Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
444
Views
0
Helpful
3
Replies

Reflexive access-list is working bad

pavelsh_ucs
Level 1
Level 1

‎04-03-2009 07:50 AM - edited ‎03-04-2019 04:13 AM

Hello!

I need to setup stateful firewall in cisco ios. I've set up reflexive access list.

Config very simple.

ip access-list extended ref-acl-in

evaluate ref-acl

ip access-list extended ref-acl-out

permit ip any any reflect ref-acl

!

interface Vlan12

ip address 10.68.0.1 255.255.0.0

ip access-group ref-acl-in in

ip access-group ref-acl-out out

!

Interface vlan 12 is (outer) vlan. I want to deny any incoming connections from this vlan.

After setup I was checking

C:\>ping 10.68.0.2

Pinging 10.68.0.2 with 32 bytes of data:

Reply from 10.68.0.2: bytes=32 time=154ms TTL=126

Reply from 10.68.0.2: bytes=32 time=139ms TTL=126

Request timed out.

Request timed out.

Ping statistics for 10.68.0.2:

Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),

Approximate round trip times in milli-seconds:

Minimum = 139ms, Maximum = 154ms, Average = 146ms

It's strange. Losses in traffic.

I'm check access-lists. See (my address is 10.30.0.144):

Reflexive IP access list ref-acl

permit icmp host 10.68.0.2 host 10.67.10.251 (7 matches) (time left 299)

permit icmp host 10.68.0.2 host 10.67.1.252 (100 matches) (time left 235)

permit icmp host 10.68.0.2 host 10.30.8.65 (956 matches) (time left 299)

permit icmp host 10.68.0.2 host 10.30.0.144 (51 matches) (time left 299)

Extended IP access list ref-acl-in

10 evaluate ref-acl

Extended IP access list ref-acl-out

10 permit ip any any reflect ref-acl (575 matches)

Without acl ping working fine:

C:\>ping 10.68.0.2

Pinging 10.68.0.2 with 32 bytes of data:

Reply from 10.68.0.2: bytes=32 time=104ms TTL=126

Reply from 10.68.0.2: bytes=32 time=129ms TTL=126

Reply from 10.68.0.2: bytes=32 time=132ms TTL=126

Reply from 10.68.0.2: bytes=32 time=82ms TTL=126

Ping statistics for 10.68.0.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 82ms, Maximum = 132ms, Average = 111ms

So. I think remove reflexive acl by ip inspect? Or I was wrong?

Regards,

Pavel

Labels:
0 Helpful
3 Replies 3

ralphcarter
Level 1
Level 1

‎04-03-2009 09:22 AM

Sorry didnt read your post correctly :)

CCIE 26175
www.techsnips.com
0 Helpful

pavelsh_ucs
Level 1
Level 1
In response to ralphcarter

‎04-03-2009 09:28 AM

Thank you for response.

My ping responds from time to time.

Why ping should stop responding?

It's responding. But from time to time.

I don't want write about icmp in my acl rules because I want to test how works reflexive acl. I can test it by ping only.

0 Helpful

ralphcarter
Level 1
Level 1
In response to pavelsh_ucs

‎04-03-2009 09:41 AM

Where is the box connected from where you ping this IP?

Meaning, you need to see if it is actually inbound or outbound. If you have a switch and 2 pcs connected to this switch.

PC2 in vlan 2 and PC3 on vlan 3. PC2 wants to ping PC3.

PC2 sends packet inbound on its port or interface vlan and then this goes outbound to the port PC3 is connected on or the interface vlan.

So you need to check this properly and then see how the acl works.

CCIE 26175
www.techsnips.com
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card