As far as I can see, 150.1.1.1 is a connected interface, but not
150.1.1.254. When you do a show ip route 150.1.1.254, it falls under
150.1.1.0/24, which is right. But that fact does not confirm if 150.1.1.254
is a connected and valid next hop for your PBR.
Can we see the full config on R1?
On Tue, Jul 31, 2012 at 3:08 PM, shekhar sharma
<shekhar.sharma21_at_gmail.com> wrote:
> Nops buddy...
>
> it is a connected interface
>
>
> R1#sh ip route 150.1.1.254
> Routing entry for 150.1.1.0/24
> Known via "connected", distance 0, metric 0 (connected, via interface)
> Redistributing via eigrp 100
> Routing Descriptor Blocks:
> * directly connected, via Loopback0
> Route metric is 0, traffic share count is 1
> R1#sh run itnloo
> R1#sh run int loo
> R1#sh run int loopback 0
> Building configuration...
> Current configuration : 63 bytes
> !
> interface Loopback0
> ip address 150.1.1.1 255.255.255.0
> end
>
> On Tue, Jul 31, 2012 at 6:03 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> Hi Shekhar,
>>
>> Can we see the full config please? Is the next hop (150.1.1.254) on R1 or
>> another box which is the next hop? I suspect this is the reason (and from
>> what I see, it's working as expected).
>>
>> If my assumption is right, then your local-policy is not making your
>> locally generated traffic hit the reflexive ACL (outside_in), mainly
>> because this does not pass through the inside_in ACL, to generate an entry
>> in the reverse direction.
>>
>> Anyway, hope that helps a bit.
>>
>> Sadiq
>>
>> On Tue, Jul 31, 2012 at 2:56 PM, shekhar sharma <
>> shekhar.sharma21_at_gmail.com> wrote:
>>
>>> Hi guys,
>>>
>>>
>>> Facing some issue with reflexive access-list.
>>>
>>> The inbound to outbound & vice-versa restrictions are working fine...
>>>
>>> But I am not able to rectify router locally generated traffic (ping & telnet)
>>> for management... after applying local policy.
>>>
>>> I am missing something basic here... kindly help.
>>>
>>> configs :-
>>> 1) ip access-list extended inside_in
>>> permit ip any any reflect test
>>> 2) ip access-list extended outside_in
>>> permit eigrp any any
>>> evaluate test
>>>
>>> 3) ip access-list extended icmp_telnet
>>> permit tcp any any eq telnet
>>> permit icmp any any
>>>
>>> 4) #sh route-map
>>> route-map local, permit, sequence 10
>>> Match clauses:
>>> ip address (access-lists): icmp_telnet
>>> Set clauses:
>>> ip next-hop 150.1.1.254
>>> Policy routing matches: 119 packets, 7318 bytes
>>>
>>> 5) ip local policy route-map local
>>>
>>>
>>>
>>> R1#ping 150.1.3.3
>>> Type escape sequence to abort.
>>> Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
>>> .....
>>> Success rate is 0 percent (0/5)
>>> R1#
>>> R1#
>>> R1#
>>> R1#
>>> R1#telnet 150.1.3.3
>>> Trying 150.1.3.3 ...
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>
>
--
CCIEx2 (R&S|Sec) #19963

Received on Tue Jul 31 2012 - 15:22:44 ART
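The mechanism Sadiq describes above, as an added example that is not part of the thread: a small Python model of a reflexive ACL. Traffic that enters through inside_in gets a mirrored entry, so its return traffic passes `evaluate test` on outside_in; R1's own ping and telnet are never received inbound on the inside interface (local policy routing only changes their next hop), so no entry is reflected and the replies hit the implicit deny. The `ReflexiveAcl` class, the `Packet` type and the addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: protocol, addresses and ports (0 for ICMP/EIGRP)."""
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ReflexiveAcl:
    """Models 'permit ip any any reflect test' on inside_in and
    'permit eigrp any any' + 'evaluate test' on outside_in (hypothetical model)."""

    def __init__(self):
        # Temporary entries keyed on the *reversed* 5-tuple of the outbound packet.
        self.entries = set()

    def reflect(self, pkt):
        # inside_in, inbound on the inside interface: create the mirrored entry
        # that will permit the reply coming back in on the outside interface.
        self.entries.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))

    def evaluate(self, pkt):
        # outside_in: static 'permit eigrp any any' first, then 'evaluate test',
        # then the implicit deny at the end of the ACL.
        if pkt.proto == "eigrp":
            return True
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries


def transit_flow(acl, proto, inside_host, outside_host, sport=0, dport=0):
    """A host behind R1 sends out through inside_in; its reply is checked at outside_in."""
    acl.reflect(Packet(proto, inside_host, outside_host, sport, dport))
    reply = Packet(proto, outside_host, inside_host, dport, sport)
    return acl.evaluate(reply)


def router_originated_flow(acl, proto, router_ip, outside_host, sport=0, dport=0):
    """R1 itself sends: 'ip local policy' sets the next hop, but the packet is never
    received inbound on the inside interface, so reflect() is never called."""
    reply = Packet(proto, outside_host, router_ip, dport, sport)
    return acl.evaluate(reply)
```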