Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

2600 Reflective ACL's

Status
Not open for further replies.
marshyrob

marshyrob

Technical User
Joined
Jan 20, 2004
Messages
137
Location
GB
Hello

Looking for a bit of advice if anyone can help!

We have a 2600 router as our Business Partner DMZ. We use a lot of reflective ACL's to allow traffic in and out on the ports they need to use and only those ports. We have the reflective ACL's working with all our business partners traffic bar one!!

This software requires port ranges on TCP and UDP to 4 possible addresses.
On the sub interface i have The following 2 access lists.

interface FastEthernet0/1.7
description Test
encapsulation isl 7
ip address 10.84.x.x 255.255.255.0
ip access-group TestIn in
ip access-group TestOut out
no ip redirects
ip nat outside
no cdp enable

ip access-list extended TestOut
permit icmp any any
evaluate TestRefOut
permit tcp host 10.84.x.x 208.134.x.x 0.0.0.255 range 8194 8294 reflect TestRefIn
permit udp host 10.84.x.x 208.134.x.x 0.0.0.255 range 48129 48137 reflect TestRefIn
permit tcp host 10.84.x.x 205.183.x.x 0.0.0.255 range 8194 8294 reflect TestRefIn
permit udp host 10.84.x.x 205.183.x.x 0.0.0.255 range 48129 48137 reflect TestRefIn
permit tcp host 10.84.x.x 199.105.x.x 0.0.7.255 range 8194 8294 reflect TestRefIn
permit udp host 10.84.x.x 199.105.x.x 0.0.7.255 range 48129 48137 reflect TestRefIn
permit tcp host 10.84.x.x 199.105.x.x 0.0.1.255 range 8194 8294 reflect TestRefIn
permit udp host 10.84.x.x 199.105.x.x 0.0.1.255 range 48129 48137 reflect TestRefIn
permit tcp host 10.84.x.x 69.184.x.x 0.0.255.255 range 8194 8294 reflect TestRefIn
permit udp host 10.84.x.x 69.184.x.x 0.0.255.255 range 48129 48137 reflect TestRefIn
deny ip any any

ip access-list extended TestIn
permit icmp any any
evaluate TestRefIn
deny ip any any

Problem being when i do a port Query on a valid port (TCP 8292) and look at my debug im getting the return traffic denied!?? Looks like it doesnt even pay any attention to the reflective commands? It lets the traffic out but wont allow the return traffic back in (the source address and port are valid in the debug output?) Its basically not reflecting the traffic its letting out!?

Any ideas?

Thanks

Rob


 
Sort by date Sort by votes
Ok the format for the access-list looks fine to me the only thing i can think of is that you are using nat on interface FastEthernet0/1.7
This means that 199.105.x.x 0.0.7.255 range is replying to and setting up sessions with the nat interface not the
10.84.x.x interface ??? is it doing the checkon the external interface before the router has applied the return nat??? check destination address of the incomming packets ???

Simon
 
Upvote 0 Downvote
Hi Simon

Thanks for your reply.

We are Nat'ing behind the FastEthernet0/1.7 address (overload) so the host is a 172.20.x.x address but it gets natted to the 10.84.x.x address.

From doing a port query i look at the debug info and i see the traffic leave the interface as the 10.84.x.x (source) to the correct destination address. The destination address then replies back to the source address (10.84.x.x), but thats where it fails as i get Access Denied. The interface has no other ACL on it. From my research on the Cisco website, in bound traffic does not get re-natted until its been checked against all ACL's?

Also when i do a show access-lists i see matches against deny ip any any INBOUND but no mathces on the reflective ACL's OUT or IN (usually you get an entry under the relect statement showing what its allowing)?

I just dont think the reflect statement works? ive tried it with just one reflect statement too, Purely the Source to destination on the correct port and still no joy!?

Im lost?!?!?!?
 
Upvote 0 Downvote
you might want to some port forwarding rules like this

ip nat inside source static tcp 10.84.x.x 8194 208.134.x.x 8194
 
Upvote 0 Downvote
Hi Simon

Thanks again for your advice. I managed to get it working by doing the following:

1. Made the Reflect ACL shorter to just 2 destination class C networks (did a sniff of the traffic the application created and it seems it was advertising routes via RIP but there were only two different networks being advertised?? We had 5 in our ACL).

2. Changed the permit statements from TCP and UDP to IP

This seemed to do the trick?!? Dont know why but it worked. Maybe the TCP / UDP stuff was wrong but when i do a debug i see the reflect statments being allowed and they are TCP and UDP ones?

Who knows but hey im happy!

Thanks for your time on this, i really appreciate it.

Rob
 
Upvote 0 Downvote
I think You should be able to do this with Group Policy.

If not and users have access to network cards then they can enable it
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xzeneize10
  • Locked
  • Question Question
cisco Aironet 2600 and cisco 2960x
Replies
3
Views
392
Silverblade
Silverblade
hidalgo1716
  • Locked
  • Question Question
My ACL's are not working like i think they should, can anyone take a look???
Replies
8
Views
323
imbadatthis
imbadatthis
pbxnkey
  • Locked
  • Question Question
Router ACL's
Replies
12
Views
458
Viconsul
Viconsul
colet
  • Locked
  • Question Question
cisco 2600 router crashing
Replies
4
Views
328
colet
colet
hortonhearsawho
  • Locked
  • Question Question
port forwarding on 2600 router
Replies
3
Views
254
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top