Problem with reflect list

Hi all,

I've just started learning IOS and have run into a brick wall already. I'm currently playing with reflexive access lists and have set up a simple example, but I can't seem to get it to allow packets back into the network (I think).

Anyway, here's my config (excuse the mess of it, I'm new and it's only being used on my subnet :))

Current configuration : 1273 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Border
!
enable secret 5 $1$s7f8$/xk5kaC6jLSyVy9pMBN/x.
!
ip subnet-zero
no ip source-route
!
ip domain-name test.org
!use netgear adsl router as dns server
ip name-server 192.168.0.1
!
ip reflexive-list timeout 200
call rsvp-sync
!
interface FastEthernet0/0
 description External interface
 ip address 192.168.0.100 255.255.255.0
 ip access-group infilter in
 ip access-group outfilter out
 no ip unreachables
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
router rip
 network 192.168.0.0
 network 192.168.1.0
!
ip classless
no ip http server
!
ip access-list extended infilter
 evaluate tmprlist
 deny ip any any log
ip access-list extended outfilter
 permit ip any any reflect tmprlist
 deny ip any any log
ip access-list extended outlist
!
dial-peer cor custom
!
line con 0
 exec-timeout 30 0
line aux 0
line vty 0
 password 7 011D0906590E14
 login
line vty 1
 password 7 011E0F0A5C0E
 login
 transport input telnet
line vty 2 4
 password 7 082F434C0B1C17
 login
!
end

OK I know there's lots wrong in there but what is stopping the reflexive lists working?

If I ping out I get:

Border#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.
00:18:26: %SEC-6-IPACCESSLOGDP: list infilter denied icmp 192.168.0.1 -> 192.168.0.100 (0/0), 1 packet
....
Success rate is 0 percent (0/5)

Which seems to suggest the packet got out, but wasn't allowed back. This might be handy too:

Border#sh access-lists
Extended IP access list infilter
    evaluate tmprlist
    deny ip any any log (59 matches)
Extended IP access list outfilter
    permit ip any any reflect tmprlist
    deny ip any any log
Extended IP access list outlist
Reflexive IP access list tmprlist

If anyone can tell me my n00b mistake, I'd be most grateful. It's driving me nuts :)

Thanks!!

Jon


You are trying to ping from the local router. The reflexive list only seems to work with traffic passing through the router, not with traffic originated locally.

/TC

wrote in message news: snipped-for-privacy@g49g2000cwa.googlegroups.com...


The reflexive ACLs make the router act as a stateful FW. You need to permit the ICMP in the in ACL; right now you are denying everything from the outside, because the router does not recognize the ICMP echo reply as a response to the echo originated from your network. For TCP and UDP you do not need to permit traffic, since you are doing that from the out ACL. The case is that ICMP is like an exception, so you need to permit it.

-as

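To make the two replies above concrete, here is an added Python model of the reflect/evaluate mechanism (not IOS code and not from either poster): a reflect entry on outfilter creates a mirrored temporary entry, evaluate on infilter matches inbound packets against it, and only transit traffic is ever reflected, so a ping typed on the router itself gets no entry. Class, function and host names are constructed, and a real router also tears down TCP entries on FIN/RST, which this model leaves out.

```python
from collections import namedtuple

# Constructed 5-tuple; sport/dport stay 0 for icmp.
Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(0, 0))

class ReflexiveList:
    """Models 'reflect NAME' on the out ACL and 'evaluate NAME' on the in ACL."""
    def __init__(self, timeout):
        self.timeout = timeout   # ip reflexive-list timeout (seconds)
        self.entries = {}        # mirrored Flow -> expiry time

    def reflect(self, pkt, now, through_router):
        # Only transit traffic passes the out ACL; packets the router itself
        # originates (an exec 'ping') never create a temporary entry.
        if not through_router:
            return False
        mirror = Flow(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[mirror] = now + self.timeout
        return True

    def evaluate(self, pkt, now):
        expiry = self.entries.get(pkt)
        if expiry is None or now > expiry:       # idle entry aged out
            self.entries.pop(pkt, None)
            return False
        self.entries[pkt] = now + self.timeout   # matching traffic refreshes it
        return True

def inbound_permitted(rlist, pkt, now, permit_icmp_in=False):
    """infilter: optional 'permit icmp any any', then evaluate tmprlist, deny any."""
    if permit_icmp_in and pkt.proto == "icmp":
        return True
    return rlist.evaluate(pkt, now)

def scenario():
    rlist = ReflexiveList(timeout=200)
    # 1: router-originated ping, as in the post: no entry, so the reply is denied.
    ping = Flow("icmp", "192.168.0.100", "192.168.0.1")
    rlist.reflect(ping, now=0, through_router=False)
    reply = Flow("icmp", "192.168.0.1", "192.168.0.100")
    local_ping = inbound_permitted(rlist, reply, now=1)
    # 2: same reply with an explicit ICMP permit ahead of the evaluate line.
    icmp_permit = inbound_permitted(rlist, reply, now=1, permit_icmp_in=True)
    # 3: transit TCP from the inside LAN is reflected; reply passes until idle timeout.
    syn = Flow("tcp", "192.168.1.10", "192.168.0.1", 40000, 80)
    rlist.reflect(syn, now=10, through_router=True)
    synack = Flow("tcp", "192.168.0.1", "192.168.1.10", 80, 40000)
    transit = inbound_permitted(rlist, synack, now=11)
    expired = inbound_permitted(rlist, synack, now=11 + 201)
    return local_ping, icmp_permit, transit, expired
```

scenario() returns (False, True, True, False): the locally originated ping reply is dropped, an explicit ICMP permit lets it through, and a transit TCP reply is accepted until the entry idles out.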
