Re: Reflexive ACLs [7:131802] posted 07/03/2008
- Subject: Re: Reflexive ACLs [7:131802]
- From: "Alhagie Puye" <alhagie@xxxxxxxxx>
- Date: Thu, 3 Jul 2008 10:36:15 -0400
Yes, I have experienced this exact same problem.
Try running "debug ip packet detail". I discovered this in one of my
labs and I was shocked.
It would appear that even for Ethernet interfaces, when you ping "your
own IP address", the packets *in fact* leave the router and come back
and are caught by the inbound ACL. I thought it was strange. I
understand this for a point-to-point interface, not for Ethernet.
On Thu, Jul 3, 2008 at 4:52 AM, Alexandre Ribeiro wrote:
> Ok, I understand this, and because of that on the incoming access-list I'm
> allowing echo-reply packets. Another method as pointed out would be to set
> local policy to set the output interface to lo0, so that the traffic would
> be reflected.
> However I wanted to do this without using local policy, so I explicitly
> allowed echo-reply on the outside interface, on the incoming direction, so
> that these packets would be allowed in. What I'm seeing is that they
> are indeed allowed in, but I also need to allow echos in, since when I'm
> pinging a local interface (in this case e0/0) the ping appears to the router
> as coming from the outside.
> Hasn't anyone ever experienced this?
> On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer wrote:
>> Reflexive ACLs do not work on the local router itself, unless you source
>> them from an "inside" interface. With your configuration, your outgoing
>> packets are not reflected, and therefore are not evaluated by the incoming
>> firewall ruleset.
>> Alexandre Ribeiro wrote:
>>> Hello all,
>>> I have the following access-lists defined:
>>> Extended IP access list ANALYZE
>>> 10 permit icmp any any reflect REFLEXIVE (5 matches)
>>> 20 permit udp any any reflect REFLEXIVE
>>> 30 permit tcp any any reflect REFLEXIVE (17 matches)
>>> 40 deny ip any any log
>>> Extended IP access list FIREWALL
>>> 5 permit icmp any any echo-reply
>>> 10 permit udp any any eq rip (171 matches)
>>> 20 permit tcp any any eq bgp
>>> 30 permit tcp any eq bgp any (63 matches)
>>> 40 permit tcp any eq telnet any (64 matches)
>>> 60 evaluate REFLEXIVE
>>> 70 deny ip any any log (80 matches)
>>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound
>>> direction of e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2),
>>> but when I do a local ping to E0/0 the packets are denied (!). If I add a
>>> line to FIREWALL:
>>> 7 permit icmp any any echo
>>> the ping works.
>>> How does a router process a ping to a local interface? Does it consider
>>> locally originated traffic as inbound traffic? This is the only
>>> explanation I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
>>> Thanks to anyone that can shed a light into this.
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
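For anyone reproducing this in a lab, the following is an added example (it is not from any of the posts above) that puts the thread's diagnostic and both workarounds into IOS configuration syntax. The interface addresses (192.0.2.1 on e0/0, 10.255.255.1 on Loopback0), the access-list number 199 and the LOCALLY_ORIGINATED / LOCAL_POLICY names are assumptions; the FIREWALL and ANALYZE lists are the ones Alexandre posted, and the local-policy syntax is the approach the thread mentions, not something the thread verified.

```text
! --- Diagnostic: scope "debug ip packet detail" to the ping so the console
! --- is not flooded. 192.0.2.1 is the assumed e0/0 address.
access-list 199 permit icmp any host 192.0.2.1
access-list 199 permit icmp host 192.0.2.1 any
terminal monitor
debug ip packet 199 detail
! Now "ping 192.0.2.1" and read which interface the packet is seen on and
! which access-list denies it, then "undebug all".
!
! --- Workaround 1 (the one that worked in the thread): explicitly admit
! --- echo requests inbound on e0/0, ahead of the evaluate line.
ip access-list extended FIREWALL
 7 permit icmp any any echo
!
! --- Workaround 2 (local policy, syntax assumed, not verified in the thread):
! --- force router-originated traffic out Loopback0 and apply the reflecting
! --- ACL there, so the returning packet matches a reflected entry on e0/0 in
! --- instead of needing a static "permit icmp any any echo".
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip access-group ANALYZE out
!
ip access-list extended LOCALLY_ORIGINATED
 permit ip any any
!
route-map LOCAL_POLICY permit 10
 match ip address LOCALLY_ORIGINATED
 set interface Loopback0
!
ip local policy route-map LOCAL_POLICY
```

Two cautions if you try the second form: the reflexive entries are keyed by the name REFLEXIVE, so "evaluate REFLEXIVE" on e0/0 will honour entries created on Loopback0, but a catch-all "permit ip any any" in the local policy also redirects the RIP, BGP and Telnet traffic the router itself originates; narrow LOCALLY_ORIGINATED to the traffic you actually want reflected before leaving it in place. And in either form, "debug ip packet" with an access-list still costs CPU on a 3640, so clear it with "undebug all" as soon as you have the answer.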