From: Ahmed Mustafa (ahmed.mustafa@sbcglobal.net)
Date: Sat May 15 2004 - 16:50:07 GMT-3
The task is to prevent hosts from being infected in the network. You have
decided to implement a reflexive access-list on R5's connection to BB2.
Configure R5 to only allow traffic to come in the Ethernet connection to BB2
if it has been originated from inside your network. For connectivity testing
purposes ensure that R5 can ping BB2.

R5 is running a BGP session with BB2. Since the task doesn't ask for any
specific port or protocol, I created this simple access-list. The only
problem is that I can still ping BB2 from local router 5, and my BGP session is
still active with BB2. As you can see, I didn't explicitly allow such an
access-list in my configuration, for testing purposes. If I were able to ping BB2
and configure a BGP relationship with BB2 beyond R5, then it would have made
sense.

permit tcp any any eq bgp
permit tcp any eq bgp any
permit icmp any any echo-reply
evaluate TRAFFIC

Current Access-list:

interface Ethernet0
 ip address 192.10.1.5 255.255.255.0
 ip access-group INB in
 ip access-group OUTB out
ip access-list extended INB
 permit ip any any
 evaluate TRAFFIC
ip access-list extended OUTB
 permit ip any any reflect TRAFFIC
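
The following is an added example, not part of the original post: a simplified Python model of first-match ACL processing with reflect/evaluate, comparing INB as posted, the four entries listed in the post, and a hypothetical evaluate-only list. The BB2 and inside-host addresses, port numbers and all function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model; sport/dport/icmp default to None ("not applicable").
Pkt = namedtuple("Pkt", "proto src dst sport dport icmp", defaults=(None,) * 3)
EVALUATE = ("evaluate",)

def permit(proto, sport=None, dport=None, icmp=None):
    """One 'permit <proto> any any ...' entry; None means 'any'."""
    return ("permit", proto, sport, dport, icmp)

INB_POSTED = [permit("ip"), EVALUATE]   # INB as posted: catch-all above evaluate
INB_LISTED = [permit("tcp", dport=179), permit("tcp", sport=179),
              permit("icmp", icmp="echo-reply"), EVALUATE]  # entries listed in the post
INB_EVAL_ONLY = [EVALUATE]              # hypothetical: reflexive entries only

def reflect(table, pkt, router_originated=False):
    """OUTB 'permit ip any any reflect TRAFFIC'. IOS does not apply an interface's
    outbound ACL to packets the router itself generates, so they are not reflected."""
    if not router_originated:
        table.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))

def inbound(acl, table, pkt):
    """First-match evaluation ending in the implicit deny."""
    for entry in acl:
        if entry == EVALUATE:
            if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in table:
                return "permit"
            continue
        _, proto, sport, dport, icmp = entry
        if (proto in ("ip", pkt.proto) and sport in (None, pkt.sport)
                and dport in (None, pkt.dport) and icmp in (None, pkt.icmp)):
            return "permit"
    return "deny"

def demo():
    r5, bb2, host = "192.10.1.5", "192.10.1.254", "10.1.1.10"  # bb2, host constructed
    table = set()
    reflect(table, Pkt("tcp", host, bb2, 40000, 80))            # transit flow from inside
    reflect(table, Pkt("icmp", r5, bb2, icmp="echo"), router_originated=True)
    packets = {
        "return of inside flow": Pkt("tcp", bb2, host, 80, 40000),
        "unsolicited tcp/23": Pkt("tcp", bb2, host, 50000, 23),
        "echo-reply to R5": Pkt("icmp", bb2, r5, icmp="echo-reply"),
        "BGP from BB2": Pkt("tcp", bb2, r5, 179, 41000),
    }
    return {name: tuple(inbound(acl, table, p)
                        for acl in (INB_POSTED, INB_LISTED, INB_EVAL_ONLY))
            for name, p in packets.items()}
```

Each result tuple is ordered posted, listed, evaluate-only. The model ignores addresses in permit entries and ICMP type tracking in reflected entries, which the lists above do not use.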