Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

reflexive acl not working

Narayana,

show ip access-lists iptraffic

Reflexive IP access list iptraffic

     permit tcp host 72.5.37.36 eq 443 host 128.59.238.108 eq 4270 (1 match) (time left 299)

thanks

Joseph

We have access lists set up for a remote site. The acls are applied to the following interface:

interface FastEthernet0/0.388
 description IMC LAN
 encapsulation dot1Q 388
 ip address 10.59.238.1 255.255.255.0 secondary
 ip address 128.59.238.1 255.255.255.0
 ip access-group chrys-reflex-inbound in
 ip access-group chrys-reflex-outbound out

The customer is trying to get to 72.5.37.36 - which is a citrix server.  When he initiates an http session to that host, the session times out and he never gets to the login page.  I've confirmed that the server is reachable from other locations.  If I remove the outbound acl from the interface, he is able to  reach the server.

If anyone can offer some insight as to why this is happening it would be greatly appreciated.

ip access-list extended chrys-reflex-inbound
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 reflect iptraffic
 permit ip 128.59.238.0 0.0.0.255 any reflect iptraffic
 permit ip host 0.0.0.0 any reflect iptraffic
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any any

ip access-list extended chrys-reflex-outbound
 permit tcp host 160.43.251.122 any eq 6464
 permit ip host 72.5.37.36 any
 permit tcp host 72.21.162.32 host 128.59.238.24 eq 5745
 permit tcp host 72.21.162.32 host 128.59.238.24 eq 2837
 remark RFA Access
 permit ip 66.151.213.0 0.0.0.255 any
 permit ip 64.74.40.0 0.0.0.255 any
 remark ECI Access
 permit tcp any host 128.59.238.12 eq smtp
 permit tcp any host 128.59.238.24 eq 443
 permit tcp any host 128.59.238.12 eq 443
 permit tcp any host 128.59.238.15 eq 443
 permit tcp any host 128.59.238.15 eq www
 permit tcp 205.228.12.128 0.0.0.127 host 128.59.238.13 eq ftp
 permit tcp 205.228.12.128 0.0.0.127 host 128.59.238.13 eq 443
 permit tcp 199.89.64.128 0.0.0.127 host 128.59.238.13 eq ftp
 permit tcp 199.89.64.128 0.0.0.127 host 128.59.238.13 eq 443
 permit tcp 208.62.27.0 0.0.0.255 any eq 11000
 permit tcp 208.62.27.0 0.0.0.255 any eq 11001
 permit tcp 208.62.27.0 0.0.0.255 any eq 11002
 permit tcp 208.62.27.0 0.0.0.255 any eq 11020
 permit tcp 63.99.207.0 0.0.0.255 any eq 11000
 permit tcp 63.99.207.0 0.0.0.255 any eq 11001
 permit tcp 63.99.207.0 0.0.0.255 any eq 11002
 permit tcp 63.99.207.0 0.0.0.255 any eq 11020
 remark CUIT Access
 permit ip 128.59.59.0 0.0.0.255 any
 permit ip 128.59.39.0 0.0.0.255 any
 permit ip 128.59.31.0 0.0.0.255 any
 permit ip 128.59.30.0 0.0.0.255 any
 permit ip 128.59.192.0 0.0.1.255 any
 permit ip 128.59.138.0 0.0.0.255 any
 permit ip 128.59.239.0 0.0.0.255 any
 permit ip 128.59.197.0 0.0.0.255 any
 remark OOI Access
 permit tcp any host 128.59.238.15 eq 417
 permit tcp any host 128.59.238.15 eq 9003
 permit tcp any host 128.59.238.25 eq 1494
 permit tcp any host 128.59.238.25 eq 443
 permit ip host 67.102.164.43 any
 permit tcp 128.59.213.0 0.0.0.255 any
 permit ip host 128.59.138.128 host 128.59.238.15
 permit tcp host 72.21.162.32 host 128.59.238.15 eq 2837
 permit tcp host 72.21.162.32 host 128.59.238.15 eq 5745
 permit tcp host 72.21.162.34 host 128.59.238.15 eq 2837
 permit tcp host 72.21.162.34 host 128.59.238.15 eq 5745
 remark tradedev.ooi.columbia.edu
 permit tcp any host 128.59.238.13 eq 443
 remark pcanywhere-AIS
 permit tcp host 128.59.240.25 eq 5631 host 128.59.238.14 eq 5631
 permit udp host 128.59.240.25 eq 5632 host 128.59.238.14 eq 5632
 permit ip 10.70.142.0 0.0.0.255 128.59.238.0 0.0.0.255
 permit udp host 72.5.37.78 any eq non500-isakmp
 permit udp host 72.5.37.78 any eq isakmp
 permit esp host 72.5.37.78 any
 permit ahp host 72.5.37.78 any
 permit tcp any host 128.59.238.50 eq smtp
 permit tcp any host 128.59.238.34 eq www
 permit tcp any host 128.59.238.34 eq 443
 permit ip any host 128.59.238.28
 permit ip host 64.80.108.81 host 128.59.238.51
 permit tcp any host 128.59.238.48 eq www
 permit tcp any host 128.59.238.48 eq 443
 evaluate iptraffic 
 deny   ip any any
5 REPLIES
Cisco Employee

relexive acl not working

Hi Joseph,

Please provide the show output of access-list 'iptraffic'.

Thanks,

Narayana

New Member

relexive acl not working

Narayana,

show ip access-lists iptraffic

Reflexive IP access list iptraffic

     permit tcp host 72.5.37.36 eq 443 host 128.59.238.108 eq 4270 (1 match) (time left 299)

thanks

Joseph

Cisco Employee

reflexive acl not working

Hi Joseph,

Please let me know what is the source IP from which you are trying to access the citrix server.

Thanks,

Narayana

New Member

reflexive acl not working

Naranya,

The source ip was 128.59.238.108.  I'll be going to the site tomorrow to try some packet captures.  If there is any other information you think might be useful, let me know.  Thanks for your time.

Joe

Cisco Employee

reflexive acl not working

Hi Joe,

I do not see any reason why the traffic flow should not work when you have the outbound access-list applied on interface. If you are able to find something from packet captures please post it.

Thanks,

Narayana

739
Views
0
Helpful
5
Replies
CreatePlease to create content