanks
>>
>> Moh
>>
>>
>> R1(fa0/0)-------(fa0/0)R2(fa1/0)-------(fa0/0)R3
>>
>>
>> R2
>>
>> Int fa1/0
>>  ip access-group REFLEXIVE-OUT out
>>  ip access-group REFLEXIVE-IN in
>>
>>
>> ip access-list extended REFLEXIVE-OUT
>> permit tcp any any eq www reflect TEST
>> permit tcp any any eq ftp reflect TEST
>> permit tcp any any eq telnet reflect TEST
>> permit eigrp any any
>>
>> ip access-list extended REFLEXIVE-IN
>> permit eigrp any any
>> evaluate TEST
>>
>>
Blogs and organic groups at http://www.ccie.net
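
The local-policy workaround mentioned in the reply, as an added IOS configuration example that is not from the original posts: TCP sessions originated by R2 itself are policy-routed through a loopback so that they leave fa1/0 as transit traffic and are inspected by REFLEXIVE-OUT. The names LOCAL-TCP and LOCAL-TO-LOOPBACK and the Loopback0 address are assumptions chosen for illustration.

```cisco
! Added example: names and the loopback address are assumptions, not from the thread.
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
!
! Match only the locally originated sessions that need reflexive entries.
! EIGRP is deliberately not matched, so routing traffic is left alone.
ip access-list extended LOCAL-TCP
 permit tcp any any eq www
 permit tcp any any eq ftp
 permit tcp any any eq telnet
!
! Send those packets to Loopback0 first; they re-enter the router and are then
! forwarded out fa1/0 as transit traffic, where REFLEXIVE-OUT creates the TEST entry.
route-map LOCAL-TO-LOOPBACK permit 10
 match ip address LOCAL-TCP
 set interface Loopback0
!
! Apply the route-map to packets generated by the router itself.
ip local policy route-map LOCAL-TO-LOOPBACK
!
! Checks to run on R2 after opening a telnet session to R3:
!  show ip local policy
!  show ip access-lists TEST
```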
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST