04-17-2009 10:26 AM - edited 03-06-2019 05:15 AM
I have an 1800 series router configured with reflexive ACLs that is working just fine for traffic passing between the internal and external interfaces.
The issue I'm having is that if I ping or use DNS from the IOS command line, the traffic doesn't appear to get added to the reflexive ACL for the inbound interface. It's as if traffic from IOS itself bypasses my outbound ACL. How do I resolve this?
If I just put permit ip any any on the inbound ACL, everything works, but that defeats the purpose of my original reflexive ACL.
Thanks, Simon
04-17-2009 10:29 AM
Simon
"It's as if traffic from IOS itself bypasses my outbound ACL. How do I resolve this?"
This is exactly what happens, i.e. an outbound ACL has no effect on traffic originated by the router. This is normal behaviour, so you don't really resolve it.
Jon
04-17-2009 10:31 AM
Ok, thanks - saved me a lot of time.
Simon
04-17-2009 10:38 AM
Simon
In fact, packets generated by the router itself do bypass outbound access lists. I have not been in this particular situation, so I do not have any solution from experience. But it seems to me that you certainly do not want permit ip any any, but perhaps you can develop a list of the things that you do send from the router and put in permits for that specific traffic to that specific destination address. Or perhaps you might put in:
permit ip any host
which would permit only things addressed to the router interface.
HTH
Rick
04-17-2009 10:59 AM
Yes, I plan on constructing ACLs for the specific things I need, mainly DNS. The issue with an ACL for the outside interface is that it's a DHCP-enabled WAN port, so I don't have the IP address as a constant value.
So for DNS it has to be:
permit udp host
Simon
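A worked configuration of the approach Rick and Simon describe, added here as an example and not posted by either of them: the reflexive ACL pair on the WAN interface, plus the static inbound permits that router-originated DNS and ping need, written with a destination of "any" because the DHCP-assigned WAN address cannot be named. The interface names, the LAN subnet, the resolver address 203.0.113.53 and the timeouts are all assumptions for the example.

```cisco
! Constructed example (not from the thread): 1800-series IOS router,
! FastEthernet0 = DHCP-assigned WAN, Vlan1 = LAN. Addresses are assumed.
ip domain lookup
ip name-server 203.0.113.53          ! assumed upstream resolver

! Outbound (LAN -> WAN) list on the WAN interface. Transit sessions create
! reflexive entries in REFLECT; router-originated packets never pass
! through this list, which is why they get no entry.
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT timeout 300
 permit udp any any reflect REFLECT timeout 60
 permit icmp any any reflect REFLECT timeout 30
 permit ip any any

! Inbound (WAN -> router/LAN) list on the WAN interface.
ip access-list extended INBOUND
 ! 1. DHCP lease exchange for the WAN port itself. Permitted explicitly so
 !    the router can obtain and renew its address through this ACL.
 permit udp any eq bootps any eq bootpc
 ! 2. Replies to DNS queries the router itself sent (no reflexive entry
 !    exists for them). Source host and port are the only constants, so
 !    the destination has to be "any".
 permit udp host 203.0.113.53 eq domain any
 ! 3. Replies to pings sent from the IOS CLI, plus the error types a
 !    router-originated ping or traceroute relies on.
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 ! 4. Everything else must match a reflexive entry built by OUTBOUND.
 evaluate REFLECT
 deny ip any any log

interface FastEthernet0
 description WAN (DHCP-assigned address)
 ip address dhcp
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

The static entries are deliberately narrow: they match on the resolver's source address and UDP port 53 rather than on the router's unknown address, so the only extra exposure compared with a reflexive entry is that any host on the inside could receive unsolicited UDP/53 traffic from that one resolver. To confirm the behaviour, ping and resolve a name from the CLI with `debug ip packet` or `show ip access-lists REFLECT` and observe that no reflexive entry appears for the router's own traffic while the static permits count hits.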