
New Member

reflective acl

hello, I'm testing reflective access-lists.

I've got 3 routers R1 R2 and R6.

R1 is the central router, and this is its relevant config:

! Serial1/0 is the link to R2
interface serial1/0
 ip access-group PING-IN in
 ip access-group PING-OUT out
!
ip access-list extended PING-IN
 evaluate ICMP-REFLECT
 deny icmp any any log
 permit ip any any
!
ip access-list extended PING-OUT
 permit icmp any any reflect ICMP-REFLECT timeout 15
 permit ip any any

Now, R6 is connected to R1 Serial 1/2 and is to be considered internal, whereas R2 is connected to Serial 1/0 and has to be considered external.

As you can see a ping from R6 to R2 would allow R2 to ping R6 within 15 seconds. Or at least this is what I would like to achieve.

For some reason, I always get a U.U.U when pinging from R2.

I've tried to enable debug on R1:

ICMP: dst (192.168.2.6) administratively prohibited unreachable sent to 192.168.0.2

These IPs are the serial interface IPs on R6 and R2.

Checking the access-list

show ip access-list

I can see that the source/destination IP in the reflective ACL are different (using loopbacks). Then I tried to specify the source IP as a ping parameter, but still no luck!

This problem is only the ping out from R6 to R2. Pinging R2 from R6 always works.

I've found many examples of reflective acl, and comparing them with mine I don't see any difference.

I'm just trying to figure out what I'm doing wrong...

Accepted Solution

Re: reflective acl

Your configuration looks good!!

Your existing setup should allow you to ping R2 from R6. You won't be able to ping R6 from R2.

R1 would evaluate ICMP traffic originating from the internal (R6) network, and the reflexive ACL will let the ICMP echo-replies from R2 back to R6.

If you are still having problems then can you post the entire configuration of all 3 routers and clarify from which address you are pinging to what address.

HTH

Sundar

3 REPLIES

New Member

Re: reflective acl

I see...

thanks! reading your answer I suddenly figure out the concept I was missing!

I thought the ICMP outbound traffic was enabling (triggering) any inbound ICMP traffic, but of course it does not! It will only allow return packets from destination to source.

Thanks for the clarification, very useful!

Re: reflective acl

Glad that helped :)

Think of a reflexive ACL as a stateful firewall where traffic originated and evaluated from the trusted side of the network is automatically allowed to come back from the untrusted side. Any traffic originated from the untrusted side to the trusted side you need to explicitly allow; in your case that would be under your PING-IN ACL.

BTW, thanks for rating the post!!

HTH

Sundar
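The stateful behaviour described in this thread, as an added Python model (not IOS code and not from the original posts): PING-OUT creates a mirrored entry in ICMP-REFLECT, PING-IN only permits ICMP that matches such an entry, and the entry expires after the 15 s timeout. The model assumes the mirror pairs an outbound echo with an inbound echo-reply only, as the answers describe; the address 10.6.6.6 is a constructed stand-in for an R6 loopback.

```python
from dataclasses import dataclass, field

# Serial-interface addresses quoted in the thread for R6 and R2.
R6, R2 = "192.168.2.6", "192.168.0.2"
# Reply type paired with each request type (model assumption, see lead-in).
REPLY_OF = {"echo": "echo-reply", "timestamp": "timestamp-reply"}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: str = ""

@dataclass
class ReflexiveList:
    """Temporary mirror entries: created by 'reflect', matched by 'evaluate'."""
    name: str
    timeout: int
    entries: dict = field(default_factory=dict)  # mirrored Packet -> expiry time

    def reflect(self, pkt, now):
        # The mirror swaps source and destination (and, in this model, the ICMP type).
        mirror = Packet(pkt.proto, pkt.dst, pkt.src, REPLY_OF.get(pkt.icmp_type, pkt.icmp_type))
        self.entries[mirror] = now + self.timeout

    def evaluate(self, pkt, now):
        self.entries = {k: v for k, v in self.entries.items() if v > now}  # drop expired
        return pkt in self.entries

ICMP_REFLECT = ReflexiveList("ICMP-REFLECT", timeout=15)

def ping_out(pkt, now):
    """PING-OUT: permit icmp any any reflect ICMP-REFLECT timeout 15; permit ip any any."""
    if pkt.proto == "icmp":
        ICMP_REFLECT.reflect(pkt, now)
    return "permit"

def ping_in(pkt, now):
    """PING-IN: evaluate ICMP-REFLECT; deny icmp any any log; permit ip any any."""
    if ICMP_REFLECT.evaluate(pkt, now):
        return "permit"  # matched a mirrored entry: return traffic of a trusted-side flow
    return "deny" if pkt.proto == "icmp" else "permit"

def scenario():
    """Replay the poster's test: R6 pings R2, then R2 tries to ping R6 inside the window."""
    ICMP_REFLECT.entries.clear()
    r = {}
    ping_out(Packet("icmp", R6, R2, "echo"), now=0)                               # R6 -> R2 request
    r["reply_to_r6"] = ping_in(Packet("icmp", R2, R6, "echo-reply"), now=1)       # its reply: allowed
    r["r2_echo_in_window"] = ping_in(Packet("icmp", R2, R6, "echo"), now=2)       # new R2 flow: denied
    r["reply_after_timeout"] = ping_in(Packet("icmp", R2, R6, "echo-reply"), now=16)
    ping_out(Packet("icmp", "10.6.6.6", R2, "echo"), now=20)                      # R6 pings from loopback
    r["reply_to_other_address"] = ping_in(Packet("icmp", R2, R6, "echo-reply"), now=21)
    return r
```

The last case reproduces the loopback observation from the first post: the mirror entry carries the loopback address, so a reply aimed at R6's serial address is not return traffic of that flow.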
