Velocity Reviews - Computer Hardware Reviews

Problem with reflect list

 
 
jonr944@hotmail.com
Guest
Posts: n/a
 
      06-03-2005
Hi all,

I've just started learning IOS and have run into a brick wall already.
I'm currently playing with reflexive access lists and have set up a
simple example, but I can't seem to get it to allow packets back into the
network (I think).

Anyway, here's my config (excuse the mess of it, I'm new and it's only
being used on my subnet).

Current configuration : 1273 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Border
!
enable secret 5 $1$s7f8$/xk5kaC6jLSyVy9pMBN/x.
!
ip subnet-zero
no ip source-route
!
!
ip domain-name test.org
!use netgear adsl router as dns server
ip name-server 192.168.0.1
!
ip reflexive-list timeout 200
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description External interface
ip address 192.168.0.100 255.255.255.0
ip access-group infilter in
ip access-group outfilter out
no ip unreachables
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip unreachables
shutdown
duplex auto
speed auto
no cdp enable
!
router rip
network 192.168.0.0
network 192.168.1.0
!
ip classless
no ip http server
!
!
ip access-list extended infilter
evaluate tmprlist
deny ip any any log
ip access-list extended outfilter
permit ip any any reflect tmprlist
deny ip any any log
ip access-list extended outlist
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 30 0
line aux 0
line vty 0
password 7 011D0906590E14
login
line vty 1
password 7 011E0F0A5C0E
login
transport input telnet
line vty 2 4
password 7 082F434C0B1C17
login
!
end


OK I know there's lots wrong in there but what is stopping the
reflexive lists working?

If I ping out I get:
Border#ping 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.
00:18:26: %SEC-6-IPACCESSLOGDP: list infilter denied icmp 192.168.0.1 -> 192.168.0.100 (0/0), 1 packet
....
Success rate is 0 percent (0/5)

Which seems to suggest the packet got out, but wasn't allowed back.
This might be handy too:
Border#sh access-lists
Extended IP access list infilter
evaluate tmprlist
deny ip any any log (59 matches)
Extended IP access list outfilter
permit ip any any reflect tmprlist
deny ip any any log
Extended IP access list outlist
Reflexive IP access list tmprlist


If anyone can tell me my n00b mistake, I'd be most grateful. It's
driving me nuts.

Thanks!!

Jon

 
TC
Guest
Posts: n/a
 
      06-04-2005
You are trying to ping from the local router. The reflexive list only
seems to work with traffic passing through the router, not with traffic
originated locally.

/TC

aservin
Guest
Posts: n/a
 
      06-05-2005
The reflexive ACLs make the router act as a stateful FW. You need to
permit the ICMP in the in ACL; now you are denying everything from the
outside, because the router does not recognize the ICMP echo reply as a
response to the echo originated from your network. For TCP and UDP
you do not need to permit traffic since you are doing it from the out ACL.
The case is that ICMP is like an exception, so you need to permit it.

-as
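A corrected version of the posted filters, written as an added example (not from the thread or from Cisco documentation) that follows both replies: test the reflexive list with transit traffic from a host behind FastEthernet0/1, and explicitly permit the few replies the router itself needs, since its own CLI pings are never reflected. It assumes the hostname, ACL names and addresses from the posted config plus one test host, 192.168.1.10, which is not in the original.

```cisco
! Added example (not from the thread). Assumes the posted names and
! addresses plus one test host, 192.168.1.10, behind FastEthernet0/1.
!
! Outbound ACLs on Fa0/0 do not see packets the router itself originates,
! so "Border#ping" from the CLI never creates a tmprlist entry. Transit
! traffic from an inside host does, so bring the inside interface up.
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Inbound filter: reflected entries first, then the few router-destined
! replies that are never reflected, then the logging deny.
ip access-list extended infilter
 evaluate tmprlist
 remark replies to the router's own pings (CLI ping is not reflected)
 permit icmp any host 192.168.0.100 echo-reply
 permit icmp any host 192.168.0.100 time-exceeded
 permit icmp any host 192.168.0.100 unreachable
 remark answers from the configured name-server (UDP source port 53)
 permit udp host 192.168.0.1 eq domain host 192.168.0.100
 deny ip any any log
!
! Outbound filter unchanged: every transit session creates a tmprlist entry
! with source and destination swapped, kept for the 200 s configured by
! "ip reflexive-list timeout 200".
ip access-list extended outfilter
 permit ip any any reflect tmprlist
 deny ip any any log
!
! Check from the test host (ping 192.168.0.1 from 192.168.1.10), then:
!   Border#show access-lists tmprlist
! A temporary entry of the form
!   permit icmp host 192.168.0.1 host 192.168.1.10 (time left ...)
! shows the reflexive list working; the CLI ping alone never produces one.
```

The explicit inbound permits are scoped to the router's own address (192.168.0.100) so they do not widen what the reflexive list lets back in for the inside hosts.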

 