Looks simple, in fact not easy. Who can give an explanation?

Security volume I IOS Firewall section: Reflexive Access-Lists

The reflexive access-list was generated as expected, yet a ping from R2's loopback 0 to R1's loopback 0 is always blocked by the inbound access-list:

R3#sh ip access-lists
Extended IP access list inbound
    10 evaluate return
    20 deny ip any any log (28 matches)
Extended IP access list outbound
    10 permit tcp any any reflect return (44 matches)
    20 permit icmp any any reflect return (111 matches)
    30 permit udp any any reflect return (58 matches)
Reflexive IP access list return
     permit icmp host 150.1.2.2 host 150.1.1.1  (40 matches) (time left 295)
     permit udp host 136.1.23.2 eq rip host 136.1.23.3 eq rip (226 matches) (time left 293)
Extended IP access list rip
    10 permit udp any any eq rip (59 matches)
R3#
*Dec 12 15:19:19.902: %SEC-6-IPACCESSLOGDP: list inbound denied icmp 150.1.2.2 -> 150.1.1.1 (8/0), 10 packets
R3#

Comments

    ip local policy route-map LOCAL
    ip access-list extended inbound
     evaluate return
     deny   ip any any log
    ip access-list extended outbound
     permit tcp any any reflect return
     permit icmp any any reflect return
     permit udp any any reflect return
    ip access-list extended rip
     permit udp any any eq rip
    !
    route-map LOCAL permit 10
     match ip address rip
     set interface Loopback0
    !

    interface FastEthernet0/1
     ip address 136.1.23.3 255.255.255.0
     ip access-group inbound in
     ip access-group outbound out
     duplex auto
     speed auto
    !
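To make the permit/deny decisions in the output above concrete, here is an added Python model of the reflect/evaluate pair on R3's Fa0/1 (written for this thread, not code from the post or from IOS): an outbound "reflect" installs the mirror image of the packet's 5-tuple, and an inbound "evaluate" permits only a packet matching a still-live mirrored entry. It keys on protocol, addresses and ports only, as the displayed entries do, and deliberately does not model timer refresh or ICMP types.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

class ReflexiveAcl:
    """Model of 'permit ... reflect return' / 'evaluate return' (assumed semantics)."""
    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.entries: dict[tuple, int] = {}   # mirrored 5-tuple -> expiry (seconds)

    def outbound(self, pkt: Packet, now: int) -> str:
        # Traffic leaving the interface is permitted and installs the
        # mirror image of its 5-tuple (src/dst and ports swapped).
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout
        return "permit"

    def inbound(self, pkt: Packet, now: int) -> str:
        # 'evaluate return' first, then 'deny ip any any log': only a
        # live mirrored entry lets the packet in; everything else is denied.
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return "permit"
        return "deny"

def simulate() -> dict:
    acl = ReflexiveAcl(timeout=300)
    r1_lo, r2_lo = "150.1.1.1", "150.1.2.2"     # loopbacks seen in the post
    results = {}
    # A: R2's loopback pings R1's loopback with nothing reflected yet.
    results["unsolicited_echo"] = acl.inbound(Packet("icmp", r2_lo, r1_lo), now=0)
    # B: R1 pings R2 first; the reverse direction is now reflected.
    acl.outbound(Packet("icmp", r1_lo, r2_lo), now=10)
    results["reflected_echo"] = acl.inbound(Packet("icmp", r2_lo, r1_lo), now=15)
    # C: the same inbound packet after the 300 s reflexive timeout has elapsed.
    results["expired_echo"] = acl.inbound(Packet("icmp", r2_lo, r1_lo), now=320)
    # D: RIP (UDP 520) leaving Fa0/1 reflects the neighbour's RIP back in.
    acl.outbound(Packet("udp", "136.1.23.3", "136.1.23.2", 520, 520), now=20)
    results["rip_reply"] = acl.inbound(Packet("udp", "136.1.23.2", "136.1.23.3", 520, 520), now=25)
    return results

if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name}: {verdict}")
```

Case A is the situation the log line describes: an inbound packet that no earlier outbound traffic has mirrored is caught by the trailing deny.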
