Thread: Re: Reflexive ACLs

Re: Reflexive ACLs
user name
2008-07-03 11:05:20
Thanks! I'm glad to know that I'm not seeing things.

On Thu, Jul 3, 2008 at 4:28 PM, Tyson Scott wrote:

> Alex,
> There are a few versions of code that I have seen this in.  For the
> router to ping itself you need to allow echo on the inbound ACL.  You
> shouldn't have to do this with an any any, but you will have to add
> permit icmp host 1.1.1.1 host 1.1.1.1 echo.  Yeah, I remember the first
> time I ran into this a few years back I was thinking what the heck is
> going on.
>
> On Thu, Jul 3, 2008 at 9:07 AM, Alexandre Ribeiro wrote:
> > This is not just relative to reflexive ACLs. A simple test:
> >
> > Config the interface:
> >
> > Router(config)#int e0/0
> > Router(config-if)#ip add 1.1.1.1 255.255.255.0
> > Router(config-if)#
> > Router(config-if)#do ping 1.1.1.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> > !!!!!
> >
> > Set an access-list that just allows echo-reply inbound:
> >
> > Router(config)#ip access-l extended test
> > Router(config-ext-nacl)#50 permit icmp any any echo-reply
> > Router(config-ext-nacl)#200 deny ip any any log
> >
> > Router#ping 1.1.1.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> >
> > *Mar  3 02:35:00.210: %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 -> 1.1.1.1 (8/0), 1 packet .
> > *Mar  3 02:35:02.206: %SEC-6-IPACCESSLOGDP: list test denied icmp 1.1.1.1 -> 1.1.1.1 (8/0), 1 packet ....
> >
> > Now set it to allow echos on the incoming direction:
> >
> > Router(config)#ip access-l exten test
> > Router(config-ext-nacl)#100 permit icmp any any echo
> > Router(config-ext-nacl)#do ping
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> >
> > So apparently when pinging a local interface, echos appear to the local
> > interface as coming from the outside, as do echo-replies.
> >
> > Alex
> >
> > On Thu, Jul 3, 2008 at 1:51 PM, Alexandre Ribeiro
> > <alexandregomesribeirogmail.com> wrote:
> >
> >> Ok, I understand this, and because of that on the incoming access-list
> >> I'm allowing echo-reply packets. Another method as pointed out would be
> >> to set a local policy to set the output interface to lo0, so that the
> >> traffic would be reflected.
> >>
> >> However I wanted to do this without using local policy, so I explicitly
> >> allowed echo-reply on the outside interface, on the incoming direction,
> >> so that these packets would be allowed in. What I'm seeing is that
> >> echo-replies are indeed allowed in, but I also need to allow echos in,
> >> since when I'm pinging a local interface (in this case e0/0) the ping
> >> appears to the router as coming from the outside.
> >>
> >> Hasn't anyone ever experienced this?
> >>
> >> On Thu, Jul 3, 2008 at 11:24 AM, Bill Eyer wrote:
> >>
> >>> Reflexive ACLs do not work on the local router itself, unless you
> >>> source them from an "inside" interface.  With your configuration, your
> >>> outgoing packets are not reflected, and therefore are not evaluated by
> >>> the incoming firewall ruleset.
> >>>
> >>> Bill
> >>>
> >>> Alexandre Ribeiro wrote:
> >>>
> >>>> Hello all,
> >>>>
> >>>> I have the following access-lists defined:
> >>>>
> >>>> Extended IP access list ANALYZE
> >>>>    10 permit icmp any any reflect REFLEXIVE (5 matches)
> >>>>    20 permit udp any any reflect REFLEXIVE
> >>>>    30 permit tcp any any reflect REFLEXIVE (17 matches)
> >>>>    40 deny ip any any log
> >>>>
> >>>> Extended IP access list FIREWALL
> >>>>    5 permit icmp any any echo-reply
> >>>>    10 permit udp any any eq rip (171 matches)
> >>>>    20 permit tcp any any eq bgp
> >>>>    30 permit tcp any eq bgp any (63 matches)
> >>>>    40 permit tcp any eq telnet any (64 matches)
> >>>>    60 evaluate REFLEXIVE
> >>>>    70 deny ip any any log (80 matches)
> >>>>
> >>>> ANALYZE is set on the outbound direction of e0/0, FIREWALL on the
> >>>> inbound of e0/0. Everything works as it should (task 8.1 of lab 5 of
> >>>> IE Vol 2) but...
> >>>>
> >>>> when I do a local ping to E0/0 the packets are denied (!). If I add a
> >>>> line to FIREWALL:
> >>>>
> >>>> 7 permit icmp any any echo
> >>>>
> >>>> the ping works.
> >>>>
> >>>> How does a router process a ping to a local interface? Does it
> >>>> consider locally originated traffic as inbound traffic? This is the
> >>>> only explanation I can come up with, other than a bug on IOS
> >>>> (12.4(13b) on a 3640).
> >>>>
> >>>> Thanks to anyone that can shed a light into this.
> >>>>
> >>>> Regards,
> >>>> Alex
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >
>
> --
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: tscottipexpert.com
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
> Demand and Audio Certification Training Tools for the Cisco CCIE R&S
> Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and
> CCIE Storage Lab Certifications.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=131810&t=131810
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

