I have R1, R2, and R3, and I want to use reflexive access-lists to effectively help create a security policy that I can apply to R2.
I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow all traffic to exit the inside network, but do not want any unsolicited traffic from the outside network to be allowed in. I have RIP running between the three routers, and I want that to remain operational.
To accomplish this, I'll create two access-lists on R2: one for the outbound traffic, which builds the reflexive entries, and one for the inbound traffic, which evaluates them.
ip access-list extended DEPARTING
 permit tcp any any reflect TRAFFIC
 permit udp any any reflect TRAFFIC
 permit icmp any any reflect TRAFFIC
ip access-list extended ARRIVING
 permit udp any any eq 520
 evaluate TRAFFIC
 deny ip any any

I'll apply both ACLs to the outside interface on R2 in their respective directions.
interface s0/1
 ip access-group DEPARTING out
 ip access-group ARRIVING in

When I attempt to ping from R3 to R1, I don't receive replies, which is the expected behavior.
R3#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Before I ping from R1 outbound, here's the result of show ip access-list on R2.
R2#sh ip access-list
Extended IP access list ARRIVING
    10 permit udp any any eq rip (618 matches)
    20 evaluate TRAFFIC
    30 deny ip any any (67 matches)
Extended IP access list DEPARTING
    10 permit tcp any any reflect TRAFFIC
    20 permit udp any any reflect TRAFFIC
    30 permit icmp any any reflect TRAFFIC (20 matches)
Reflexive IP access list TRAFFIC
R2#

I see there are no entries under the reflexive ACL.
Now I'll ping from R1 to R3.
R1#ping 10.1.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R1#

I'll now check the ACLs on R2 again.
R2#sh ip access-list TRAFFIC
Reflexive IP access list TRAFFIC
    permit icmp host 10.1.23.3 host 10.1.12.1 (20 matches) (time left 276)
R2#

This time, an entry has been created under the reflexive ACL.
The default timeout for a reflexive ACL is 300 seconds, but I can adjust the timeout with the ip reflexive-list timeout command. I will change mine to 20 seconds.
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip reflexive-list timeout 20
R2(config)#end
R2#

The previous reflexive entry has been cleared, and I'll send another ping to verify that the new timeout behaves as expected.
R2#sh ip access-list TRAFFIC
Reflexive IP access list TRAFFIC
    permit icmp host 10.1.23.3 host 10.1.12.1 (19 matches) (time left 17)
R2#
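As an added illustration that is not part of the original post, here is a small Python model of how the DEPARTING and ARRIVING access-lists and the TRAFFIC reflexive list on R2 behave: outbound packets create a mirrored temporary entry, inbound packets are only permitted for RIP or a live entry, and entries age out after the configured timeout. The refresh-on-match rule for the idle timer is my assumption about IOS behaviour; the addresses and timeouts are the ones from the post.

```python
from dataclasses import dataclass

# Constructed model of R2 (not IOS code): DEPARTING reflects outbound TCP/UDP/ICMP
# into TRAFFIC; ARRIVING permits RIP (UDP 520), evaluates TRAFFIC, then denies the rest.
RIP_PORT = 520
DEFAULT_TIMEOUT = 300  # IOS default; the post lowers it with "ip reflexive-list timeout 20"

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 for icmp, which has no ports
    dport: int = 0

class ReflexiveFirewall:
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.traffic = {}  # reflected session key -> time the temporary entry expires

    def outbound(self, pkt, now):
        """DEPARTING (applied out on s0/1): permit tcp/udp/icmp any any reflect TRAFFIC."""
        if pkt.proto not in ("tcp", "udp", "icmp"):
            return False
        # Reflected entry has addresses and ports swapped, so only the reply matches it.
        self.traffic[(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """ARRIVING (applied in on s0/1): 10 permit udp eq 520, 20 evaluate TRAFFIC, 30 deny."""
        if pkt.proto == "udp" and pkt.dport == RIP_PORT:
            return True                                 # line 10: RIP updates keep flowing
        self.traffic = {k: t for k, t in self.traffic.items() if t > now}  # drop idle entries
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.traffic:
            self.traffic[key] = now + self.timeout      # line 20: a match restarts the idle timer (assumed)
            return True
        return False                                    # line 30: unsolicited traffic is dropped

def page_scenario(timeout=DEFAULT_TIMEOUT):
    """Replay the post: R3->R1 blocked, R1->R3 opens a hole, reply allowed, hole times out."""
    fw = ReflexiveFirewall(timeout)
    r3_to_r1 = Packet("icmp", "10.1.23.3", "10.1.12.1")
    r1_to_r3 = Packet("icmp", "10.1.12.1", "10.1.23.3")
    unsolicited = fw.inbound(r3_to_r1, now=0)                  # "U.U.U" seen on R3
    fw.outbound(r1_to_r3, now=10)                               # R1 pings R3
    reply = fw.inbound(r3_to_r1, now=11)                        # echo reply comes back
    expired = fw.inbound(r3_to_r1, now=11 + timeout + 1)        # entry has aged out
    return unsolicited, reply, expired
```

Calling page_scenario() with the default timeout and with 20 both return (False, True, False), matching the three observations on R2 above.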