Hi all,
I've just started learning IOS and have run into a brick wall already. I'm currently playing with reflexive access lists and have set up a simple example, but I can't seem to get it to allow packets back into the network (I think).
Anyway, here's my config (excuse the mess of it, I'm new and it's only being used on my subnet :))
Current configuration : 1273 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Border
!
enable secret 5 $1$s7f8$/xk5kaC6jLSyVy9pMBN/x.
!
ip subnet-zero
no ip source-route
!
!
ip domain-name test.org
!use netgear adsl router as dns server
ip name-server 192.168.0.1
!
ip reflexive-list timeout 200
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description External interface
 ip address 192.168.0.100 255.255.255.0
 ip access-group infilter in
 ip access-group outfilter out
 no ip unreachables
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
router rip
 network 192.168.0.0
 network 192.168.1.0
!
ip classless
no ip http server
!
!
ip access-list extended infilter
 evaluate tmprlist
 deny ip any any log
ip access-list extended outfilter
 permit ip any any reflect tmprlist
 deny ip any any log
ip access-list extended outlist
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 30 0
line aux 0
line vty 0
 password 7 011D0906590E14
 login
line vty 1
 password 7 011E0F0A5C0E
 login
 transport input telnet
line vty 2 4
 password 7 082F434C0B1C17
 login
!
end
OK I know there's lots wrong in there but what is stopping the reflexive lists working?
If I ping out I get:

Border#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.
00:18:26: %SEC-6-IPACCESSLOGDP: list infilter denied icmp 192.168.0.1-> 192.168.0.100 (0/0), 1 packet
....
Success rate is 0 percent (0/5)
Which seems to suggest the packet got out, but wasn't allowed back. This might be handy too:

Border#sh access-lists
Extended IP access list infilter
    evaluate tmprlist
    deny ip any any log (59 matches)
Extended IP access list outfilter
    permit ip any any reflect tmprlist
    deny ip any any log
Extended IP access list outlist
Reflexive IP access list tmprlist
If anyone can tell me my n00b mistake, I'd be most grateful. It's driving me nuts :)
Thanks!!
Jon
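The following is an added illustration, not code from the poster or from Cisco: a small Python model of how the reflexive access lists in the config above are evaluated. `outfilter` permits transit traffic and reflects its addresses into the temporary list `tmprlist`; `infilter` evaluates `tmprlist` first and then denies and logs everything else, which is what the `%SEC-6-IPACCESSLOGDP` line shows. The model also encodes the documented IOS behaviour that an interface's outbound access-group does not see packets the router itself originates, so a ping sourced from the router's own CLI creates no reflexive entry and its echo reply is dropped by `infilter`. The `Packet` structure, the function names and the inside host address `192.168.1.10` are constructed for the example.

```python
"""Toy model of Cisco IOS reflexive ACL evaluation (added example, not
the poster's or Cisco's code). Names and packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0                # 0 for ICMP, which carries no ports
    dport: int = 0
    router_originated: bool = False   # True for a ping typed at the router CLI


class ReflexiveFirewall:
    """Models 'ip access-group infilter in' / 'outfilter out' on Fa0/0."""

    def __init__(self):
        # tmprlist: temporary entries describing the RETURN traffic that
        # 'evaluate tmprlist' will permit (proto, src, dst, sport, dport).
        self.tmprlist = set()
        self.log = []

    def outbound(self, pkt):
        """Apply 'outfilter' to a packet leaving the external interface."""
        if pkt.router_originated:
            # Documented IOS behaviour: locally generated packets are not
            # run through the outbound access-group, so nothing is reflected.
            return True
        # 'permit ip any any reflect tmprlist': record the mirrored 5-tuple
        self.tmprlist.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt):
        """Apply 'infilter' to a packet arriving on the external interface."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.tmprlist:                      # 'evaluate tmprlist'
            return True
        # 'deny ip any any log' (message shape modelled on the post's log line)
        self.log.append(
            f"%SEC-6-IPACCESSLOGDP: list infilter denied {pkt.proto} "
            f"{pkt.src}-> {pkt.dst}")
        return False


def host_ping_scenario():
    """Inside host pings the DNS server: reply is allowed back."""
    fw = ReflexiveFirewall()
    fw.outbound(Packet("icmp", "192.168.1.10", "192.168.0.1"))
    return fw.inbound(Packet("icmp", "192.168.0.1", "192.168.1.10"))


def router_ping_scenario():
    """Ping sourced from the router itself (as in the post): reply dropped."""
    fw = ReflexiveFirewall()
    fw.outbound(Packet("icmp", "192.168.0.100", "192.168.0.1",
                       router_originated=True))
    allowed = fw.inbound(Packet("icmp", "192.168.0.1", "192.168.0.100"))
    return allowed, fw.log


def unsolicited_scenario():
    """Inbound connection nobody asked for: denied by the final deny."""
    fw = ReflexiveFirewall()
    return fw.inbound(Packet("tcp", "192.168.0.1", "192.168.1.10", 40000, 23))


if __name__ == "__main__":
    print("host ping reply allowed:", host_ping_scenario())
    print("router ping reply allowed:", router_ping_scenario())
    print("unsolicited telnet allowed:", unsolicited_scenario())
```

Run it directly to see the three cases side by side. The second scenario reproduces the symptom in the post: the outbound list never sees the router's own echo request, `tmprlist` stays empty, and the echo reply falls through to `deny ip any any log`. A ping from a host behind the router, as in the first scenario, exercises the reflect/evaluate pair as intended.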