Reflective ACL

Discussion in 'Cisco' started by Gordon Montgomery, Jun 21, 2005.

  1. I changed routers from a 2611 running 12.2 to a 2811 running
    12.3(11)T3. I moved the 16 port async module from the 2611 to
    the 2811 and used the same programming for the ports. I can
    successfully connect to the external modems connected to the
    async ports and I can ping around the internal network just fine.
    However, when I try to ping outside the router, it fails. I use ACLs
    for in and out. The out list's last line (after many specific denies) is
    a permit ip any any reflect listname. It worked just fine on the
    2611, but I never see an entry in the reflective list at all. If I disable
    the ACLs, I can successfully ping outside the router, but of course
    that leaves my network wide open. Is this a bug or am I missing
    something that changed between the versions?

    Thanks,


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
     
    Gordon Montgomery, Jun 21, 2005
    #1

  2. aservin

    Can we see the configuration of the interface and the ACL?

    -asn
     
    aservin, Jun 22, 2005
    #2

  3. In article <>, "aservin" <> wrote:
    >Can we see the configuration of the interface and the ACL?
    >
    >-asn
    >


    Sure, but it's long.....



    !
    interface FastEthernet0/0
    ip address A.B.C.1 255.255.255.0
    duplex half
    speed auto
    !
    interface FastEthernet0/1
    ip address 10.0.10.1 255.255.255.0
    shutdown
    duplex half
    speed auto
    !
    interface Serial0/0/0
    description Broadband
    ip address A.B.D.46 255.255.255.252
    ip access-group broadfilterin in
    ip access-group broadoutjjok out
    crypto map SDM_CMAP_1
    !
    interface Async1/0
    ip unnumbered FastEthernet0/0
    encapsulation ppp
    async mode interactive
    peer default ip address A.B.C.239
    ppp authentication chap
    routing dynamic
    !
    interface Async1/1
    ip unnumbered FastEthernet0/0
    encapsulation ppp
    async dynamic routing
    async mode interactive
    peer default ip address A.B.C.240
    ppp authentication chap ms-chap pap
    !
    interface Async1/2
    ip unnumbered FastEthernet0/0
    encapsulation ppp
    async dynamic routing
    async mode interactive
    peer default ip address A.B.C.241
    ppp authentication chap ms-chap pap
    !


    And the ACLs


    ip access-list extended broadfilterin
    ;
    ; Deny private ip
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 255.0.0.0 0.255.255.255 any
    deny ip 224.0.0.0 7.255.255.255 any
    deny ip host 0.0.0.0 any
    ;
    ; Deny our own spoofed addresses
    deny ip A.B.C.0 0.0.0.255 any
    ;
    ; Deny some microsoft holes
    deny tcp any any eq 135
    deny udp any any eq 135
    deny tcp any any eq 445
    deny tcp any any eq 593
    ;
    ; Main Servers
    permit tcp any host A.B.C.10 eq ftp
    permit tcp any host A.B.C.30 eq www
    permit tcp any host A.B.C.30 eq 443
    permit tcp any host A.B.C.14 eq www
    permit tcp any host A.B.C.14 eq 443
    permit tcp any host A.B.C.45 eq ftp
    permit tcp any host A.B.C.34 eq www
    permit tcp any host A.B.C.46 eq www
    permit tcp any host A.B.C.46 eq 443
    permit tcp any host A.B.C.49 eq www
    permit tcp any host A.B.C.49 eq 443
    permit tcp any host A.B.C.47 eq www
    permit tcp any host A.B.C.37 eq www
    permit tcp any host A.B.C.37 eq ftp
    permit tcp any host A.B.C.38 eq www
    permit tcp any host A.B.C.39 eq www
    permit tcp any host A.B.C.31 eq www
    permit tcp any host A.B.C.31 eq ftp
    permit tcp any host A.B.C.41 eq ftp
    permit tcp any host A.B.C.41 eq www
    ;
    ; Nameservers
    permit udp any host A.B.C.10 eq domain
    permit udp any host A.B.C.11 eq domain
    permit udp any eq domain host A.B.C.10
    permit udp any eq domain host A.B.C.11
    ;
    ; Mail Servers
    permit tcp any host A.B.C.14 eq pop3
    permit tcp any host A.B.C.14 eq smtp
    permit tcp any eq smtp host A.B.C.12
    permit tcp any eq smtp host A.B.C.77
    permit tcp any eq smtp host A.B.C.10
    permit tcp any eq smtp host A.B.C.15
    permit tcp any eq smtp host A.B.C.14
    permit icmp any any unreachable
    permit icmp any any ttl-exceeded
    permit icmp any any traceroute
    permit udp any any eq ntp
    ;
    ; Check for outgoing connections
    evaluate broadnetout




    ip access-list extended broadoutjjok
    ;
    ; Deny private ips from leaving
    deny ip 192.168.0.0 0.0.255.255 any log
    deny ip 172.16.0.0 0.15.255.255 any log
    deny ip 10.0.0.0 0.255.255.255 any log
    deny ip any 192.168.0.0 0.0.255.255 log
    deny ip any 172.16.0.0 0.15.255.255 log
    deny ip any 10.0.0.0 0.255.255.255 log
    ;
    ; Deny some microsoft holes
    deny tcp any any eq 135 log
    deny udp any any eq 135 log
    deny tcp any any eq 137 log
    deny udp any any eq 137
    deny tcp any any eq 445 log
    deny tcp any any eq 593 log
    ; Permit Main Servers and services
    permit tcp host A.B.C.14 eq www any
    permit tcp host A.B.C.14 eq 443 any
    permit tcp host A.B.C.30 eq www any
    permit tcp host A.B.C.30 eq 443 any
    permit tcp host A.B.C.34 eq www any
    permit tcp host A.B.C.46 eq www any
    permit tcp host A.B.C.46 eq 443 any
    permit tcp host A.B.C.47 eq www any
    permit tcp host A.B.C.37 eq www any
    permit tcp host A.B.C.37 eq ftp any
    permit tcp host A.B.C.38 eq www any
    permit tcp host A.B.C.39 eq www any
    permit udp host A.B.C.10 eq domain any
    permit udp host A.B.C.11 eq domain any
    permit udp host A.B.C.11 any eq domain
    permit udp host A.B.C.10 any eq domain
    permit tcp host A.B.C.12 eq smtp any
    permit tcp host A.B.C.12 eq pop3 any
    permit tcp host A.B.C.41 eq www any
    ; Only let main mail servers out on SMTP
    permit tcp host A.B.C.14 any eq SMTP
    permit tcp host A.B.C.14 eq SMTP any
    permit tcp host A.B.C.10 any eq SMTP
    permit tcp host A.B.C.12 any eq SMTP
    permit tcp host A.B.C.15 any eq SMTP
    permit tcp host A.B.C.15 eq SMTP any
    permit tcp host A.B.C.45 any eq SMTP
    permit tcp host A.B.C.77 any eq SMTP
    deny tcp any any eq SMTP log
    ; Permit everything else
    permit ip any any reflect broadnetout


    The difference between Async1/0 and the others is just me
    trying different configs. They all were identical. This config
    was working great on the 2611.

    Thanks,


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
     
    Gordon Montgomery, Jun 22, 2005
    #3
  4. aservin

    In broadfilterin you are not allowing ICMP. Even when the packet "leaves" the
    network, you must have a permit statement to let it back in; ICMP is
    different from TCP and UDP, where you just allowed the leaving and the
    router "learns" about it, and when the packet comes back it is allowed
    automatically; with ICMP it is not. This is only valid for reflexive ACLs.

    -as
     
    aservin, Jun 23, 2005
    #4
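    The mechanism aservin describes, as an added toy model written for this page (not code from the thread and not IOS): an outbound permit carrying reflect mirrors the matching session into a temporary list, and the inbound list's evaluate line consults that list, with anything the static inbound entries do not cover and the mirror does not hold falling to the implicit deny. Which protocols get mirrored is the point the thread disputes, so it is the parameter `reflected`; the lists are cut-down versions of broadfilterin / broadoutjjok, and A.B.C.50, 203.0.113.5 and 198.51.100.9 are constructed addresses.

```python
# Constructed model of Cisco reflexive ACL evaluation (not IOS code). Outbound
# "permit ... reflect NAME" mirrors the session into temporary list NAME;
# the inbound list's "evaluate NAME" consults it. `reflected` = mirrored protocols.
from collections import namedtuple

ANY = "any"
Pkt = namedtuple("Pkt", "proto src sport dst dport")  # icmp: sport None, dport = type

def _match(rule, p):
    _, proto, src, sport, dst, dport = rule[:6]
    return (proto in (ANY, "ip", p.proto) and src in (ANY, p.src) and dst in (ANY, p.dst)
            and sport in (ANY, p.sport) and dport in (ANY, p.dport))

class Reflexive:
    """Temporary entries keyed by the tuple the returning packet will carry."""
    def __init__(self, reflected=("tcp", "udp"), timeout=300):
        self.reflected, self.timeout, self.entries = set(reflected), timeout, {}
    def add(self, p, now):  # called when an outbound 'reflect' entry matches
        if p.proto in self.reflected:
            self.entries[Pkt(p.proto, p.dst, p.dport, p.src, p.sport)] = now + self.timeout
    def permits(self, p, now):  # an expired entry counts as absent
        return self.entries.get(p, 0) > now

def check(rules, p, reflex, now, outbound=False):
    """Walk the list top-down as IOS does; implicit deny at the end."""
    for rule in rules:
        if rule[0] == "evaluate":
            if reflex.permits(p, now):
                return True
            continue
        if _match(rule, p):
            if outbound and rule[0] == "permit" and rule[-1] == "reflect":
                reflex.add(p, now)
            return rule[0] == "permit"
    return False

# Cut-down versions of the thread's broadfilterin / broadoutjjok lists.
IN_RULES = [("deny", "tcp", ANY, ANY, ANY, 445),
            ("permit", "icmp", ANY, ANY, ANY, "unreachable"),
            ("evaluate", "broadnetout")]
OUT_RULES = [("deny", "tcp", ANY, ANY, ANY, 445),
             ("permit", "ip", ANY, ANY, ANY, ANY, "reflect")]

def demo():  # constructed addresses; A.B.C.50 stands in for an inside host
    r = Reflexive()
    web, back = Pkt("tcp", "A.B.C.50", 40000, "203.0.113.5", 80), Pkt("tcp", "203.0.113.5", 80, "A.B.C.50", 40000)
    ping, pong = Pkt("icmp", "A.B.C.50", None, "203.0.113.5", "echo"), Pkt("icmp", "203.0.113.5", None, "A.B.C.50", "echo-reply")
    return {"web_out": check(OUT_RULES, web, r, 0, outbound=True),
            "web_reply": check(IN_RULES, back, r, 1),          # admitted via evaluate
            "web_reply_stale": check(IN_RULES, back, r, 600),  # mirror entry expired
            "smb_in": check(IN_RULES, Pkt("tcp", "198.51.100.9", 3333, "A.B.C.50", 445), r, 1),
            "ping_out": check(OUT_RULES, ping, r, 0, outbound=True),
            "ping_reply": check(IN_RULES, pong, r, 1)}         # no static permit, no mirror
```

    Note that the static deny lines sit above evaluate, so an inbound packet to port 445 is dropped even if a mirror entry existed for it, and the echo-reply is dropped because neither a static permit nor a mirror admits it.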
  5. Re: Reflexive ACL

    In article <>, "aservin" <> wrote:
    >In broadfilterin you are not allowing ICMP. Even when the packet "leaves" the
    >network, you must have a permit statement to let it back in; ICMP is
    >different from TCP and UDP, where you just allowed the leaving and the
    >router "learns" about it, and when the packet comes back it is allowed
    >automatically; with ICMP it is not. This is only valid for reflexive ACLs.
    >
    >-as
    >

    Did something change between the 2611 @ ver 12.2 and the 2811
    @ ver 12.3? Because those lists and ports worked just fine on the
    2611. It is not just ICMP that is stopped now, nothing from the ASYNC
    ports gets inserted into the reflexive list at all. I'm inclined to call
    it a bug and open a TAC case for it. I just thought I would check
    here first.

    Thanks,


    Gordon Montgomery
    Living Scriptures, Inc
    (anti spam - replace lsi with livingscriptures)
    (801) 627-2000
     
    Gordon Montgomery, Jun 23, 2005
    #5