Velocity Reviews > Newsgroups > Computing > Cisco > Reflective ACL
Reflective ACL

 
 
Gordon Montgomery
06-21-2005
I changed routers from a 2611 running 12.2 to a 2811 running
12.3(11)T3. I moved the 16 port async module from the 2611 to
the 2811 and used the same programming for the ports. I can
successfully connect to the external modems connected to the
async ports and I can ping around the internal network just fine.
However, when I try to ping outside the router, it fails. I use ACLs
for in and out. The out list's last line (after many specific denies) is
a permit ip any any reflect listname. It worked just fine on the
2611, but I never see an entry in the reflective list at all. If I disable
the ACLs, I can successfully ping outside the router, but of course
that leaves my network wide open. Is this a bug or am I missing
something that changed between the versions?

Thanks,


Gordon Montgomery
Living Scriptures, Inc
(E-Mail Removed) (anti spam - replace lsi with livingscriptures)
(801) 627-2000
 
aservin
06-22-2005
Can we see the configuration of the interface and the ACL?

-asn

 
Gordon Montgomery
06-22-2005
In article <(E-Mail Removed).com>, "aservin" <(E-Mail Removed)> wrote:
>Can we see the configuration of the interface and the ACL?
>
>-asn
>


Sure, but it's long...



!
interface FastEthernet0/0
ip address A.B.C.1 255.255.255.0
duplex half
speed auto
!
interface FastEthernet0/1
ip address 10.0.10.1 255.255.255.0
shutdown
duplex half
speed auto
!
interface Serial0/0/0
description Broadband
ip address A.B.D.46 255.255.255.252
ip access-group broadfilterin in
ip access-group broadoutjjok out
crypto map SDM_CMAP_1
!
interface Async1/0
ip unnumbered FastEthernet0/0
encapsulation ppp
async mode interactive
peer default ip address A.B.C.239
ppp authentication chap
routing dynamic
!
interface Async1/1
ip unnumbered FastEthernet0/0
encapsulation ppp
async dynamic routing
async mode interactive
peer default ip address A.B.C.240
ppp authentication chap ms-chap pap
!
interface Async1/2
ip unnumbered FastEthernet0/0
encapsulation ppp
async dynamic routing
async mode interactive
peer default ip address A.B.C.241
ppp authentication chap ms-chap pap
!


And the ACLs


ip access-list extended broadfilterin
;
; Deny private ip
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 7.255.255.255 any
deny ip host 0.0.0.0 any
;
; Deny our own spoofed addresses
deny ip A.B.C.0 0.0.0.255 any
;
; Deny some microsoft holes
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 445
deny tcp any any eq 593
;
; Main Servers
permit tcp any host A.B.C.10 eq ftp
permit tcp any host A.B.C.30 eq www
permit tcp any host A.B.C.30 eq 443
permit tcp any host A.B.C.14 eq www
permit tcp any host A.B.C.14 eq 443
permit tcp any host A.B.C.45 eq ftp
permit tcp any host A.B.C.34 eq www
permit tcp any host A.B.C.46 eq www
permit tcp any host A.B.C.46 eq 443
permit tcp any host A.B.C.49 eq www
permit tcp any host A.B.C.49 eq 443
permit tcp any host A.B.C.47 eq www
permit tcp any host A.B.C.37 eq www
permit tcp any host A.B.C.37 eq ftp
permit tcp any host A.B.C.38 eq www
permit tcp any host A.B.C.39 eq www
permit tcp any host A.B.C.31 eq www
permit tcp any host A.B.C.31 eq ftp
permit tcp any host A.B.C.41 eq ftp
permit tcp any host A.B.C.41 eq www
;
; Nameservers
permit udp any host A.B.C.10 eq domain
permit udp any host A.B.C.11 eq domain
permit udp any eq domain host A.B.C.10
permit udp any eq domain host A.B.C.11
;
; Mail Servers
permit tcp any host A.B.C.14 eq pop3
permit tcp any host A.B.C.14 eq smtp
permit tcp any eq smtp host A.B.C.12
permit tcp any eq smtp host A.B.C.77
permit tcp any eq smtp host A.B.C.10
permit tcp any eq smtp host A.B.C.15
permit tcp any eq smtp host A.B.C.14
permit icmp any any unreachable
permit icmp any any ttl-exceeded
permit icmp any any traceroute
permit udp any any eq ntp
;
; Check for outgoing connections
evaluate broadnetout




ip access-list extended broadoutjjok
;
; Deny private ips from leaving
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
;
; Deny some microsoft holes
deny tcp any any eq 135 log
deny udp any any eq 135 log
deny tcp any any eq 137 log
deny udp any any eq 137
deny tcp any any eq 445 log
deny tcp any any eq 593 log
; Permit Main Servers and services
permit tcp host A.B.C.14 eq www any
permit tcp host A.B.C.14 eq 443 any
permit tcp host A.B.C.30 eq www any
permit tcp host A.B.C.30 eq 443 any
permit tcp host A.B.C.34 eq www any
permit tcp host A.B.C.46 eq www any
permit tcp host A.B.C.46 eq 443 any
permit tcp host A.B.C.47 eq www any
permit tcp host A.B.C.37 eq www any
permit tcp host A.B.C.37 eq ftp any
permit tcp host A.B.C.38 eq www any
permit tcp host A.B.C.39 eq www any
permit udp host A.B.C.10 eq domain any
permit udp host A.B.C.11 eq domain any
permit udp host A.B.C.11 any eq domain
permit udp host A.B.C.10 any eq domain
permit tcp host A.B.C.12 eq smtp any
permit tcp host A.B.C.12 eq pop3 any
permit tcp host A.B.C.41 eq www any
; Only let main mail servers out on SMTP
permit tcp host A.B.C.14 any eq SMTP
permit tcp host A.B.C.14 eq SMTP any
permit tcp host A.B.C.10 any eq SMTP
permit tcp host A.B.C.12 any eq SMTP
permit tcp host A.B.C.15 any eq SMTP
permit tcp host A.B.C.15 eq SMTP any
permit tcp host A.B.C.45 any eq SMTP
permit tcp host A.B.C.77 any eq SMTP
deny tcp any any eq SMTP log
; Permit everything else
permit ip any any reflect broadnetout


The difference between Async1/0 and the others is just me
trying different configs. They all were identical. This config
was working great on the 2611.

Thanks,


Gordon Montgomery
Living Scriptures, Inc
(E-Mail Removed) (anti spam - replace lsi with livingscriptures)
(801) 627-2000
 
aservin
06-23-2005
In broadfilterin you are not allowing ICMP. Even if the packet "leaves" the
network, you must have a permit statement to let it in. ICMP is
different from TCP and UDP: there you just allowed the leaving and the
router "learns" about it, and when the packet comes back it is allowed
automatically; with ICMP it is not. This is only valid for reflexive ACLs.

-as

 
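The mechanism aservin is describing, as an added toy model that is not code from this thread and not Cisco IOS code: an outbound permit carrying a reflect keyword creates a temporary mirrored entry (source and destination, plus ports, swapped) in a named reflexive list, and an inbound evaluate line permits a packet only when it matches one of those entries; anything else falls to the implicit deny. The ACLs and addresses below are constructed (documentation ranges stand in for the poster's A.B.C.0/24; only the list name broadnetout is borrowed from the thread), the model has no entry timeouts, and it mirrors addresses and ports for whatever protocol reaches the reflect line without settling how IOS itself treats ICMP, which the thread leaves open. The last case shows one way a reflexive list stays empty: a packet stopped by an earlier deny never reaches the reflect line, so nothing is learned and its return traffic is dropped too.

```python
"""Toy model of reflexive ACL semantics (constructed example, not Cisco IOS code).

An outbound 'permit ... reflect NAME' entry that matches a packet creates a
temporary mirrored entry in reflexive list NAME.  An inbound 'evaluate NAME'
entry permits a packet only if it matches one of those mirrored entries.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0      # 0 = no port (e.g. ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry; action is 'permit', 'deny' or 'evaluate'."""
    action: str
    proto: str = "ip"               # "ip" matches every protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    sport: Optional[int] = None     # None = any port
    dport: Optional[int] = None
    reflect: Optional[str] = None   # reflexive list to populate on match
    evaluate: Optional[str] = None  # reflexive list to consult

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def mirror_of(p: Packet) -> Ace:
    """The temporary entry a reflect line creates: the return direction of p."""
    return Ace("permit", p.proto, ip_network(p.dst), ip_network(p.src),
               p.dport, p.sport)


def apply_acl(acl, p, reflexive):
    """Walk the ACL top-down; reflexive maps list name -> mirrored entries."""
    for ace in acl:
        if ace.action == "evaluate":
            if any(m.matches(p) for m in reflexive.get(ace.evaluate, [])):
                return "permit"
            continue                    # nothing learned for this flow: keep walking
        if ace.matches(p):
            if ace.action == "permit" and ace.reflect:
                reflexive.setdefault(ace.reflect, []).append(mirror_of(p))
            return ace.action
    return "deny"                       # implicit deny at the end of every ACL


def show_reflexive(reflexive, name):
    """Readable view of the temporary entries, in the spirit of 'show access-lists'."""
    return [f"permit {m.proto} host {m.src.network_address} eq {m.sport} "
            f"host {m.dst.network_address} eq {m.dport}"
            for m in reflexive.get(name, [])]


# Constructed ACLs shaped like the thread's pair (name borrowed, rules cut down).
# 203.0.113.0/24 stands in for the poster's A.B.C.0/24; 198.51.100.5 is an outside host.
OUTBOUND = [                                                   # 'out' on the WAN side
    Ace("deny", "ip", src=ip_network("10.0.0.0/8")),           # private source never leaves
    Ace("permit", "ip", reflect="broadnetout"),                # everything else, tracked
]
INBOUND = [                                                    # 'in' on the WAN side
    Ace("permit", "tcp", dst=ip_network("203.0.113.30/32"), dport=80),  # public web server
    Ace("evaluate", evaluate="broadnetout"),                            # learned return traffic
]


def run_scenario():
    reflexive = {}
    r = {}
    # Inside host opens a TCP connection outward: matches the reflect line.
    r["out_tcp"] = apply_acl(OUTBOUND, Packet("tcp", "203.0.113.239", "198.51.100.5", 51000, 80), reflexive)
    # The server's reply is accepted through 'evaluate' because the mirror now exists.
    r["return_tcp"] = apply_acl(INBOUND, Packet("tcp", "198.51.100.5", "203.0.113.239", 80, 51000), reflexive)
    # Same peer, different client port: no mirror, so the implicit deny applies.
    r["unsolicited"] = apply_acl(INBOUND, Packet("tcp", "198.51.100.5", "203.0.113.239", 80, 52000), reflexive)
    # A static permit works regardless of the reflexive list.
    r["web_server"] = apply_acl(INBOUND, Packet("tcp", "198.51.100.5", "203.0.113.30", 33000, 80), reflexive)
    # Stopped by an earlier deny, this packet never reaches the reflect line: no
    # entry is created, and its return traffic is denied as well.
    r["out_private"] = apply_acl(OUTBOUND, Packet("udp", "10.0.10.7", "198.51.100.5", 40000, 53), reflexive)
    r["return_private"] = apply_acl(INBOUND, Packet("udp", "198.51.100.5", "10.0.10.7", 53, 40000), reflexive)
    r["entries"] = show_reflexive(reflexive, "broadnetout")
    return r


if __name__ == "__main__":
    print(run_scenario())
```

Running it prints one learned entry for the TCP flow and "deny" for the unsolicited and private-source cases; when debugging a list that never fills, the useful question this model makes concrete is whether the outbound packet actually reaches the reflect line at all, rather than being matched by something above it.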
Gordon Montgomery
06-23-2005
In article <(E-Mail Removed).com>, "aservin" <(E-Mail Removed)> wrote:
>In broadfilterin you are not allowing ICMP. Even if the packet "leaves" the
>network, you must have a permit statement to let it in. ICMP is
>different from TCP and UDP: there you just allowed the leaving and the
>router "learns" about it, and when the packet comes back it is allowed
>automatically; with ICMP it is not. This is only valid for reflexive ACLs.
>
>-as
>

Did something change between the 2611 @ ver 12.2 and the 2811
@ ver 12.3? Because those lists and ports worked just fine on the
2611. It is not just ICMP that is stopped now, nothing from the ASYNC
ports gets inserted into the reflexive list at all. I'm inclined to call
it a bug and open a TAC case for it. I just thought I would check
here first.

Thanks,


Gordon Montgomery
Living Scriptures, Inc
(E-Mail Removed) (anti spam - replace lsi with livingscriptures)
(801) 627-2000
 