Re: Reflexive ACLs [7:131785] posted 07/02/2008
- Subject: Re: Reflexive ACLs [7:131785]
- From: "Rado Vasilev" <decklandv@xxxxxxxxx>
- Date: Wed, 2 Jul 2008 13:12:34 -0400
Local traffic is not considered incoming and therefore the reflexive
list can't allow it inbound.
One of the solution is to explicitly allow it inbound or if you're
prohibited you could do local PBR (to a loopback interface; from there
it'll be considered local traffic by the reflexive acl).
Alexandre Ribeiro wrote:
> Hello all,
> I have the following access-lists defined:
> Extended IP access list ANALYZE
> 10 permit icmp any any reflect REFLEXIVE (5 matches)
> 20 permit udp any any reflect REFLEXIVE
> 30 permit tcp any any reflect REFLEXIVE (17 matches)
> 40 deny ip any any log
> Extended IP access list FIREWALL
> 5 permit icmp any any echo-reply
> 10 permit udp any any eq rip (171 matches)
> 20 permit tcp any any eq bgp
> 30 permit tcp any eq bgp any (63 matches)
> 40 permit tcp any eq telnet any (64 matches)
> 60 evaluate REFLEXIVE
> 70 deny ip any any log (80 matches)
> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound
> e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2) but...
> when I do a local ping to E0/0 the packets are denied (!). If I add a line
> to FIREWALL:
> 7 permit icmp any any echo
> the ping works.
> How does a router process a ping to a local interface? Does it consider
> locally originated traffic as inbound traffic? This is the only explanation
> I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
> Thanks to anyone that can shed a light into this.
> Subscription information may be found at:
Message Posted at:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html