Thread: Re: Reflexive ACLs

Re: Reflexive ACLs
user name
2008-07-03 09:36:15
Yes, I have experienced this exact same problem.

Try running "debug ip packet detailed". I discovered this in one of my labs and I was shocked.

It would appear that even for Ethernet interfaces, when you ping "your own IP address", the packets *in fact* leave the router and come back and are caught by the inbound ACL. I thought it was strange. I understand this for a point-to-point interface, not for Ethernet though.

Thanks,
Alhagie.

On Thu, Jul 3, 2008 at 4:52 AM, Alexandre Ribeiro wrote:
> Ok, I understand this, and because of that on the incoming access-list I'm allowing echo-reply packets. Another method as pointed out would be to set a local policy to set the output interface to lo0, so that the traffic would be reflected.
>
> However I wanted to do this without using local policy, so I explicitly allowed echo-reply on the outside interface, on the incoming direction, so that these packets would be allowed in. What I'm seeing is that echo-replies are indeed allowed in, but I also need to allow echos in, since when I'm pinging a local interface (in this case e0/0) the ping appears to the router as coming from the outside.
>
> Hasn't anyone ever experienced this?
>
> On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer wrote:
>
>> Reflexive ACLs do not work on the local router itself, unless you source them from an "inside" interface. With your configuration, your outgoing packets are not reflected, and therefore are not evaluated by the incoming firewall ruleset.
>>
>> Bill
>>
>> Alexandre Ribeiro wrote:
>>
>>> Hello all,
>>>
>>> I have the following access-lists defined:
>>>
>>> Extended IP access list ANALYZE
>>>    10 permit icmp any any reflect REFLEXIVE (5 matches)
>>>    20 permit udp any any reflect REFLEXIVE
>>>    30 permit tcp any any reflect REFLEXIVE (17 matches)
>>>    40 deny ip any any log
>>>
>>> Extended IP access list FIREWALL
>>>    5 permit icmp any any echo-reply
>>>    10 permit udp any any eq rip (171 matches)
>>>    20 permit tcp any any eq bgp
>>>    30 permit tcp any eq bgp any (63 matches)
>>>    40 permit tcp any eq telnet any (64 matches)
>>>    60 evaluate REFLEXIVE
>>>    70 deny ip any any log (80 matches)
>>>
>>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the inbound of e0/0. Everything works as it should (task 8.1 of lab 5 of IE Vol 2) but...
>>>
>>> when I do a local ping to E0/0 the packets are denied (!). If I add a line to FIREWALL:
>>>
>>> 7 permit icmp any any echo
>>>
>>> the ping works.
>>>
>>> How does a router process a ping to a local interface? Does it consider locally originated traffic as inbound traffic? This is the only explanation I can come up with, other than a bug on IOS (12.4(13b) on a 3640).
>>>
>>> Thanks to anyone that can shed some light on this.
>>>
>>> Regards,
>>> Alex
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=131807&t=131802
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
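Worked configuration for the two remedies discussed in this thread, added here as an illustration; it is not configuration posted by Alex, Bill or Alhagie. The ACL names ANALYZE, FIREWALL and REFLEXIVE and the sequence numbers follow the thread; the addresses 192.0.2.1 and 10.255.255.1, the names LOCAL-SELF and LOCAL-TO-LO0, and the assumption that the local ping is sourced from e0/0's own address are placeholders chosen for the example. Only one of the two options is needed; they are shown together so the difference is visible.

```ios
! Added example, not from the thread. Addresses and the names LOCAL-SELF /
! LOCAL-TO-LO0 are assumed placeholders.
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group FIREWALL in
 ip access-group ANALYZE out
!
! Outbound: reflect return traffic into the temporary list REFLEXIVE.
ip access-list extended ANALYZE
 10 permit icmp any any reflect REFLEXIVE
 20 permit udp any any reflect REFLEXIVE
 30 permit tcp any any reflect REFLEXIVE
 40 deny ip any any log
!
! Inbound: evaluate the reflected entries plus the static exceptions.
ip access-list extended FIREWALL
 5 permit icmp any any echo-reply
 remark Option A: a router-sourced ping to its own e0/0 address is seen
 remark inbound on e0/0 (the thread's "debug ip packet detailed" finding),
 remark so it needs an explicit echo entry. The thread used "any any echo";
 remark this narrows it to the router's own address as both source and
 remark destination (assumes the ping is sourced from e0/0's address).
 7 permit icmp host 192.0.2.1 host 192.0.2.1 echo
 10 permit udp any any eq rip
 20 permit tcp any any eq bgp
 30 permit tcp any eq bgp any
 40 permit tcp any eq telnet any
 60 evaluate REFLEXIVE
 70 deny ip any any log
!
! Option B: the alternative mentioned in the thread. Local policy routing
! sends router-generated packets destined to the router's own e0/0 address
! out Loopback0, so they never traverse the e0/0 inbound ACL and no echo
! exception is required in FIREWALL.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
ip access-list extended LOCAL-SELF
 permit ip any host 192.0.2.1
!
route-map LOCAL-TO-LO0 permit 10
 match ip address LOCAL-SELF
 set interface Loopback0
!
ip local policy route-map LOCAL-TO-LO0
```

Option A keeps the whole path visible to the inbound ACL and its logging, at the cost of one more static permit; Option B keeps FIREWALL unchanged but means the self-ping is no longer subject to the e0/0 ruleset at all, which should be a deliberate choice rather than a side effect. "show ip access-lists" hit counts on sequence 7 (Option A) or "debug ip packet detailed" (as Alhagie used) confirm which path the packets actually take.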