From: secondie (secondie@gmail.com)
Date: Sun Aug 06 2006 - 00:42:34 ART
AFAIK there is no reason for Reflective ACL not to work between R1
(source on the inside) and R3 (Dest on the outside). Were you pinging
12.12.12.8 from R1 or R2? Of course ping from R2 will bypass the
Reflective-ACL and return traffic will be denied. But if pinging/telnetting
from R1, it should work.
I put configs to test and it seems to work for me. If you are still
having trouble let me know and I can paste my configs.
-secondie
bindong.shi@gmail.com wrote:
> I have 3 routers:
> R1(17.17.17.1)----inside-----(17.17.17.7)R2(12.12.12.7)---outside----(12.12.12.8)R3
> I would like to implement Ref ACL on R2, only allowing TCP, UDP, ICMP and traceroute initiated from the inside network. Here is my configuration:
> R2:
> interface e0
> description connect to R3
> ip access-group Incoming in
> ip access-group Outgoing out
>
> ip access-list extended Outgoing
> permit tcp any any reflect temp
> permit udp any any reflect temp
> permit icmp any any reflect temp
> ip access-list extended Incoming
> permit eigrp any any
> permit icmp any any port-unreachable
> permit icmp any any time-exceeded
> evaluate temp
>
> Then I realized that I am not able to ping the loopback IP address of R3 (12.12.12.8). According to the document, the traffic which was initiated on R2 itself will not be evaluated, so I added one more command in the access-list Incoming:
> "permit icmp any any echo-reply"
> Now I am able to ping R3. My question is: I can understand why R2 cannot ping R3 without the last command I mentioned, but why can I also ping R3 from R1 only after I added that command, since traffic from R1 is not originated from R2 locally?
> There is no routing problem; every IP address is reachable.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
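As an added illustration (not from either poster), a small Python model of the reflexive ACL behaviour secondie describes on R2's e0: transit traffic matching the `Outgoing` list is reflected into `temp`, traffic R2 originates itself is never inspected by the outbound ACL and so creates no entry, and the `Incoming` list is evaluated in the order of the quoted config. Two modelling assumptions: ICMP reflexive entries match on addresses only, and the "locally generated traffic bypasses the ACL" rule is taken from the thread rather than from IOS source.

```python
from dataclasses import dataclass, field

R1, R2, R3 = "17.17.17.1", "12.12.12.7", "12.12.12.8"   # addresses from the thread

@dataclass(frozen=True)
class Pkt:
    proto: str            # "icmp", "tcp", "udp" or "eigrp"
    src: str
    dst: str
    sport: int = 0        # 0 for ICMP
    dport: int = 0
    icmp_type: str = ""   # "echo", "echo-reply", "time-exceeded", ...

@dataclass
class ReflexiveAcl:
    """Model of R2's e0: 'Outgoing' (out) reflects into 'temp'; 'Incoming' (in) evaluates it."""
    permit_echo_reply: bool = False          # the extra line the poster added
    temp: set = field(default_factory=set)   # reflected (proto, src, dst, sport, dport)

    def outbound(self, pkt, locally_generated=False):
        # Modelling assumption from the thread: packets R2 originates itself bypass
        # the outbound ACL, so nothing is reflected for them; transit traffic is mirrored.
        if not locally_generated:            # permit <proto> any any reflect temp
            self.temp.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))

    def inbound(self, pkt):
        if pkt.proto == "eigrp":                                 # permit eigrp any any
            return "permit"
        if pkt.proto == "icmp" and pkt.icmp_type in ("port-unreachable", "time-exceeded"):
            return "permit"
        if self.permit_echo_reply and pkt.icmp_type == "echo-reply":
            return "permit"                                      # permit icmp any any echo-reply
        if (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.temp:
            return "permit (reflexive)"                          # evaluate temp
        return "deny (implicit)"

def reply_verdict(out_pkt, in_pkt, permit_echo_reply=False, locally_generated=False):
    acl = ReflexiveAcl(permit_echo_reply=permit_echo_reply)
    acl.outbound(out_pkt, locally_generated)     # forward towards R3 through e0
    return acl.inbound(in_pkt)                   # judge the return packet on e0

def ping_verdict(src, permit_echo_reply=False):
    # ICMP echo from src to R3's loopback; a ping sourced on R2 is locally generated.
    return reply_verdict(Pkt("icmp", src, R3, icmp_type="echo"),
                         Pkt("icmp", R3, src, icmp_type="echo-reply"),
                         permit_echo_reply, locally_generated=(src == R2))

if __name__ == "__main__":
    for src, extra in ((R1, False), (R2, False), (R2, True)):
        print(f"ping from {src}, echo-reply permit={extra}: {ping_verdict(src, extra)}")
```

Under this model a ping from R1 succeeds through `evaluate temp` alone, while a ping sourced on R2 is only answered once the `echo-reply` permit is present, which is the behaviour secondie expects.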
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART