I'm struggling with this one. My reflexive ACLs work fine when trying to ping out from my network, through R1 and out toward SW1.
For example, if I ping from Router 2 to SW1's Loopback via R1 I see this reflexive ACL entry on R1:
"Reflexive IP access list ICMP
permit icmp host 184.108.40.206 host 220.127.116.11 (16 matches) (time left 293)"
However, if I try the same from R1, i.e. ping from R1 using any of its interfaces as source, then it isn't matching the reflect entry of my ACL and therefore not opening up the return permit. Is that expected? I can't figure out why it's not happening.
My ACL config is below. As stated, all other pings from inside the network apart from R1 work fine. Any ping from R1 to SW1's loopback is not matching the reflexive hit on the way out.
Rack1R1#show ip access-lists
Extended IP access list FROM_SW1
10 permit icmp any any time-exceeded
20 permit icmp any any port-unreachable
25 permit icmp host 18.104.22.168 any echo-reply
30 evaluate ICMP
40 deny icmp any any
50 permit ip any any (19 matches)
Reflexive IP access list ICMP
permit icmp host 22.214.171.124 host 126.96.36.199 (16 matches) (time left 293)
permit icmp host 188.8.131.52 host 184.108.40.206 (10 matches) (time left 297)
Extended IP access list TO_SW1
5 permit icmp any host 220.127.116.11 echo
10 permit icmp any any reflect ICMP (14 matches)
20 permit ip any any
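An added model of the two ACLs above (this is illustration code written for this page, not the poster's configuration and not anything from Cisco IOS). It assumes the documented IOS behaviour that packets the router generates itself are not evaluated by an outbound interface ACL, so the `reflect ICMP` line never creates a mirrored entry for them; the addresses are constructed placeholders.

```python
# Constructed addresses: R2 is an inside host, R1 is the router's own interface,
# SW1 is the loopback being pinged through R1.
R2 = "10.1.1.1"
R1 = "10.1.1.254"
SW1 = "10.2.2.1"
REFLEXIVE_TIMEOUT = 300  # seconds, matches the "time left 29x" shown in the post


def outbound_to_sw1(pkt, reflexive, now):
    """TO_SW1, applied outbound on R1.
    '10 permit icmp any any reflect ICMP' permits the echo and records a
    mirrored (src, dst) entry in the reflexive list.  Assumption (IOS
    behaviour): packets the router itself originates bypass the outbound
    ACL, so nothing is reflected for them."""
    if pkt["router_originated"]:
        return "permit"                      # never evaluated by TO_SW1
    if pkt["proto"] == "icmp":
        reflexive[(pkt["dst"], pkt["src"])] = now + REFLEXIVE_TIMEOUT
    return "permit"                          # 20 permit ip any any


def inbound_from_sw1(pkt, reflexive, now, static_reply_host=None):
    """FROM_SW1, applied inbound on R1, in the order the post shows:
    25 permit icmp host <X> any echo-reply / 30 evaluate ICMP / 40 deny icmp."""
    if pkt["proto"] != "icmp":
        return "permit"                      # 50 permit ip any any
    if pkt["icmp_type"] == "echo-reply" and pkt["src"] == static_reply_host:
        return "permit"                      # 25: static echo-reply permit
    expiry = reflexive.get((pkt["src"], pkt["dst"]))
    if expiry is not None and expiry > now:
        return "permit"                      # 30: evaluate ICMP hit
    return "deny"                            # 40: deny icmp any any


def ping(src, router_originated, static_reply_host=None):
    """Send one echo out through TO_SW1 and test the echo-reply against FROM_SW1.
    Returns (verdict for the reply, number of reflexive entries created)."""
    now, reflexive = 1000.0, {}
    echo = {"proto": "icmp", "icmp_type": "echo", "src": src, "dst": SW1,
            "router_originated": router_originated}
    outbound_to_sw1(echo, reflexive, now)
    reply = {"proto": "icmp", "icmp_type": "echo-reply", "src": SW1, "dst": src,
             "router_originated": False}
    return inbound_from_sw1(reply, reflexive, now + 1, static_reply_host), len(reflexive)


if __name__ == "__main__":
    print("R2 -> SW1:", ping(R2, router_originated=False))     # reflexive entry, reply permitted
    print("R1 -> SW1:", ping(R1, router_originated=True))      # no entry, reply denied by line 40
    print("R1 -> SW1 with line 25:", ping(R1, True, SW1))      # static permit rescues the reply
```

The model reproduces the symptom in the post: a ping sourced from R1 leaves no reflexive entry, so its reply is only let in by the static line 25, not by `evaluate ICMP`.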