router bypasses ACL for locally sourced traffic
You can force it to be reflected by policy routing it and making it appear as transit traffic to the router:
http://www.groupstudy.com/archives/ccielab/200311/msg01170.html
Either that or you need to statically permit inbound all traffic destined to the local router that is necessary (routing protocols, icmp echo-reply, traceroute replies, etc.)
HTH,
Brian McGahan, CCIE #8593 bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of blodwick
> Sent: Friday, June 30, 2006 2:38 PM
> To: 'CCIEin2006'; 'Koen Zeilstra'
> Cc: ccielab@groupstudy.com
> Subject: RE: router bypasses ACL for locally sourced traffic
>
> One additional tidbit I'd like to add to this string that I found interesting is on a reflexive acl local traffic is not reflected for evaluation, but you can explicitly specify to only permit established TCP sessions inbound by using the established keyword at the end of your acl statement to provide similar security measures.
>
> Brian L
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of CCIEin2006
> Sent: Friday, June 30, 2006 1:21 PM
> To: Koen Zeilstra
> Cc: ccielab@groupstudy.com
> Subject: Re: router bypasses ACL for locally sourced traffic
>
> Good question. I was also wondering that if the filtering decision is made after the routing decision then what difference does it make if the packet is locally generated?
>
> On 6/30/06, Koen Zeilstra wrote:
> >
> > This is clear. But why is this behaviour?
> >
> > Is it because there is no routing decision made since there is no incoming interface?
> >
> > -----------------------
> > Try to get all of your posthumous medals in advance.
> >
> > On Fri, 30 Jun 2006, Scott Morris wrote:
> >
> > | It has to do with the order of operations....
> > |
> > | Check out:
> > |
> > | http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804fde4d.html
> > |
> > |
> > | Applying Access Lists to Interfaces
> > |
> > | For some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list which checks both inbound and outbound packets.
> > |
> > | If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
> > |
> > | If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
> > |
> > | Note Access lists that are applied to interfaces do not filter traffic that originates from that router.
> > |
> > |
> > | HTH,
> > |
> > |
> > | Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE #153, CISSP, et al.
> > | CCSI/JNCI
> > | IPExpert CCIE Program Manager
> > | IPExpert Sr. Technical Instructor
> > | smorris@ipexpert.com
> > | http://www.ipexpert.com
> > |
> > |
> > |
> > | -----Original Message-----
> > | From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Koen Zeilstra
> > | Sent: Friday, June 30, 2006 8:40 AM
> > | To: ccielab@groupstudy.com
> > | Subject: router bypasses ACL for locally sourced traffic
> > |
> > | Hi Group,
> > |
> > | Maybe this has been posted before, however I could not find any reference. Perhaps other wording is used to describe this.
> > |
> > | What is the explanation for a router bypassing ACLs applied in the outgoing direction for locally sourced traffic?
> > |
> > | For example:
> > |
> > |
> > | (R1)e0/0------------e0/0(R2)
> > |
> > |
> > | R1
> > |
> > | int e0/0
> > | ip access-group ACL out
> > | !
> > |
> > | ip access-list ext ACL
> > | deny tcp any any eq telnet
> > | permit ip any any
> > | !
> > |
> > | Telnetting from R1 to R2 works fine even with the ACL denying outgoing packets destined for port 23.
> > |
> > | thanks,
> > |
> > | Koen
> > |
> > | -----------------------
> > | You will feel hungry again in another hour.
> > |
> > |
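The second option Brian McGahan gives above, statically permitting inbound the replies the router itself needs, written out as an added example; this is not configuration from the thread or from Internetwork Expert. The access list named ACL and interface e0/0 come from Koen's example; the name INBOUND, the choice of OSPF as the routing protocol on the link, and the exact set of ICMP types are assumptions to adapt to your own network. The `established` keyword is the one Brian L mentions: it matches only TCP segments with ACK or RST set, so return traffic for sessions R1 opens is permitted while a fresh inbound SYN toward R1 is still dropped.

```cisco
! Added example, not from the thread. Assumes R1's e0/0 faces R2 and that
! R1 runs OSPF with R2; adjust the permitted protocols to what R1 really uses.
!
! Koen's outbound ACL: it blocks transit telnet through R1, but NOT telnet
! that R1 itself originates, because locally generated packets skip the
! outbound interface ACL (order of operations, per the Cisco text above).
ip access-list extended ACL
 deny   tcp any any eq telnet
 permit ip any any
!
! Inbound filter on the same interface. Since R1's own outbound packets are
! never reflected into a reflexive ACL, the return traffic for sessions R1
! originates has to be permitted statically:
!  - TCP replies: "established" matches only segments with ACK or RST set,
!    so a new inbound SYN (someone telnetting TO R1) is still denied.
!  - ICMP echo-reply for R1's own pings.
!  - ICMP time-exceeded and port-unreachable for R1's own traceroutes.
!  - OSPF (assumed routing protocol) so the adjacency with R2 stays up.
ip access-list extended INBOUND
 remark replies to traffic R1 itself originates
 permit tcp  any any established
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 remark routing protocol (assumption: OSPF on this link)
 permit ospf any any
 remark everything else, including new inbound TCP sessions to R1, is dropped
 deny   ip any any log
!
interface Ethernet0/0
 ip access-group ACL out
 ip access-group INBOUND in
!
```

`established` is a flag check, not state tracking: any inbound segment carrying ACK or RST passes whether or not R1 ever opened that session, so this gives "similar security measures" to a reflexive ACL, not the same ones. After applying it, `show ip access-lists INBOUND` shows per-entry match counters; a telnet from R1 to R2 increments the `established` line, while a telnet attempt from R2 to R1 lands on the final `deny` and is logged.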