From: ying c (bf5tgh1@xxxxxxxxx)
Date: Wed Aug 07 2002 - 18:27:54 GMT-3
Brian,
Thanks a lot, that fixes the problem.
Chang
--- Brian Dennis <brian@5g.net> wrote:
> Traffic generated by R1 isn't going to be evaluated out and in turn won't
> be let back in. Try testing it from behind R1.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> ying c
> Sent: Wednesday, August 07, 2002 12:40 PM
> To: ccielab@groupstudy.com
> Subject: reflexive access-list
>
> Hi,
>
> Can someone tell me why the following reflexive
> access-list would not work? I'm not even bothering
> to block anything any more; the IOS is 12.1-15:
>
> R1-172.16.10.1-------172.16.10.2--R2
>
> interface Serial0.1 multipoint
> ip address 172.16.10.1 255.255.255.0
> ip access-group allin in <---- IN
> ip access-group allout out <----- OUT
> ip ospf priority 255
> ipx network 12
> frame-relay map ip 172.16.10.1 102 broadcast
> frame-relay map ip 172.16.10.2 102 broadcast
> frame-relay map ip 172.16.10.3 103 broadcast
> frame-relay map ipx 12.0001.0001.0001 102 broadcast
> frame-relay map ipx 12.0002.0002.0002 102 broadcast
> ...
> ip access-list extended allin
> evaluate allpackets <---- evaluate everything
> ip access-list extended allout
> permit tcp any any reflect allpackets <--- tcp
> permit udp any any reflect allpackets <--- udp
> permit icmp any any reflect allpackets <--- icmp
>
> =======================
> run result:
>
> r1#ping 172.16.10.2 <--- Always fails
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> r1#ct <---- remove reflexive access-list
> Enter configuration commands, one per line. End with CNTL/Z.
> r1(config)#int s0.1
> r1(config-subif)#no ip access
> r1(config-subif)#no ip access-group allin in
> r1(config-subif)#no ip access-group allout out
> r1(config-subif)#^Z
> r1#pin
> 07:30:09: %SYS-5-CONFIG_I: Configured from console by console
> r1#ping 172.16.10.2 <--- Ok if no reflexive access-list
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
> r1#
>
> Thanks,
> Chang
>
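Editor's added example (not Chang's or Brian's configuration, and not from the original thread): the same reflexive access-list on R1, with the consequence of Brian's point written into the inbound list. IOS applies an outbound access-group only to traffic the router forwards, never to packets it originates, so a ping typed on R1 creates no reflexive entry and the echo-reply hits the implicit deny at the end of "allin". The two ways out are to test from a host behind R1, or to give router-originated traffic (and the OSPF hellos R2 sends to R1, which the original config would also drop) their own static permits ahead of "evaluate". The inside segment 10.1.1.0/24 on Ethernet0 and the per-protocol timeouts are assumptions for the example; the Serial0.1 addressing is the thread's.

```ios
! Added example, not the original poster's config. Assumes an inside
! LAN 10.1.1.0/24 on Ethernet0 (not in the thread); Serial0.1 is as posted.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0.1 multipoint
 ip address 172.16.10.1 255.255.255.0
 ip access-group allin in
 ip access-group allout out
!
ip access-list extended allout
 ! Only traffic R1 FORWARDS out Serial0.1 is matched here and creates a
 ! temporary entry in "allpackets". Packets R1 itself sends (its own
 ! pings, OSPF hellos) never pass this list, so they reflect nothing.
 ! Timeouts (seconds) are assumed values, not the IOS defaults.
 permit tcp any any reflect allpackets timeout 120
 permit udp any any reflect allpackets timeout 30
 permit icmp any any reflect allpackets timeout 30
!
ip access-list extended allin
 ! Static permits for replies to traffic R1 originates, since no
 ! reflexive entry will ever exist for them. They must come before
 ! "evaluate"; anything unmatched falls through to the implicit deny.
 permit icmp any host 172.16.10.1 echo-reply
 permit icmp any host 172.16.10.1 time-exceeded
 permit icmp any host 172.16.10.1 unreachable
 ! The subinterface runs OSPF (ip ospf priority 255 in the post), so
 ! hellos arriving from R2 need an explicit permit as well.
 permit ospf any any
 ! Finally, return traffic for sessions started from behind R1.
 evaluate allpackets
!
! Test as Brian suggests: from a host in 10.1.1.0/24, ping 172.16.10.2,
! then on R1 run "show ip access-lists allpackets" while the timeout is
! still running to see the temporary entry the outbound ping created.
```

Putting the static permits before "evaluate" is deliberate: IOS processes the inbound list top down, and the temporary entries inserted by "evaluate" only ever describe sessions that were first seen leaving on Serial0.1, which router-generated traffic never is.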
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:19 GMT-3