Reflexive ACL behaviour

snarayanaraju
Level 4

Hi friends,

A basic doubt.

I am checking REFLEXIVE ACLs. During the lab I found this behaviour.

152.50.12.1 (R1)-----(R2) 150.50.7.7

where 150.50.12.1 is untrusted & 150.50.7.7 is trusted.

Reflexive ACLs are configured and working perfectly as expected. When I initiated an ICMP ping from 150.50.7.7 it is creating a reflexive ACL entry in R2 as below:

permit icmp host 150.50.12.1 host 150.50.7.7 (10 matches) (time left 76)

I thought that after this temporary ACL creation I should be able to ping from 150.50.12.1 to 150.50.7.7. But it failed to ping, even though I am able to ping 150.50.12.1 from 150.50.7.7.

Is this normal behaviour?

Thanks for valuable answers

sairam


Peter Paluch
Cisco Employee

Hi Sairam,

It depends on how you set up the pair of ACLs. Can you post the configuration of the router that contains the reflexive ACL?

Best regards,

Peter

Hi Peter,

The configuration is done on R2:

ip access-list extended TRUSTED-UNTRUSTED
 permit ip any any reflect SAIRAM
!
ip access-list extended UNTRUSTED-TRUSTED
 evaluate SAIRAM
!
interface Serial0/0
 description #### UNTRUSTED #####
 ip access-group UNTRUSTED-TRUSTED in
!
interface FastEthernet0/0
 description ##### TRUSTED #####
 ip access-group TRUSTED-UNTRUSTED in

Peter, this is the snapshot of the configuration made on R2

Hope this is sufficient to help me

Sairam

Hello Sairam,

Your config is OK. I believe that the reason it does not work lies in the fact that, even though the "show access-list" command shows only the hosts and protocol in your reflexive ACL, internally the reflexive ACL holds more information about what the return packet should look like. I suspect that for ICMP, when you ping from inside to outside, the reflexive ACL will match for an ICMP echo-reply message. This would also explain why pinging from outside to inside does not work: the packets are of the type ICMP echo, not echo-request as the reflexive ACL entry expects.

Maybe you should try testing this with real equipment and some packet generator that is able to generate a packet from an arbitrary port - the "netcat" utility for Linux can be used for that. I suggest using UDP packets as they have no state information in their header.

Best regards,

Peter
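The matching behaviour described in Peter's reply, as an added Python model that is not part of the thread and not Cisco IOS code: a reflected entry is stored as the full return packet it expects (reversed hosts, swapped ports, and for ICMP the reply type), while the displayed "permit icmp host A host B" line shows only the hosts. The echo-request to echo-reply pairing and the UDP port numbers are assumptions chosen to replay the ping test and the UDP test from the thread.

```python
# Added illustration of the stateful matching behind a reflexive ACL entry.
# Simplified Python model, not Cisco IOS code; the ICMP echo -> echo-reply
# pairing follows the explanation in the thread and is an assumption here.
from dataclasses import dataclass
from typing import List, Optional

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_REPLY_OF = {ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY}  # assumed request -> reply map

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0                   # tcp/udp ports (0 for icmp)
    dport: int = 0
    icmp_type: Optional[int] = None  # icmp message type

def shown(entry: Packet) -> str:
    """What 'show access-list' displays: hosts only, not the hidden detail."""
    return f"permit {entry.proto} host {entry.src} host {entry.dst}"

def reflect(pkt: Packet) -> Optional[Packet]:
    """Mirror a permitted outbound packet into the return packet it expects."""
    if pkt.proto == "icmp":
        reply = ICMP_REPLY_OF.get(pkt.icmp_type)
        if reply is None:                # replies/errors create no return entry
            return None
        return Packet("icmp", pkt.dst, pkt.src, icmp_type=reply)
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)  # swap ports

def evaluate(entries: List[Packet], pkt: Packet) -> bool:
    """Inbound check: the whole expected tuple must match, not just the hosts."""
    return any(e == pkt for e in entries)

def demo() -> dict:
    """Replay the thread's ping test, then the UDP test Peter suggests."""
    trusted, untrusted = "150.50.7.7", "150.50.12.1"
    entries = [reflect(Packet("icmp", trusted, untrusted, icmp_type=ICMP_ECHO_REQUEST)),
               reflect(Packet("udp", trusted, untrusted, 40000, 53))]  # constructed ports
    return {
        "shown": shown(entries[0]),
        "echo_reply_in": evaluate(entries, Packet("icmp", untrusted, trusted, icmp_type=ICMP_ECHO_REPLY)),
        "new_ping_in": evaluate(entries, Packet("icmp", untrusted, trusted, icmp_type=ICMP_ECHO_REQUEST)),
        "udp_reply_in": evaluate(entries, Packet("udp", untrusted, trusted, 53, 40000)),
        "udp_other_port_in": evaluate(entries, Packet("udp", untrusted, trusted, 53, 40001)),
    }
```

Running demo() reproduces the thread: the displayed entry is "permit icmp host 150.50.12.1 host 150.50.7.7", an inbound echo-reply passes, and a fresh inbound echo-request from the untrusted host is dropped.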
