08-05-2006 04:30 PM - edited 03-03-2019 01:33 PM
I have 3 routers:
R1(17.17.17.1)----inside-----(17.x.17.7)R2(12.12.12.7)---outside----(12.12.12.8)R3
I would like to implement a reflexive ACL on R2 that only allows TCP, UDP, ICMP and traceroute initiated from the inside network. Here is my configuration:
R2:
interface e0
description connect to R3
ip access-group Incoming in
ip access-group Outgoing out
ip access-list extended Outgoing
permit tcp any any reflect temp
permit udp any any reflect temp
permit icmp any any reflect temp
ip access-list extended Incoming
permit eigrp any any
permit icmp any any port-unreachable
permit icmp any any time-exceeded
evaluate temp
Then I realized that I am not able to ping the loopback IP address of R3 (12.12.12.8). According to the documentation, traffic initiated on R2 itself will not be evaluated, so I added one more command to the access-list Incoming:
"permit icmp any any echo-reply"
Now I am able to ping R3. My question is: I can understand why R2 cannot ping R3 without the last command I mentioned, but why can I also ping R3 from R1 only after I added that command? The traffic from R1 is not originated on R2 locally.
There is no routing problem; every IP address is reachable.
08-06-2006 03:05 AM
Well according to this http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7bb.html
"IP session filtering provides the ability to filter IP packets based on upper-layer protocol "session" information."
And since ICMP is not an upper-layer protocol and doesn't use sessions the way TCP does, I'm not surprised that ICMP doesn't work with reflexive ACLs. You could try CBAC (ip inspect) instead; the newer IOS releases do have the ability to dynamically permit ICMP.
08-06-2006 12:01 PM
Hello,
usually, the 'permit icmp any any reflect' statement should be sufficient. Can you post the full configs of all your 3 routers?
Regards,
GP