Re: issue with reflexsive access-list

Since your config appears to be for a top-secret organization (and
therefore cannot be shared) :-)

Try this:

1. set the next hop (more preferrably, set the interface in the PBR as the
loopback interface).
2. apply the 'ip access-list extended inside_in' on the loopback
interface.

This means your local traffic would hit your reflexive ACL and it should
work. Let us know what happens.

Sadiq

On Tue, Jul 31, 2012 at 3:24 PM, shekhar sharma
<shekhar.sharma21_at_gmail.com>wrote:

> i have tried it with next-hop 150.1.1.1 tooo already...
>
> still the same issue ... :(
>
> On Tue, Jul 31, 2012 at 6:22 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:
>
>> As far as I can see, 150.1.1.1 is a connected interface, but not
>> 150.1.1.254. When you do a show ip route 150.1.1.254, is falls under
>> 150.1.1.0/24, which is right. But that fact does not confirm if
>> 150.1.1.254 is a connected andvalid next hop for your PBR.
>>
>> Can we see the full config on R1?
>>
>>
>> On Tue, Jul 31, 2012 at 3:08 PM, shekhar sharma <
>> shekhar.sharma21_at_gmail.com> wrote:
>>
>>> Nops buddy...
>>>
>>> it is a connected interface
>>>
>>>
>>> R1#sh ip route 150.1.1.254
>>> Routing entry for 150.1.1.0/24
>>> Known via "connected", distance 0, metric 0 (connected, via interface)
>>> Redistributing via eigrp 100
>>> Routing Descriptor Blocks:
>>> * directly connected, via Loopback0
>>> Route metric is 0, traffic share count is 1
>>> R1#sh run itnloo
>>> R1#sh run int loo
>>> R1#sh run int loopback 0
>>> Building configuration...
>>> Current configuration : 63 bytes
>>> !
>>> interface Loopback0
>>> ip address 150.1.1.1 255.255.255.0
>>> end
>>>
>>> On Tue, Jul 31, 2012 at 6:03 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:
>>>
>>>> Hi Shekhar,
>>>>
>>>> Can we see the full config please? Is the next hop (150.1.1.254) on R1
>>>> or another box which is the next hop? I suspect this is the reason (and
>>>> from what I see, its working as expected).
>>>>
>>>> If my assumption is right, then your local-policy is not making your
>>>> locally generated traffic hit the reflexive ACL (outside_in), mainly
>>>> because this does not pass through the inside_in ACL, to generate an entry
>>>> in the reverse direction.
>>>>
>>>> Anyway, hope that helps abit.
>>>>
>>>> Sadiq
>>>>
>>>> On Tue, Jul 31, 2012 at 2:56 PM, shekhar sharma <
>>>> shekhar.sharma21_at_gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>>
>>>>> facing some issue with reflexsive access-list.
>>>>>
>>>>> The inbound to outbound & vice-versa restrictions is working fine....
>>>>>
>>>>> But not able to rectify router local generated traffic (ping & telnet)
>>>>> for
>>>>> mangement......after applying local policy..
>>>>>
>>>>> i am missing something basic here ... kindly help..
>>>>>
>>>>> configs :-
>>>>> 1) ip access-list extended inside_in
>>>>> permit ip any any reflect test
>>>>> 2) ip access-list extended outside_in
>>>>> permit eigrp any any
>>>>> evaluate test
>>>>>
>>>>> 3)ip access-list extended icmp_telnet
>>>>> permit tcp any any eq telnet
>>>>> permit icmp any any
>>>>>
>>>>> 4)#sh route-map
>>>>> route-map local, permit, sequence 10
>>>>> Match clauses:
>>>>> ip address (access-lists): icmp_telnet
>>>>> Set clauses:
>>>>> ip next-hop 150.1.1.254
>>>>> Policy routing matches: 119 packets, 7318 bytes
>>>>>
>>>>> 5)ip local policy route-map local
>>>>>
>>>>>
>>>>>
>>>>> R1#ping 150.1.3.3
>>>>> Type escape sequence to abort.
>>>>> Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
>>>>> .....
>>>>> Success rate is 0 percent (0/5)
>>>>> R1#
>>>>> R1#
>>>>> R1#
>>>>> R1#
>>>>> R1#telnet 150.1.3.3
>>>>> Trying 150.1.3.3 ...
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> CCIEx2 (R&S|Sec) #19963
>>>>
>>>
>>>
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>
>

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net