GroupStudy.com GroupStudy.com - A virtual community of network engineers
Re: Reflexive ACLs [7:131785] posted 07/02/2008


Local traffic is not considered incoming and therefore the reflexive 
list can't allow it inbound.
One of the solutions is to explicitly allow it inbound or, if you're 
prohibited, you could do local PBR (to a loopback interface; from there 
it'll be considered local traffic by the reflexive ACL).


Regards,
Rado


Alexandre Ribeiro wrote:
> Hello all,
>
> I have the following access-lists defined:
>
> Extended IP access list ANALYZE
>     10 permit icmp any any reflect REFLEXIVE (5 matches)
>     20 permit udp any any reflect REFLEXIVE
>     30 permit tcp any any reflect REFLEXIVE (17 matches)
>     40 deny ip any any log
>
> Extended IP access list FIREWALL
>     5 permit icmp any any echo-reply
>     10 permit udp any any eq rip (171 matches)
>     20 permit tcp any any eq bgp
>     30 permit tcp any eq bgp any (63 matches)
>     40 permit tcp any eq telnet any (64 matches)
>     60 evaluate REFLEXIVE
>     70 deny ip any any log (80 matches)
>
>
> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound
> of e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2) but...
>
> when I do a local ping to E0/0 the packets are denied (!). If I add a line
> to FIREWALL:
>
> 7 permit icmp any any echo
>
> the ping works.
>
>
> How does a router process a ping to a local interface? Does it consider
> locally originated traffic as inbound traffic? This is the only explanation
> I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
>
> Thanks to anyone that can shed a light into this.
>
> Regards,
> Alex
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=131785&t=131785
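To make the behaviour discussed in this thread concrete, here is an added toy model (not Cisco's code and not from either poster) of one interface with a reflect ACL outbound and an evaluate line inbound. It assumes, as Rado describes, that packets the router generates itself are not evaluated by the outbound ACL and therefore get no reflexive entry; the addresses and ports are constructed.

```python
from dataclasses import dataclass

ICMP_REPLY = {8: 0}  # echo -> echo-reply; the only ICMP pairing this model needs

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int           # for icmp: message type (8 = echo, 0 = echo-reply)
    dport: int           # for icmp: unused, 0
    local: bool = False  # True when the router itself generated the packet

class ReflexiveFirewall:
    """Toy model of one interface: reflect ACL outbound, evaluate inbound."""

    def __init__(self):
        self.reflexive = set()       # temporary entries for expected replies
        self.static_inbound = set()  # explicit inbound permits (proto, sport, dport)

    def outbound(self, pkt: Packet) -> str:
        # Only transit traffic is evaluated by the outbound ACL; packets the
        # router generates itself bypass it, so nothing is reflected for them.
        if pkt.local:
            return "bypassed"
        if pkt.proto == "icmp":  # reflect the reply type instead of swapped ports
            entry = ("icmp", pkt.dst, pkt.src, ICMP_REPLY.get(pkt.sport, pkt.sport), 0)
        else:
            entry = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.reflexive.add(entry)
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.sport, pkt.dport) in self.static_inbound:
            return "permit-static"
        if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.reflexive:
            return "permit-reflexive"
        return "deny"  # the final "deny ip any any log" in FIREWALL

def local_ping_demo():
    """Transit traffic is reflected; the router's own ping to its interface is not."""
    fw = ReflexiveFirewall()
    fw.outbound(Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 23))
    transit = fw.inbound(Packet("tcp", "192.0.2.10", "10.0.0.5", 23, 40000))
    echo = Packet("icmp", "10.0.0.1", "10.0.0.1", 8, 0, local=True)
    fw.outbound(echo)               # bypassed: no reflexive entry is created
    before = fw.inbound(echo)       # presented to the inbound ACL: denied
    fw.static_inbound.add(("icmp", 8, 0))  # the "7 permit icmp any any echo" fix
    after = fw.inbound(echo)
    return transit, before, after
```

Running `local_ping_demo()` returns `("permit-reflexive", "deny", "permit-static")`: the telnet reply is matched by the reflected entry, the router's own echo is denied, and the explicit inbound permit is what lets it through.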