Hello, I'm testing reflexive access-lists.
I've got 3 routers: R1, R2 and R6.
R1 is the central router, and this is its relevant config:
interface serial1/0 --> to R2
 ip access-group PING-IN in
 ip access-group PING-OUT out
ip access-list extended PING-IN
 deny icmp any any log
 permit ip any any
ip access-list extended PING-OUT
 permit icmp any any reflect ICMP-REFLECT timeout 15
 permit ip any any
Now, R6 is connected to R1 serial 1/2 and is to be considered internal, whereas R2 is connected to serial 1/0 and has to be considered external.
As you can see, a ping from R6 to R2 would allow R2 to ping R6 within 15 seconds. Or at least this is what I would like to achieve.
For some reason, I always get U.U.U when pinging from R2.
I've tried to enable debug on R1:
ICMP: dst (192.168.2.6) administratively prohibited unreachable sent to 192.168.0.2
These IPs are the serial interface IPs on R6 and R2.
Checking the access-list with
show ip access-list
I can see that the source/destination IPs in the reflexive ACL are different (using loopbacks). Then I tried to specify the source IP as a ping parameter, but still no luck!
This problem is only the ping out from R6 to R2. Pinging R2 from R6 always works.
I've found many examples of reflexive ACLs, and comparing them with mine I don't see any difference.
I'm just trying to figure out what I'm doing wrong...
Your configuration looks good!!
Your existing setup should allow you to ping R2 from R6. You won't be able to ping R6 from R2.
R1 would evaluate ICMP traffic originating from the internal (R6) network, and the reflexive ACL will let the ICMP echo-replies from R2 back to R6.
If you are still having problems, then can you post the entire configuration of all 3 routers and clarify from which address you are pinging to what address.
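For reference, a complete reflexive-ACL pair on R1 as an added illustration (this is not the poster's config nor the reply's suggestion): the outbound ACL creates the temporary entries with `reflect`, and the inbound ACL has to consult them with `evaluate` ahead of its explicit ICMP deny, because a reflexive list that is never evaluated filters nothing and inbound echo-replies fall through to `deny icmp any any log`, which is what produces an "administratively prohibited" unreachable. Interface and ACL names follow the thread; the addresses are those quoted in the debug line above.

```cisco
! R1 - added example configuration, not the thread's own
!
! Outbound toward the external side (R2): each permitted ICMP packet
! from inside creates a temporary, mirrored entry in ICMP-REFLECT.
! The entry is keyed on the exact source/destination of the packet
! that triggered it, so replies to another address (for example a
! loopback used as ping source) will not match it.
ip access-list extended PING-OUT
 permit icmp any any reflect ICMP-REFLECT timeout 15
 permit ip any any
!
! Inbound from R2: check the temporary entries first, then deny the
! rest of ICMP. Without the evaluate line the reply from 192.168.0.2
! to 192.168.2.6 is dropped by the deny statement.
ip access-list extended PING-IN
 evaluate ICMP-REFLECT
 deny icmp any any log
 permit ip any any
!
interface Serial1/0
 ip access-group PING-IN in
 ip access-group PING-OUT out
```

While the 15-second timer is running, `show ip access-lists ICMP-REFLECT` lists the temporary entries and lets you compare their addresses with the ones the echo-reply actually carries.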