Re: issue with reflexive access-list

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 31 Jul 2012 15:03:54 +0100

Hi Shekhar,

Can we see the full config please? Is the next hop (150.1.1.254) on R1 or
another box which is the next hop? I suspect this is the reason (and from
what I see, it's working as expected).

If my assumption is right, then your local-policy is not making your
locally generated traffic hit the reflexive ACL (outside_in), mainly
because this does not pass through the inside_in ACL, to generate an entry
in the reverse direction.

Anyway, hope that helps a bit.

Sadiq

On Tue, Jul 31, 2012 at 2:56 PM, shekhar sharma
<shekhar.sharma21_at_gmail.com>wrote:

> Hi guys,
>
>
> Facing some issue with reflexive access-list.
>
> The inbound-to-outbound & vice-versa restrictions are working fine....
>
> But not able to rectify router local generated traffic (ping & telnet) for
> management... after applying local policy.
>
> I am missing something basic here... kindly help.
>
> configs:
> 1) ip access-list extended inside_in
>     permit ip any any reflect test
> 2) ip access-list extended outside_in
>     permit eigrp any any
>     evaluate test
>
> 3) ip access-list extended icmp_telnet
>     permit tcp any any eq telnet
>     permit icmp any any
>
> 4)#sh route-map
> route-map local, permit, sequence 10
> Match clauses:
> ip address (access-lists): icmp_telnet
> Set clauses:
> ip next-hop 150.1.1.254
> Policy routing matches: 119 packets, 7318 bytes
>
> 5)ip local policy route-map local
>
>
>
> R1#ping 150.1.3.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#
> R1#
> R1#
> R1#
> R1#telnet 150.1.3.3
> Trying 150.1.3.3 ...
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Tue Jul 31 2012 - 15:03:54 ART
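The following is an added example illustrating the point Sadiq makes; it is not configuration from either post in the thread. It assumes R1 has an inside interface Ethernet0/0 on 10.1.1.0/24 and an outside interface Ethernet0/1 at 150.1.1.1/24 with 150.1.1.254 as the next hop, and that inside_in and outside_in are applied inbound on those two interfaces. The interface names, the 10.1.1.0/24 numbering and R1's outside address are assumptions; the ACL names, the route-map and the local policy are the ones posted.

```cisco
! Added example, not from the thread. Interface names, 10.1.1.0/24 and
! 150.1.1.1/24 on R1 are assumed; ACL and route-map names are from the post.
!
! --- Layout as posted (assumed interface placement) ---
! The only "reflect test" clause lives in inside_in, which is applied INBOUND
! on the inside interface. R1's own pings/telnets to 150.1.3.3 never enter
! through Ethernet0/0, so no temporary "test" entry is ever created and the
! "evaluate test" in outside_in drops the replies.
interface Ethernet0/0
 description inside (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip access-group inside_in in
!
interface Ethernet0/1
 description outside, next hop 150.1.1.254 (assumed)
 ip address 150.1.1.1 255.255.255.0
 ip access-group outside_in in
!
! --- Change: reflect in the direction R1's own traffic actually crosses ---
! Router-originated traffic leaves via the outside interface, so the reflect
! clause goes on an ACL applied OUTBOUND there. IOS does not normally run
! router-originated packets through an outbound ACL at all; the
! "ip local policy route-map local" already configured in the post is the
! usual way to force them through it, which is why the local policy is there.
ip access-list extended outside_out
 permit eigrp any any
 permit ip any any reflect test timeout 60
!
! outside_in stays as posted: routing protocol in, then evaluate the
! reflexive entries created by outside_out.
ip access-list extended outside_in
 permit eigrp any any
 evaluate test
!
! inside_in no longer needs its own reflect clause: transit traffic from the
! LAN also exits via Ethernet0/1 and is reflected by outside_out.
ip access-list extended inside_in
 permit ip any any
!
interface Ethernet0/1
 ip access-group outside_out out
 ip access-group outside_in in
!
! Route-map and local policy exactly as in the post; only ping and telnet
! sourced by R1 are policy-routed (and therefore pass the outbound ACL).
ip access-list extended icmp_telnet
 permit tcp any any eq telnet
 permit icmp any any
!
route-map local permit 10
 match ip address icmp_telnet
 set ip next-hop 150.1.1.254
!
ip local policy route-map local
```

To check whether the fix is doing what Sadiq describes, run `ping 150.1.3.3` from R1 and then `show ip access-lists test`: if the reflexive list now holds a temporary entry from 150.1.3.3 back to R1's outside address, router-sourced traffic is crossing the reflecting ACL; if the list is empty after the ping, the locally generated packets are still not passing through the ACL that carries the reflect clause, which is the situation in the original post. `show route-map local` should also show the "Policy routing matches" counter increasing with each ping, confirming the local policy is still catching the traffic.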

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:24 ART