06-22-2006 12:13 AM - edited 03-03-2019 01:04 PM
I want to configure a reflexive ACL to block traffic initiated from outside. Once I configured it on the interface, I found that the OSPF and BGP neighbor relationships were not able to establish because of this. I added a few permit commands for OSPF and BGP, which also did not help. Can someone help me resolve this?
R2--inside network--R1(41.41.41.1)--outside network--(41.41.41.4)R4
configuration on R1:
______________________________________
ip access-list extended chu
 permit tcp any any eq bgp reflect conn
 permit ospf any any reflect conn
ip access-list extended jing
 evaluate conn
interface serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out
______________________________________
06-22-2006 03:33 AM
Hello,
This configuration will not work.
I think you might take a closer look at how reflexive ACLs work.
You need to have traffic flowing first in order to "reflect" (i.e. create an ACL entry permitting the opposite-direction traffic).
The only traffic that will "work" is traffic originated inside. When it goes out, a reflected ACL entry will be created permitting it to come back.
But traffic originated outside will never be permitted, unless you create an ACL for it.
So, if the traffic is coming from the other routers (OSPF and BGP traffic), originated by the other routers, this configuration will not work.
Take a look at this example: usually traffic between routers (routing traffic) is permitted and other TCP traffic is reflected (the same is valid for ICMP packets).
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
HTH,
If it does, please rate this post.
vlad
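As an added illustration (not part of the thread and not Cisco code), the Python model below replays the flows discussed above through a simplified reflexive ACL evaluator: the question's chu/jing lists beside a corrected pair that permits OSPF and BGP from the neighbour statically, scoped to 41.41.41.4, and reflects inside-originated TCP, UDP and ICMP. It also models the IOS behaviour that outbound ACLs are not applied to packets the router itself generates, so a ping or BGP session sourced from R1 never creates a reflexive entry and its replies are dropped at the inbound evaluate line. The inside host 10.1.1.5, the port numbers, the fixed 300-second timeout and the Packet/Rule/ReflexiveRouter names are assumptions; ICMP is matched without type or code.

```python
# Toy model of Cisco IOS reflexive ACL evaluation (added illustration, not Cisco
# code): protocol, addresses, 'eq' dest port, one reflect/evaluate list per line.
from dataclasses import dataclass
from typing import Optional

R1, R4 = "41.41.41.1", "41.41.41.4"   # interface addresses from the question
INSIDE_HOST = "10.1.1.5"             # assumed host behind R1

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0                  # 0 when the protocol has no ports
    dport: int = 0
    router_generated: bool = False  # True for packets the router itself sources

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None     # 'eq <port>' on the destination port
    reflect: Optional[str] = None   # 'reflect <name>': add a mirrored entry
    evaluate: Optional[str] = None  # 'evaluate <name>': consult mirrored entries

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))

class ReflexiveRouter:
    def __init__(self, inbound, outbound, timeout=300):
        self.inbound, self.outbound, self.timeout = inbound, outbound, timeout
        self.state = {}  # (list name, mirrored 5-tuple) -> expiry time

    def send_out(self, p: Packet, now: float = 0) -> str:
        """Inside -> outside through the ACL applied 'out'."""
        if p.router_generated:
            # IOS does not apply outbound ACLs to locally generated packets,
            # so nothing the router itself sources creates a reflexive entry.
            return "permit (outbound ACL bypassed: router-generated)"
        for r in self.outbound:
            if r.matches(p):
                if r.action == "permit" and r.reflect:
                    # The reflected entry permits the reverse flow: addresses and
                    # ports swapped, valid until the (simplified) timeout.
                    mirrored = (p.proto, p.dst, p.src, p.dport, p.sport)
                    self.state[(r.reflect, mirrored)] = now + self.timeout
                return r.action
        return "deny"  # implicit deny at the end of every ACL

    def receive_in(self, p: Packet, now: float = 0) -> str:
        """Outside -> inside through the ACL applied 'in'."""
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        for r in self.inbound:
            if r.evaluate:
                expiry = self.state.get((r.evaluate, key))
                if expiry is not None and expiry > now:
                    return "permit (reflected)"
                continue  # 'evaluate' never denies; later lines still apply
            if r.matches(p):
                return r.action
        return "deny"

def op_router() -> ReflexiveRouter:
    """The lists from the question: 'chu' applied out, 'jing' applied in."""
    chu = [Rule("permit", "tcp", dport=179, reflect="conn"),
           Rule("permit", "ospf", reflect="conn")]
    jing = [Rule("permit", evaluate="conn")]
    return ReflexiveRouter(inbound=jing, outbound=chu)

def fixed_router() -> ReflexiveRouter:
    """Routing protocols permitted statically from the neighbour; all else reflected."""
    outbound = [Rule("permit", proto, reflect="tcptraffic")
                for proto in ("tcp", "udp", "icmp")]
    inbound = [Rule("permit", "ospf", src=R4),
               Rule("permit", "tcp", src=R4, dst=R1, dport=179),
               Rule("permit", evaluate="tcptraffic")]
    return ReflexiveRouter(inbound=inbound, outbound=outbound)

def run_scenarios() -> dict:
    """Replay the flows from the thread against both configurations."""
    results = {}
    for name, build in (("op", op_router), ("fixed", fixed_router)):
        rt = build()
        web = Packet("tcp", INSIDE_HOST, R4, 40000, 80)
        reply = Packet("tcp", R4, INSIDE_HOST, 80, 40000)
        verdicts = {"inside_web_out": rt.send_out(web, now=0),
                    "inside_web_reply": rt.receive_in(reply, now=10),
                    "inside_web_reply_after_timeout": rt.receive_in(reply, now=rt.timeout + 1),
                    "outside_bgp_open": rt.receive_in(Packet("tcp", R4, R1, 30000, 179)),
                    "outside_ospf_hello": rt.receive_in(Packet("ospf", R4, "224.0.0.5")),
                    "outside_ssh_to_inside": rt.receive_in(Packet("tcp", R4, INSIDE_HOST, 50000, 22))}
        # A ping sourced by R1 itself leaves without touching the 'out' list,
        # so no reflexive entry exists when the echo-reply comes back.
        rt.send_out(Packet("icmp", R1, R4, router_generated=True))
        verdicts["router_ping_reply"] = rt.receive_in(Packet("icmp", R4, R1))
        results[name] = verdicts
    return results
```

Call run_scenarios() to see each flow's verdict under both list pairs: the question's lists drop the outside-originated BGP open and OSPF hello, and also every outbound flow that is not BGP or OSPF, because the outbound list ends in the implicit deny; the corrected lists permit those statically while still dropping an unsolicited SSH attempt to the inside host and expiring the reflected web entry after the timeout. Both pairs still drop the echo-reply to a ping sourced by R1 itself, so if router-sourced pings are wanted, add a static inbound permit for ICMP echo-reply to the router's own address rather than widening the reflected entries. The real feature refreshes the timer on every matching packet and tears down TCP entries on FIN/RST, which this model omits.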
06-22-2006 12:38 AM
I also changed the config to:
interface serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out
end
ip access-list extended chu
 permit icmp any any reflect conn
 permit icmp any any echo reflect conn
 permit icmp any any echo-reply reflect conn
 permit tcp any any eq bgp reflect conn
 permit ospf any any reflect conn
ip access-list extended jing
 evaluate conn
 permit ospf any any
 permit tcp any any eq bgp
When I ping from R1 to R4, I get a timeout; it is not reachable.