Re: Reflexive! posted 07/30/2005


As I said, the hole only lets icmp echo responses back. You are trying
to send icmp echo through the hole from the outside. No go :)

Ashok CCIE wrote:
> I am also facing same issue here. May I know the
> solution here?
> 
> My config and topology is as follows:
> 
> R1 ---(eo) R2 --- R5
> 
> I am pinging R1 from R2 first and then try to ping R5
> from R1.
> 
> Configs are:
> ~~~~
> R2#
> ip access-list extended incom
>  permit ospf any any
>  permit pim any any
>  permit igmp any any
>  evaluate ICMP
>  evaluate TCP_TRA
> 
> ip access-list extended outbound
>  permit tcp any any reflect TCP_TRA
>  permit icmp any any reflect ICMP
>  permit icmp any any echo reflect ICMP
>  permit icmp any any echo-reply reflect ICMP
> 
> interface Ethernet0
>  ip address 172.30.12.2 255.255.255.192
>  ip access-group incom in
>  ip access-group outbound out
>  ip pim sparse-mode
> end
> 
> R2#
> ~~~~
> 
> R5#ping 192.168.1.1 source 192.168.5.5
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
> Packet sent with a source address of 192.168.5.5
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/76 ms
> R5# 
> 
> R2#sh access-lists
> Reflexive IP access list ICMP
>     permit icmp host 192.168.1.1 host 192.168.5.5  (10 matches) (time left 118)
> Reflexive IP access list TCP_TRA
> Extended IP access list incom
>     permit ospf any any (440 matches)
>     permit pim any any (143 matches)
>     permit igmp any any (142 matches)
>     evaluate ICMP
>     evaluate TCP_TRA
> Extended IP access list outbound
>     permit tcp any any reflect TCP_TRA
>     permit icmp any any reflect ICMP
>     permit icmp any any echo reflect ICMP
>     permit icmp any any echo-reply reflect ICMP
> R2#
> 
> 
> Now ping from R1
> 
> R1#ping 192.168.5.5 source 192.168.1.1
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
> Packet sent with a source address of 192.168.1.1
> U.U.U
> Success rate is 0 percent (0/5)
> R1#
> 
> Why is this so?
> 
> 
> 
> Thanks & Regards, 
> 
> Ashok M A 
> 
> 
> 
> 
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of Carlos G Mendioroz
> Sent: Monday, June 07, 2004 9:05 PM
> To: John Underhill
> Cc: Nancy Khln; ccielab@xxxxxxxxxxxxxx
> Subject: Re: Reflexive!
> 
> That would be too much info for reflexive ACLs.
> (sessions that is)
> 
> What seems to be happening is that the reflexive list
> not only contains the protocol (icmp) source and
> destination, but also the icmp code that is "open" by
> the reflect.
> 
> I tested that even though the ping (icmp echo) cannot
> pass during the hole's life, an icmp echo-response can.
> No doubt, reflect is more complex than it seems...
> 
> John Underhill wrote:
> 
>>I think the reflexive access list is evaluating against a session
>>initiated from inside the network during the echo exchange. When you
>>are pinging the router from outside the network, it is not the same
>>session, but one originated from a different source, evaluated, and
>>discarded because ICMP is not permitted on the inbound access list.
> 
>>
>>----- Original Message -----
>>From: "Nancy Khln" <nancy_merill@xxxxxxxxx>
>>To: <ccielab@xxxxxxxxxxxxxx>
>>Sent: Saturday, June 05, 2004 2:09 PM
>>Subject: Reflexive!
>>
>>>Hi,
>>>
>>>Couple of questions regarding Reflexive ACL, here is the scenario:
>>>
>>>R1-s0(11.11.11.2)---------------------s1--R2--e0----------------------BB3
>>>                                                    ---l0(51.1.1.1)---
>>>
>>>For testing reasons, I am running RIP&BGP between R2 and BB3. Before I
>>>configured my Reflexive ALs I am able to ping everything from
>>>everywhere; once the Reflexive AL are in place, I am able to ping BB3
>>>from R1, as traffic is leaving the network it is "reflected" to the
>>>state table.
>>>The ICMP traffic, when it tries to come back in, is "evaluated" to see
>>>if there is a previous entry in the state table; it finds the entry and
>>>it goes through, the ping is successful. Am I correct?
>>>
>>>R1#ping 51.1.1.1
>>>Type escape sequence to abort.
>>>Sending 5, 100-byte ICMP Echos to 51.1.1.1, timeout is 2 seconds:
>>>!!!!!
>>>Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/40 m
>>>
>>>Now from BB3 I am trying to ping R1's s0; I was expecting to get a
>>>response since there is a previously created entry in the table. It
>>>DOES NOT; I am getting unreachable.
>>>
>>>Type escape sequence to abort.
>>>Sending 5, 100-byte ICMP Echos to 11.11.11.2, timeout is 2 seconds:
>>>U.U.U
>>>Success rate is 0 percent (0/5)
>>>
>>>Here is R2's config
>>>
>>>interface Ethernet0/0
>>>ip address 14.14.14.1 255.255.255.0
>>>ip access-group INBOUND in
>>>ip access-group OUTBOUND out
>>>!
>>>Extended IP access list INBOUND
>>>   permit udp any any (104 matches)
>>>   permit tcp any any (68 matches)
>>>   evaluate TRAFFIC
>>>   deny ip any any (44 matches)
>>>Extended IP access list OUTBOUND
>>>   permit udp any any reflect TRAFFIC
>>>   permit tcp any any reflect TRAFFIC
>>>   permit icmp any any reflect TRAFFIC
>>>Reflexive IP access list TRAFFIC
>>>   permit icmp host 51.1.1.1 host 11.11.11.2  (11 matches) (time left 158)
>>>R2#
>>>As long as I have this temporary entry in the state table I should be
>>>able to ping 11.11.11.2 from BB3. Am I correct? I should not be allowed
>>>to ping anything else on the network from BB3; from R2 I am not able to
>>>ping BB3, this is OK, the OUTBOUND list doesn't affect locally generated
>>>packets.
>>>Do I need to add in the INBOUND list permit ICMP!!!!!! This would
>>>defeat its purpose, wouldn't it? and allow everything to go through.....
>>>Please advise.
>>>Thank you
>>>Nancy
> 

-- 
Carlos G Mendioroz  <tron@xxxxxxxxxxx>  LW7 EQI  Argentina
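The matching behaviour Carlos describes, as an added teaching model that is not IOS code and not from the original thread: an outbound echo that hits a `reflect` line opens a temporary entry with the addresses swapped and only the echo-reply direction permitted, so Ashok's echo from R1 toward R5 is dropped even though the hosts match the entry shown by `sh access-lists`. The reply-type table, the timeout values and the `now` clock are assumptions; the addresses are the ones from Ashok's post.

```python
"""Teaching model of reflexive-ACL matching for ICMP (not IOS code).

'permit icmp ... reflect NAME' installs a temporary entry in NAME with the
addresses swapped and, as observed in the thread, only the reply type open;
'evaluate NAME' checks inbound packets against it. Timeouts are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

# ICMP request type -> the reply type the reflexive entry opens (assumption)
ICMP_REPLY_OF = {"echo": "echo-reply", "timestamp": "timestamp-reply"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str  # e.g. "echo" or "echo-reply"


class ReflexiveAcl:
    """State table filled by 'reflect' and consulted by 'evaluate'."""
    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.entries: Dict[Tuple[str, str, str], int] = {}  # key -> expiry

    def reflect(self, pkt: Packet, now: int = 0) -> None:
        """Outbound packet matched a reflect line: open the reverse path."""
        reply = ICMP_REPLY_OF.get(pkt.icmp_type)
        if reply is None:
            return  # a reply or error message does not open a new hole
        self.entries[(pkt.dst, pkt.src, reply)] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int = 0) -> bool:
        """Inbound packet: permitted only by a live, exactly matching entry."""
        expiry = self.entries.get((pkt.src, pkt.dst, pkt.icmp_type))
        return expiry is not None and now < expiry


def ashok_scenario(timeout: int = 120) -> Tuple[bool, bool, bool]:
    """R5 (192.168.5.5) pings R1 (192.168.1.1) via R2's e0, then R1 pings R5."""
    acl = ReflexiveAcl(timeout)
    # 'outbound' on e0: R5's echo leaves toward R1 and is reflected
    acl.reflect(Packet("192.168.5.5", "192.168.1.1", "echo"), now=0)
    # 'incom' on e0: R1's echo-reply matches the temporary entry -> '!!!!!'
    reply_ok = acl.evaluate(Packet("192.168.1.1", "192.168.5.5", "echo-reply"), now=1)
    # R1's own echo toward R5: same hosts, wrong ICMP type -> 'U.U.U'
    echo_ok = acl.evaluate(Packet("192.168.1.1", "192.168.5.5", "echo"), now=1)
    # after the entry ages out even the reply direction is closed again
    late_ok = acl.evaluate(Packet("192.168.1.1", "192.168.5.5", "echo-reply"), now=200)
    return reply_ok, echo_ok, late_ok  # (True, False, False)
```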