relexive ACL

att-sgcops · ‎08-05-2006

I have 3 routers:

R1(17.17.17.1)----inside-----(17.x.17.7)R2(12.12.12.7)---outside----(12.12.12.8)R3

I like to implement Ref ACL on R2, only allow TCP , UDP, ICMP and traceroute initiated from inside network. Here is my configure:

R2:

interface e0

description connect to R3

ip access-group Incoming in

ip access-group Outgoing out

ip access-list extended Outgoing

permit tcp any any reflect temp

permit udp any any reflect temp

permit icmp any any reflect temp

ip access-list extended Incoming

permit eigrp any any

permit icmp any any port-unreachable

permit icmp any any time-exceeded

evaluate temp

Then I realized that I am not able to ping the loopback ip address of R3 (12.12.12.8), according to document, the traffic which was initiated on the r2 itself will not evaluated, So I added one more command in the access-list Incoming:

"permit icmp any any echo-reply"

Now I am able to ping the R3, my question is: I can understand from R2 cannot ping R3 without the last command I mentioned, but why I aslo can ping R3 from R1 only after I added that command. Since traffic from R1 is not originated from R2 locally.

there is not routing problem, every ip address is reachable.

tekha · ‎08-06-2006

Well according to this http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7bb.html

"IP session filtering provides the ability to filter IP packets based on upper-layer protocol "session" information."

And since ICMP is not an upper-layer protocol and doesn't use sessions the way TCP does, I'm not suprised that ICMP dosn't work with reflexive ACL's. You could try CBAC (ip inspect) insteed, the newer IOS do have the abillity to dynamically permit ICMP.

Georg Pauwen · ‎08-06-2006

Hello,

usually, the 'permit icmp any any reflect' statement should be sufficient. Can you post the full configs of all your 3 routers ?

Regards,

GP