Reflexive access list is working badly

Unanswered Question
Apr 3rd, 2009

Hello!

I need to set up a stateful firewall in Cisco IOS. I've set up a reflexive access list.

The config is very simple.

ip access-list extended ref-acl-in
 evaluate ref-acl
ip access-list extended ref-acl-out
 permit ip any any reflect ref-acl
!
interface Vlan12
 ip address 10.68.0.1 255.255.0.0
 ip access-group ref-acl-in in
 ip access-group ref-acl-out out
!

Interface VLAN 12 is the outer VLAN. I want to deny any incoming connections from this VLAN.

After the setup I was checking:

C:\>ping 10.68.0.2

Pinging 10.68.0.2 with 32 bytes of data:

Reply from 10.68.0.2: bytes=32 time=154ms TTL=126
Reply from 10.68.0.2: bytes=32 time=139ms TTL=126
Request timed out.
Request timed out.

Ping statistics for 10.68.0.2:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 139ms, Maximum = 154ms, Average = 146ms

It's strange. There are losses in traffic.

I checked the access lists. See (my address is 10.30.0.144):

Reflexive IP access list ref-acl
     permit icmp host 10.68.0.2 host 10.67.10.251 (7 matches) (time left 299)
     permit icmp host 10.68.0.2 host 10.67.1.252 (100 matches) (time left 235)
     permit icmp host 10.68.0.2 host 10.30.8.65 (956 matches) (time left 299)
     permit icmp host 10.68.0.2 host 10.30.0.144 (51 matches) (time left 299)
Extended IP access list ref-acl-in
    10 evaluate ref-acl
Extended IP access list ref-acl-out
    10 permit ip any any reflect ref-acl (575 matches)

Without the ACL, ping works fine:

C:\>ping 10.68.0.2

Pinging 10.68.0.2 with 32 bytes of data:

Reply from 10.68.0.2: bytes=32 time=104ms TTL=126
Reply from 10.68.0.2: bytes=32 time=129ms TTL=126
Reply from 10.68.0.2: bytes=32 time=132ms TTL=126
Reply from 10.68.0.2: bytes=32 time=82ms TTL=126

Ping statistics for 10.68.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 82ms, Maximum = 132ms, Average = 111ms

So, I think I should replace the reflexive ACL with ip inspect? Or am I wrong?

Regards,

Pavel
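As an added illustration (not part of the original post and not Cisco IOS code), here is a small Python model of the state that the `reflect`/`evaluate` pair in the config above maintains: an outbound packet through `ref-acl-out` installs a mirrored entry, and `ref-acl-in` only permits inbound packets that match a live entry. The addresses are taken from the thread; the 300 s idle timeout is assumed from the IOS default, which matches the "time left 299" shown in the output.

```python
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 300  # assumed IOS default reflexive timeout, in seconds


@dataclass(frozen=True)
class Pkt:
    proto: str        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0    # 0 for protocols without ports (ICMP)
    dport: int = 0


@dataclass
class ReflexiveAcl:
    """Temporary entries created by 'reflect ref-acl' and checked by 'evaluate ref-acl'."""
    timeout: int = DEFAULT_TIMEOUT
    entries: dict = field(default_factory=dict)  # mirrored tuple -> expiry time

    def _key(self, proto, src, dst, sport, dport):
        return (proto, src, dst, sport, dport)

    def reflect(self, p: Pkt, now: int) -> None:
        # Outbound packet: install its mirror image (src/dst and ports swapped).
        # For ICMP only the hosts are kept, as in 'permit icmp host 10.68.0.2 host 10.30.0.144'.
        self.entries[self._key(p.proto, p.dst, p.src, p.dport, p.sport)] = now + self.timeout

    def evaluate(self, p: Pkt, now: int) -> bool:
        # Inbound packet: permitted only if a live mirrored entry exists; a hit refreshes the idle timer.
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        key = self._key(p.proto, p.src, p.dst, p.sport, p.dport)
        if key in self.entries:
            self.entries[key] = now + self.timeout
            return True
        return False


def demo():
    acl = ReflexiveAcl()
    # Inner host 10.30.0.144 pings 10.68.0.2 out through Vlan12 -> reflect installs the mirror entry.
    acl.reflect(Pkt("icmp", "10.30.0.144", "10.68.0.2"), now=0)
    reply_ok = acl.evaluate(Pkt("icmp", "10.68.0.2", "10.30.0.144"), now=1)
    # Unsolicited echo from the outer VLAN to a host that sent nothing: denied by evaluate.
    unsolicited = acl.evaluate(Pkt("icmp", "10.68.0.2", "10.30.0.200"), now=1)
    # TCP mirrors the ports too, so a reply to a different client port does not match.
    acl.reflect(Pkt("tcp", "10.30.0.144", "10.68.0.2", 51000, 80), now=1)
    tcp_ok = acl.evaluate(Pkt("tcp", "10.68.0.2", "10.30.0.144", 80, 51000), now=2)
    tcp_bad = acl.evaluate(Pkt("tcp", "10.68.0.2", "10.30.0.144", 80, 51001), now=2)
    # Once the idle timeout has passed, even the legitimate reply is dropped.
    expired = acl.evaluate(Pkt("icmp", "10.68.0.2", "10.30.0.144"), now=302)
    return reply_ok, unsolicited, tcp_ok, tcp_bad, expired
```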

pavelsh_ucs Fri, 04/03/2009 - 09:28

Thank you for response.

My ping responds from time to time.

Why ping should stop responding?

It's responding. But from time to time.

I don't want to write ICMP rules into my ACL because I want to test how the reflexive ACL works. I can test it only by ping.

ralphcarter Fri, 04/03/2009 - 09:41

Where is the box connected from where you ping this IP?

Meaning, you need to see if it is actually inbound or outbound. Say you have a switch and 2 PCs connected to this switch:

PC2 in VLAN 2 and PC3 in VLAN 3. PC2 wants to ping PC3.

PC2 sends the packet inbound on its port or interface VLAN, and then it goes outbound on the port PC3 is connected to or on that interface VLAN.

So you need to check this properly and then see how the acl works.
