
Reflexive Access List


I just tried it out on a lab setup and this should illustrate it nicely for you.

R4 ======= R3========R1=====R5 s1/0
Allow R4 to ping R5 but not R1(or anything else) via R3
On R3
ip access-list extended EVALREFLECT
 evaluate ICMP
 deny icmp any any log
 permit ip any any
ip access-list extended MYFWREFLECT
 permit icmp any host 142.22.135.5 reflect ICMP
 permit ip any any

int s1/0
 ip access-group MYFWREFLECT in
 ip access-group EVALREFLECT out

R3#
*Mar 1 05:03:25.502: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 05:03:28.726: %SEC-6-IPACCESSLOGDP: list EVALREFLECT denied icmp 142.22.135.1 -> 142.22.34.4 (0/0), 1 packet

R3#sh ip access-lists
Extended IP access list EVALREFLECT
    10 evaluate ICMP
    20 deny icmp any any log (5 matches)
    30 permit ip any any
Reflexive IP access list ICMP
     permit icmp host 142.22.135.5 host 142.22.34.4 (19 matches) (time left 293)
Extended IP access list MYFWREFLECT
    10 permit icmp any host 142.22.135.5 reflect ICMP (22 matches)
    20 permit ip any any (31 matches)
R3#
-Rich

On 4/30/08, Chris McGuire wrote:
>
> One thing to keep in mind. Router generated traffic is not checked against
> outbound filters. You could apply an ACL that denies all traffic outbound on
> an interface and still be able to ping from that router to a neighbor
> router. So you will not have a reflection back for your router generated
> traffic if you are using Reflexive lists. This may have something to do with
> it but I cannot tell for sure because I don't know the topology or where you
> have applied these ACLs specifically. You may want to upload the configs of
> the ACLs and the interfaces you have applied them to.
>
> Thanks,
> Chris
>
>
> On 4/30/08 2:37 PM, "olumayokun fowowe" wrote:
>
> > Hello all,
> >
> > I was listening to the Internetwork Expert CoD on Security. My problem has
> > to do with the Reflexive access list part, where we have MYFWEVAL and
> > MYFWREFLECT. In the CoD, MYFWEVAL was applied IN on the serial interface and
> > MYFWREFLECT as OUT on the same interface. When I tried replicating this with
> > dynamips, I couldn't ping R5 nor R4 until I inverted the access list. I
> > applied MYFWREFLECT as IN and MYFWEVAL as OUT, then the Reflexive access
> > list worked. Please can anybody tell me the correct implementation.
> > Thanks.
> >
> > Pass the CCIE in six weeks, Guaranteed!
> > http://www.certscience.com/CCIE
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Chris S. McGuire
> Network Engineer
> Phone: 801-456-1028
> Fax: 801-456-1010
> Email: cmcguire@firstdigital.com
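The behaviour Rich's output shows, and the point Chris raises about router-generated traffic, can be replayed in a small model. The following Python is an added illustration, not part of the mailing-list thread and not Cisco IOS code: it implements the reflexive mechanism in simplified form (one interface, no port or ICMP-type tracking, a 300-second entry timeout refreshed on each hit, which is the IOS default that the "(time left 293)" line above reflects). R3's two lists and the R4/R5/R1 addresses are taken from the post; the class names, the `reflect_in` switch and the `192.0.2.3` address used for R3 itself are constructed for the example. `run_post_scenario` uses Rich's placement (`reflect` inbound on s1/0, `evaluate` outbound) and shows R4's ping to R5 succeeding while R1's unsolicited ping to R4 is denied and logged; `run_inverted_scenario` swaps the two directions, which is the right placement when sessions are initiated *out* of the interface, and shows why a ping sourced from the router itself never gets a reflected entry and therefore never gets its reply back, while a transit host's ping still does.

```python
# Toy model of a reflexive ACL on one router interface (constructed example, not IOS code).
from dataclasses import dataclass, field
from typing import Optional

REFLEXIVE_TIMEOUT = 300                    # IOS default reflexive timeout, seconds
R4, R5, R1 = "142.22.34.4", "142.22.135.5", "142.22.135.1"   # addresses from the post
R3_SELF = "192.0.2.3"                      # constructed placeholder for R3's own address

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    router_generated: bool = False         # originated by the router itself

@dataclass
class Entry:
    action: str                            # "permit" | "deny" | "evaluate"
    proto: str = "ip"                      # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    reflect: Optional[str] = None          # list to fill (permit) or consult (evaluate)
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return self.proto in ("ip", p.proto) and self.src in ("any", p.src) and self.dst in ("any", p.dst)

@dataclass
class ReflexiveList:
    sessions: dict = field(default_factory=dict)   # (proto, src, dst) -> expiry time

    def add(self, p: Packet, now: int) -> None:
        # Mirror image of the permitted packet: source and destination swapped.
        self.sessions[(p.proto, p.dst, p.src)] = now + REFLEXIVE_TIMEOUT

    def permits(self, p: Packet, now: int) -> bool:
        key = (p.proto, p.src, p.dst)
        expiry = self.sessions.get(key)
        if expiry is None or expiry <= now:
            self.sessions.pop(key, None)   # never existed, or aged out
            return False
        self.sessions[key] = now + REFLEXIVE_TIMEOUT   # refresh on a hit
        return True

class Router:
    def __init__(self) -> None:
        self.acls, self.reflexive, self.interfaces, self.log = {}, {}, {}, []

    def _apply(self, acl: str, p: Packet, now: int) -> bool:
        for e in self.acls[acl]:
            if e.action == "evaluate" and self.reflexive[e.reflect].permits(p, now):
                return True
            if e.action == "evaluate" or not e.matches(p):
                continue                   # an evaluate miss falls through to the next entry
            if e.action == "deny":
                if e.log:
                    self.log.append(f"list {acl} denied {p.proto} {p.src} -> {p.dst}")
                return False
            if e.reflect:                  # "permit ... reflect NAME" creates the mirror entry
                self.reflexive[e.reflect].add(p, now)
            return True
        return False                       # implicit deny

    def forward(self, intf: str, direction: str, p: Packet, now: int) -> bool:
        in_acl, out_acl = self.interfaces[intf]
        if direction == "out" and p.router_generated:
            return True                    # locally generated traffic skips outbound ACLs
        return self._apply(in_acl if direction == "in" else out_acl, p, now)

def build_r3(reflect_in: bool = True) -> Router:
    """R3's two lists from the post; reflect_in=False swaps their directions on s1/0."""
    r = Router()
    r.reflexive["ICMP"] = ReflexiveList()
    r.acls["MYFWREFLECT"] = [Entry("permit", "icmp", "any", R5, reflect="ICMP"), Entry("permit")]
    r.acls["EVALREFLECT"] = [Entry("evaluate", reflect="ICMP"), Entry("deny", "icmp", log=True), Entry("permit")]
    r.interfaces["s1/0"] = ("MYFWREFLECT", "EVALREFLECT") if reflect_in else ("EVALREFLECT", "MYFWREFLECT")
    return r

def run_post_scenario() -> tuple:
    """Rich's placement: reflect inbound on s1/0 (the R4 side), evaluate outbound."""
    r = build_r3()
    res = {
        "r4_request": r.forward("s1/0", "in", Packet("icmp", R4, R5), 0),       # mirrored into ICMP
        "r5_reply": r.forward("s1/0", "out", Packet("icmp", R5, R4), 1),        # evaluate hits
        "r1_unsolicited": r.forward("s1/0", "out", Packet("icmp", R1, R4), 2),  # denied and logged
        "r5_reply_late": r.forward("s1/0", "out", Packet("icmp", R5, R4), 400), # entry aged out
    }
    return res, r.log

def run_inverted_scenario() -> tuple:
    """Chris's point: a reflect list outbound is bypassed by R3's own ping, so its reply is dropped."""
    r = build_r3(reflect_in=False)
    res = {
        "r3_own_request": r.forward("s1/0", "out", Packet("icmp", R3_SELF, R5, True), 0),
        "reply_to_r3": r.forward("s1/0", "in", Packet("icmp", R5, R3_SELF), 1),   # no mirror entry
        "r4_request": r.forward("s1/0", "out", Packet("icmp", R4, R5), 2),        # transit: checked
        "r5_reply": r.forward("s1/0", "in", Packet("icmp", R5, R4), 3),           # ... and mirrored
    }
    return res, r.log
```

Calling `run_post_scenario()` returns the per-packet verdicts plus the log lines, and the log's first entry matches the `%SEC-6-IPACCESSLOGDP` message R3 printed above; `run_inverted_scenario()` returns a permitted router-sourced request whose reply is then denied inbound, while the R4 to R5 exchange still succeeds because transit traffic does pass through the outbound `reflect` list.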

