Cisco Support Community
New Member

Reflexive Access List and locally generated traffic and this scenario

R1 and R2 connected through Ethernet cable (12.0.0.1 and 12.0.0.2 respectively)

Part of the configuration is this:

R1#show run
Building configuration...

Current configuration : 869 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
enable password xxx
!
ip subnet-zero
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.x.x.x.255.255
!
interface FastEthernet0/0
 ip address 12.x.x.x.0.0.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
ip classless
no ip http server
ip pim bidir-enable
!
!
ip access-list extended INBOUND
 permit icmp host 12.0.0.2 host 12.0.0.1 echo-reply
 permit tcp any any eq telnet          <-- I added this
 evaluate GOODGUYS
ip access-list extended OUTBOUND
 permit tcp any any reflect GOODGUYS
 permit udp any any reflect GOODGUYS
 permit icmp any any reflect GOODGUYS
!
line con 0
line aux 0
line vty 0 4
 password xxxx
 login
!
end

An important point to note about reflexive access-lists and CBAC is that an outbound access-list does not affect traffic locally generated by the router. This means that traffic the router originates (routing protocol traffic, telnet, ping, etc.) will not get evaluated.

There are two choices to deal with this problem. You can either explicitly permit this traffic to return (I am considering this), or you can policy route all locally generated traffic to another local interface first. The first method is easier, and the second is potentially more secure.

Why won't adding this line be useful for a successful telnet?
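Added example, not code from the thread or from Cisco: a small Python model of how R1's INBOUND and OUTBOUND lists above treat the return half of a telnet session. It assumes an ephemeral source port of 40000 and a constructed LAN host 10.0.0.5 behind R1, and shows two things: `eq telnet` in the added line matches the destination port, so R2's reply (source port 23, destination port ephemeral) never matches it, and because R1's own traffic skips OUTBOUND, no reflexive entry exists for `evaluate GOODGUYS` to use. An explicit entry for the return direction, as the quoted text suggests, is modelled alongside.

```python
"""Added example (not from the thread): simulate R1's reflexive ACLs from the post."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")
# One permit entry of an IOS extended ACL: sport/dport model 'eq', reflect/evaluate
# name the reflexive list. Deny entries and ICMP types are left out of the model.
Ace = namedtuple("Ace", "proto src dst sport dport reflect evaluate",
                 defaults=(None, None, None, None))

def matches(ace, p):
    return (ace.proto == p.proto
            and ace.src in ("any", p.src) and ace.dst in ("any", p.dst)
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))

def run_acl(acl, p, reflexive):
    """Top-down evaluation with the implicit deny; 'reflect' stores the mirrored 5-tuple."""
    for ace in acl:
        if ace.evaluate is not None:
            if p in reflexive.get(ace.evaluate, set()):
                return True
            continue
        if matches(ace, p):
            if ace.reflect is not None:
                reflexive.setdefault(ace.reflect, set()).add(
                    Pkt(p.proto, p.dst, p.dport, p.src, p.sport))
            return True
    return False

R1, R2, LAN_HOST = "12.0.0.1", "12.0.0.2", "10.0.0.5"   # LAN_HOST is constructed
OUTBOUND = [Ace(proto, "any", "any", reflect="GOODGUYS") for proto in ("tcp", "udp", "icmp")]
# INBOUND as posted: 'permit tcp any any eq telnet' then 'evaluate GOODGUYS'
AS_POSTED = [Ace("tcp", "any", "any", dport=23), Ace("ip", "any", "any", evaluate="GOODGUYS")]
# INBOUND with the return half of R1's own telnet permitted explicitly (assumed fix):
# 'permit tcp host 12.0.0.2 eq telnet host 12.0.0.1' then 'evaluate GOODGUYS'
EXPLICIT = [Ace("tcp", R2, R1, sport=23), Ace("ip", "any", "any", evaluate="GOODGUYS")]

def telnet_reply_allowed(inbound, client, eph=40000):
    """Does the first reply of a telnet session client -> R2 get through INBOUND on R1?"""
    reflexive = {}
    syn = Pkt("tcp", client, eph, R2, 23)
    if client != R1:                   # router-originated traffic bypasses the outbound ACL
        run_acl(OUTBOUND, syn, reflexive)
    return run_acl(inbound, Pkt("tcp", R2, 23, client, eph), reflexive)
```

Note that the posted line does match a fresh inbound connection to port 23 on R1 itself, which is the opposite of the intended effect; the explicit return-direction entry does not.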

3 REPLIES
New Member

Re: Reflexive Access List and locally generated traffic and this

Any help?

New Member

Re: Reflexive Access List and locally generated traffic and this

Hi there, you cannot inspect traffic generated by the router itself. For that you have to implement the ACLs on the other router's interface.

sebastan

New Member

Re: Reflexive Access List and locally generated traffic and this

"Hi there, you cannot inspect traffic generated by the router itself. For that you have to implement the ACLs on the other router's interface"

I did not get what you meant, could you kindly explain more.

Thanks
