Reflexive ACL question

jsprang

Can the inbound and outbound ACLs in a reflexive ACL live on different interfaces like CBAC.  So the mirroring on the ingress of the "inside" interface.  And the mirrored on the "outside."

example:

ip access-list extended inside

 permit tcp any any reflect mirror

 permit udp any any reflect mirror

ip access-list extended outside

 deny   ip any any

 evaluate mirror 

 

interface FastEthernet0/0

 description inside

 ip address 192.168.1.2 255.255.255.0

 ip access-group inside in

 speed 100

 full-duplex

!

interface FastEthernet0/1

 description outside

 ip add 192.168.2.2 255.255.255.0

 ip access-group outside in

JoeM

Hi Jsprang.

This is not possible.   It is only per interface (in/out).

I was wrong about this.   Great question.

 

 

nickoneill

This looks ok to me.

Your "evaluate mirror" needs to be above the deny ip any any though.

 

Nick

JoeM

Nick,

Are you saying that we can use "evaluate" on different interfaces? 

                     f0/0  -->  f0/1

If so, this is really interesting.  I am going to experiment with this.

qqabdal

I agree with nick, the evaluate needs to come before the deny, otherwise everything will be denied. Try this on R2:

 en

 conf t

 ip access-list e outside

  no 10

  30 deny ip an an

 

nickoneill

Hi Joe

 

Yes you can use this on different interfaces, it all gets tied together with the evalutae and mirror options so no need to keep it on the same interfaces.

 

Nick