IEOC - INE's Online Community

Latest post 05-18-2012 10:11 AM by qqabdal. 4 replies.
  • 05-18-2012 9:18 AM

    Task 6.4 - ICMP Filtering


    I'm struggling with this one. My reflexive ACLs work fine when trying to ping out from my network, through R1 and out toward SW1.

    For example, if I ping from Router 2 to SW1's Loopback via R1, I see this reflexive ACL entry on R1:

    "Reflexive IP access list ICMP

         permit icmp host host  (16 matches) (time left 293)"

    However, if I try the same from R1, i.e. ping from R1 using any of its interfaces as source, then it isn't matching the reflect entry of my ACL and therefore not opening up the return permit. Is that expected? I can't figure out why it's not happening.

    My ACL config is below. As stated, all other pings from inside the network apart from R1 work fine. Any ping from R1 to SW1's loopback is not matching the reflective hit on the way out.


    Rack1R1#show ip access-lists
    Extended IP access list FROM_SW1
        10 permit icmp any any time-exceeded
        20 permit icmp any any port-unreachable
        25 permit icmp host any echo-reply
        30 evaluate ICMP
        40 deny icmp any any
        50 permit ip any any (19 matches)
    Reflexive IP access list ICMP
         permit icmp host host  (16 matches) (time left 293)
         permit icmp host host  (10 matches) (time left 297)
    Extended IP access list TO_SW1
        5 permit icmp any host echo
        10 permit icmp any any reflect ICMP (14 matches)
        20 permit ip any any

    • Post Points: 20
  • 05-18-2012 9:24 AM In reply to

    Re: Task 6.4 - ICMP Filtering



    As far as I know, outbound ACLs do not affect the router's own traffic. Here the pings are sent but are not matched by the outbound ACL, which is what would reflect them and allow the inbound ACL to permit them back.




    • Post Points: 20
  • 05-18-2012 9:39 AM In reply to

    Re: Task 6.4 - ICMP Filtering

    Bassam is correct, router-originated traffic is not subject to outbound ACLs. You have two options here:

    1) Open pinholes in the ACL for ICMP

    2) Local PBR


    Good luck!

    • Post Points: 20
  • 05-18-2012 9:53 AM In reply to

    Re: Task 6.4 - ICMP Filtering


    Hi Qqabdal,

    You mean using Local PBR in order to make the router's own traffic transit traffic, right? This is a very nice trick. On the other hand, CBAC can inspect the router's own traffic, using the router-traffic keyword.




    • Post Points: 20
  • 05-18-2012 10:11 AM In reply to

    Re: Task 6.4 - ICMP Filtering

    Hi Bassam,

    Exactly. You can create an ACL and bind it to a route-map that sets the next-hop interface to be your loopback, then you do an ip local policy route-map. As Brian says this is an SRT (Stupid Router Trick), but it is always good to know your options.

    About CBAC, oh yeah, that is a much more elegant way of solving this issue, but since he is dealing with reflexive ACLs, I guess that is not an option here.

    The features have just been evolving since the beginning:

    Established keyword on ACL -> Reflexive ACLs -> CBAC -> ZBFW


    Good luck!

    • Post Points: 5
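The reflexive ACL pair from the first post together with the local PBR trick described in the last reply, as an added worked configuration that is not from any poster in this thread. Interface names, the loopback, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed assumptions; the route-map deliberately matches only R1's own ICMP toward SW1 so that routing-protocol and management traffic the router originates is not policy-routed through the loopback.

```cisco
! R1: outbound toward SW1, echo requests create reflexive ICMP entries
ip access-list extended TO_SW1
 permit icmp any any reflect ICMP timeout 300
 permit ip any any
!
! R1: inbound from SW1, only reflected sessions and needed ICMP errors return
ip access-list extended FROM_SW1
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 evaluate ICMP
 deny icmp any any
 permit ip any any
!
interface FastEthernet0/0
 description Link toward SW1 (assumed interface name and addressing)
 ip address 192.0.2.1 255.255.255.0
 ip access-group TO_SW1 out
 ip access-group FROM_SW1 in
!
! Loopback used only to re-inject R1's own pings as transit traffic
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! Match only router-originated ICMP to SW1 (constructed SW1 loopback address)
ip access-list extended R1_ICMP_TO_SW1
 permit icmp any host 192.0.2.7
!
! Local PBR "SRT": send matching packets to Loopback0 so they re-enter
! forwarding as transit and hit the outbound reflexive ACL on Fa0/0
route-map LOCAL_PBR permit 10
 match ip address R1_ICMP_TO_SW1
 set interface Loopback0
!
ip local policy route-map LOCAL_PBR
!
! Verification after "ping 192.0.2.7" from R1:
!   show ip access-lists ICMP   -> reflexive entry with a (time left N) counter
!   show route-map LOCAL_PBR    -> policy matches incrementing
```

Without the route-map, R1's own echo requests never traverse TO_SW1, so no reflexive entry is built and FROM_SW1 drops the echo replies at the deny icmp line.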