- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: Reflexive ACLs [7:131802] posted 07/03/2008
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Yes, I have experienced this exact same problem.

Try running "debup ip packet detailed". I discovered this in one of my
labs and I was shocked.

It would appear that even for Ethernet interfaces, when you ping "your
own IP address", the packets *infact* leave the router and come back
and are caught by the inbound ACL. I thought it was strange. I
understand this for a point-to-point interface, not for Ethernet


On Thu, Jul 3, 2008 at 4:52 AM, Alexandre Ribeiro
> Ok, I understand this, and because of that on the incoming access-list I'm
> allowing echo-reply packets. Another method as pointed out would be to set
> local policy to set the output interface to lo0, so that the traffic would
> be reflected.
> However I wanted to do this without using local policy, so I explicitly
> allowed echo-reply on the outside interface, on the incoming direction, so
> that these packets would be allowed in. What I'm seeing is that
> are indeed allowed in, but I also need to allow echos in, since when I'm
> pinging a local interface (in this case e0/0) the ping appears to the
> as coming from the outside.
> Hasn't anyone ever experienced this?
> On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer  wrote:
>> Reflexive ACL's do not work on the local router itself, unless you source
>> them from an "inside" interface.  With your configuration, you outgoing
>> packets are not reflected, and therefore are not evaluated by the incoming
>> firewall ruleset.
>> Bill
>> Alexandre Ribeiro wrote:
>>> Hello all,
>>> I have the following access-lists defined:
>>> Extended IP access list ANALYZE
>>>    10 permit icmp any any reflect REFLEXIVE (5 matches)
>>>    20 permit udp any any reflect REFLEXIVE
>>>    30 permit tcp any any reflect REFLEXIVE (17 matches)
>>>    40 deny ip any any log
>>> Extended IP access list FIREWALL
>>>    5 permit icmp any any echo-reply
>>>    10 permit udp any any eq rip (171 matches)
>>>    20 permit tcp any any eq bgp
>>>    30 permit tcp any eq bgp any (63 matches)
>>>    40 permit tcp any eq telnet any (64 matches)
>>>    60 evaluate REFLEXIVE
>>>    70 deny ip any any log (80 matches)
>>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound
>>> of
>>> e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2)
>>> when I do a local ping to E0/0 the packets are denied (!). If I add a
>>> to FIREWALL:
>>> 7 permit icmp any any echo
>>> the ping works.
>>> How does a router process a ping to a local interface? Does it consider
>>> locally originated traffic as inbound traffic? This is the only
>>> explanation
>>> I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
>>> Thanks to anyone that can shed a light into this.
>>> Regards,
>>> Alex
>>> _______________________________________________________________________
>>> Subscription information may be found at:

Message Posted at:
FAQ, list archives, and subscription info: