Problem with reflect list

Discussion in 'Cisco' started by jonr944@hotmail.com, Jun 3, 2005.

  1. Guest

    Hi all,

    I've just started learning IOS and have run into a brick wall already..
    I'm currently playing with reflexive access lists and have set up a
    simple example, but I can't seem to get it to allow packets back into the
    network (I think).

    Anyway, here's my config (excuse the mess of it, I'm new and it's only
    being used on my subnet :))

    Current configuration : 1273 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Border
    !
    enable secret 5 $1$s7f8$/xk5kaC6jLSyVy9pMBN/x.
    !
    ip subnet-zero
    no ip source-route
    !
    !
    ip domain-name test.org
    !use netgear adsl router as dns server
    ip name-server 192.168.0.1
    !
    ip reflexive-list timeout 200
    call rsvp-sync
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description External interface
    ip address 192.168.0.100 255.255.255.0
    ip access-group infilter in
    ip access-group outfilter out
    no ip unreachables
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    no ip unreachables
    shutdown
    duplex auto
    speed auto
    no cdp enable
    !
    router rip
    network 192.168.0.0
    network 192.168.1.0
    !
    ip classless
    no ip http server
    !
    !
    ip access-list extended infilter
    evaluate tmprlist
    deny ip any any log
    ip access-list extended outfilter
    permit ip any any reflect tmprlist
    deny ip any any log
    ip access-list extended outlist
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 30 0
    line aux 0
    line vty 0
    password 7 011D0906590E14
    login
    line vty 1
    password 7 011E0F0A5C0E
    login
    transport input telnet
    line vty 2 4
    password 7 082F434C0B1C17
    login
    !
    end


    OK I know there's lots wrong in there but what is stopping the
    reflexive lists working?

    If I ping out I get:
    Border#ping 192.168.0.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
    .
    00:18:26: %SEC-6-IPACCESSLOGDP: list infilter denied icmp 192.168.0.1 -> 192.168.0.100 (0/0), 1 packet
    ....
    Success rate is 0 percent (0/5)

    Which seems to suggest the packet got out, but wasn't allowed back.
    This might be handy too:
    Border#sh access-lists
    Extended IP access list infilter
    evaluate tmprlist
    deny ip any any log (59 matches)
    Extended IP access list outfilter
    permit ip any any reflect tmprlist
    deny ip any any log
    Extended IP access list outlist
    Reflexive IP access list tmprlist


    If anyone can tell me my n00b mistake, I'd be most grateful. It's
    driving me nuts :)

    Thanks!!

    Jon
    , Jun 3, 2005
    #1

  2. TC Guest

    You are trying to ping from the local router. The reflexive list only
    seems to work with traffic passing through the router, not with traffic
    originated locally.

    /TC

    <> wrote in message
    news:...
    TC, Jun 4, 2005
    #2

  3. aservin Guest

    The reflective ACLs make the router act as a stateful FW. You need to
    permit the ICMP in the in ACL; now you are denying everything from the
    outside, because the router does not recognize the ICMP echo reply as a
    response to the echo originated from your network. For TCP and UDP
    you do not need to permit traffic, since you are doing it from the out ACL.
    The case is that ICMP is like an exception, so you need to permit it.

    -as
    aservin, Jun 5, 2005
    #3
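A toy model of the point both replies make, added here as an illustration and not code from the thread or from IOS: TC's explanation that packets the router itself originates never traverse the outbound ACL (so `reflect tmprlist` creates no entry and `evaluate tmprlist` has nothing to match), and the effect of the explicit inbound ICMP permit aservin suggests. The transit host 192.168.1.10 behind Fa0/1 and the simplified flow matching are assumptions of the model.

```python
"""Toy model of the thread's ACLs, added here as an illustration; not IOS code.
Assumes: an outbound interface ACL is not applied to router-originated packets
(what TC describes); a reflexive entry is the mirror image of the outbound flow
(ICMP keyed on proto/src/dst only, having no ports); host 192.168.1.10 behind
Fa0/1 is made up for the transit case."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # ignored for icmp
    dport: int = 0       # ignored for icmp
    local: bool = False  # True for traffic the router itself originates ('Border#ping')

def _key(proto, src, dst, sport, dport):
    return (proto, src, dst) if proto == "icmp" else (proto, src, dst, sport, dport)

class Border:
    """Fa0/0: 'outfilter' out (permit ip any any reflect tmprlist) and
    'infilter' in (evaluate tmprlist, then deny ip any any log)."""
    def __init__(self, timeout=200, static_inbound=()):
        self.timeout = timeout                     # 'ip reflexive-list timeout 200'
        self.tmprlist = {}                         # expected reply flow -> expiry (seconds)
        self.static_inbound = set(static_inbound)  # e.g. {"icmp"}: a 'permit icmp any any' line

    def outbound(self, pkt, now):
        if not pkt.local:  # router-originated traffic never traverses outfilter, so
            reply = _key(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)  # only transit
            self.tmprlist[reply] = now + self.timeout                      # flows get reflected
        return "permit"

    def inbound(self, pkt, now):
        if pkt.proto in self.static_inbound:       # explicit permit placed before 'evaluate'
            return "permit"
        expiry = self.tmprlist.get(_key(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if expiry is not None and now < expiry:    # matched by 'evaluate tmprlist'
            return "permit"
        return "deny"                              # falls through to 'deny ip any any log'

def echo_reply_verdict(local_ping, reply_delay=1, static_inbound=()):
    """Verdict on the echo reply of a ping to 192.168.0.1 (the Netgear ADSL/DNS box)."""
    fw = Border(static_inbound=static_inbound)
    src = "192.168.0.100" if local_ping else "192.168.1.10"
    fw.outbound(Packet("icmp", src, "192.168.0.1", local=local_ping), now=0)
    return fw.inbound(Packet("icmp", "192.168.0.1", src), now=reply_delay)
```

Pinging from `Border#` itself yields "deny" (the logged `%SEC-6-IPACCESSLOGDP` case), while the same ping from a host behind the router, or a router ping with an inbound `icmp` permit, yields "permit".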
