From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Nov 25 2005 - 19:18:34 GMT-3
The problem is that you are testing it from the router with the
reflexive ACL applied. Since by default, traffic sourced by the router
is not affected by an outbound ACL, the traffic does not get reflected.
Test this configuration from a router behind R6. If you want to be able
to ping and telnet from R6, you can statically permit the returning
traffic in the inbound ACL or policy route the traffic out a loopback.
By policy routing the traffic out a loopback, it will be "reflected" when
it exits the router on your serial interface.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
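An added example, not from the original thread or from Internetwork Expert, of the loopback workaround Brian describes, written out together with the serial-interface reflexive ACLs so the configuration is complete. Interface addressing and the INBOUND/OUTBOUND names follow nenad's post below; the reflexive-list name TCP-UDP-TRAFFIC, the Loopback0 address 150.1.6.6/32, the route-map LOCAL-OUT and the access-list LOCAL-TRAFFIC are assumptions. The point it shows: packets the router itself generates are not checked against the outbound ACL, so no reflexive entry is ever created for them; with `ip local policy` those packets are first handed to Loopback0, after which they are forwarded like transit traffic out Serial0/0 and do match the `reflect` statements.

```cisco
! Added example, not code from the original post.
! Assumed names/addresses: TCP-UDP-TRAFFIC, Loopback0 150.1.6.6/32,
! route-map LOCAL-OUT, access-list LOCAL-TRAFFIC.
!
! 1. Reflexive pair on the serial link. Outbound TCP/UDP/ICMP creates a
!    temporary mirror-image entry; inbound traffic is checked against it.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-UDP-TRAFFIC
 permit udp any any reflect TCP-UDP-TRAFFIC
 permit icmp any any reflect TCP-UDP-TRAFFIC
!
ip access-list extended INBOUND
 permit tcp any any eq bgp
 permit ospf any any
 ! traceroute replies come from other hosts as ICMP, not as a mirror of the
 ! UDP probe, so they can never be evaluated and must be permitted statically
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 evaluate TCP-UDP-TRAFFIC
!
interface Serial0/0
 ip address 172.16.66.5 255.255.255.252
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! 2. Loopback workaround for traffic sourced by R6 itself.
!    Locally generated TCP/UDP/ICMP is policy routed to Loopback0, re-enters
!    the forwarding path as transit traffic, and is then reflected when it
!    leaves Serial0/0. OSPF (protocol 89) is deliberately not matched.
interface Loopback0
 ip address 150.1.6.6 255.255.255.255
!
ip access-list extended LOCAL-TRAFFIC
 permit tcp any any
 permit udp any any
 permit icmp any any
!
route-map LOCAL-OUT permit 10
 match ip address LOCAL-TRAFFIC
 set interface Loopback0
!
ip local policy route-map LOCAL-OUT
!
! 3. Alternative without policy routing: statically permit the return
!    traffic for sessions R6 originates (telnet and ping), placed in INBOUND
!    above the evaluate line instead of relying on a reflexive entry.
! permit tcp any eq telnet host 172.16.66.5 established
! permit icmp any host 172.16.66.5 echo-reply
```

To check that the workaround took effect, telnet from R6 to 172.16.66.6 and run `show ip access-lists` on R6: a temporary entry of the form `permit tcp host 172.16.66.6 eq telnet host 172.16.66.5 eq <ephemeral port>` should now be listed under the reflexive list TCP-UDP-TRAFFIC, whereas without the local policy the list stays empty and the session times out as in nenad's output.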
________________________________
From: nenad pudar [mailto:nenad.pudar@gmail.com]
Sent: Friday, November 25, 2005 12:09 PM
To: Brian Dennis
Cc: Cham; ccielab@groupstudy.com
Subject: Re: Reflexive ACL - IE LAB2 Q10.8-10
It is not clear to me what the lab requirements are; below I created one
example in which only traceroute is allowed.
In addition, we should not break existing applications (BGP & OSPF).
interface Serial0/0
description to to r1 0/1
ip address 172.16.66.5 255.255.255.252
ip access-group INBOUND in
ip access-group OUTBOUND out
ip nat outside
encapsulation ppp
ip ospf hello-interval 20
ip ospf retransmit-interval 10
ppp authentication chap PPP
ppp chap hostname r6
end
RTF-R6#sh ip access-lists OUTBOUND
Extended IP access list OUTBOUND
permit tcp any any reflect TCP&UDP-TRAFFIC
permit udp any any reflect TCP&UDP-TRAFFIC
RTF-R6#sh ip access-lists INBOUND
Extended IP access list INBOUND
permit tcp any any eq bgp (62 matches)
permit ospf any any (29 matches)
permit icmp any any port-unreachable (4 matches)
permit icmp any any time-exceeded
evaluate TCP&UDP-TRAFFIC
RTF-R6#telnet 172.16.66.6
Trying 172.16.66.6 ...
% Connection timed out; remote host not responding
RTF-R6#ping 172.16.66.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.66.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
RTF-R6#tr 172.16.66.6
Type escape sequence to abort.
Tracing the route to 172.16.66.6
1 172.16.66.6 16 msec * 16 msec
nenad
On 11/25/05, Brian Dennis <bdennis@internetworkexpert.com> wrote:
What does a reflexive ACL do? Reflexive ACLs watch the packet
(reflect) and allow it to return (evaluate). When a packet is reflected,
the mirror image of that packet must be the one that returns. If it is
not, then it cannot be properly evaluated. Reflexive ACLs do not work
for any traffic that does not behave in this straightforward manner.
Standard FTP and TFTP are examples of applications that do not work in
this straightforward manner of a mirror image of the packet returning.
In Cisco's IOS implementation of traceroute, the first packet
sent out is a UDP packet destined to port 33434, but the packet sent back
by the routers in the path is an ICMP time-exceeded when the TTL is
decremented to 0. Finally, in Cisco's implementation the final
destination sends an ICMP port-unreachable.
So now that we understand how traceroute is implemented by Cisco
IOS and how reflexive ACLs work, we know that we need to "statically"
permit ICMP time-exceeded and ICMP port-unreachables in order for
traceroute to work.
HTH,
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com ] On Behalf Of
Cham
Sent: Friday, November 25, 2005 10:22 AM
To: ccielab@groupstudy.com
Subject: RE: Reflexive ACL - IE LAB2 Q10.8-10
Hello all,
With reference to IE LAB2 Q10.8-10
R1 (gig4/1/0) ---------------- (gig4/0/0) R2 (fast0/0/0) -------- (fast0/1/0) R3
    10.10.10.1                 10.10.10.2    150.1.19.1              150.1.19.2
R2 has a Reflexive ACL on fast 0/0/0 to affect ICMP from R1 to R2
interface FastEthernet0/0/0
ip address 150.1.19.1 255.255.255.0
ip access-group EVAL in
ip access-group REFLECT out
no ip proxy-arp
half-duplex
Extended IP access list EVAL
10 evaluate TEST
15 permit icmp any any time-exceeded
16 permit icmp any any port-unreachable (2 matches)
20 permit ospf any any (98 matches)
30 permit tcp any any eq bgp (24 matches)
Extended IP access list REFLECT
10 permit icmp any any reflect TEST (40 matches)
20 permit ip any any (3 matches)
---- without this a traceroute
from R1 will not work??
I can see how the normal ICMP part of this config works. But why do I
need the "permit ip any any" on the "REFLECT" ACL to get a traceroute
to work? I was thinking that the "permit icmp any any" would permit
the traceroute through and then reflect for an entry on the return
path?
I have also tried the below in place of the "permit icmp any any
reflect TEST" in the "REFLECT" ACL, but this also does not work:
permit icmp any any time-exceeded reflect TEST
permit icmp any any port-unreachable reflect TEST
I feel my understanding of the ICMP type/code is at a loss?
Thanks for any help on this...
CG
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:07 GMT-3