Beginner

ACL evaluate statement not working.

Hi All,

I am trying to set up a reflexive ACL on a 1921 router.

I'm not sure what I'm doing wrong. I have followed the Cisco configuration guide, but I can't seem to get it to work correctly.

When I remove the INBOUND ACL from the interface Gig0/0 (WAN facing) I can see the counters for the OUTBOUND and MIRROR ACLs going up and everything seems to work as it should. Obviously there is nothing stopping inbound traffic.

When I apply the INBOUND ACL to Gig0/0 (in) it stops all traffic even though there is an evaluate statement.

Any ideas would be greatly appreciated.

thanks,

Mark.

Router#sh startup-config
Using 1703 out of 262136 bytes
!
! Last configuration change at 13:11:39 UTC Fri May 15 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.250.1.1 10.250.1.100
!
ip dhcp pool LAN
network 10.250.1.0 255.255.255.0
default-router 10.250.1.1
dns-server 10.250.1.1
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL182520JQ
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group INBOUND in
ip access-group OUTBOUND out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.250.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list standard NAT
permit 10.250.1.0 0.0.0.255
!
ip access-list extended INBOUND
evaluate MIRROR
ip access-list extended OUTBOUND
permit tcp any any reflect MIRROR timeout 300
permit udp any any reflect MIRROR timeout 300
permit icmp any any reflect MIRROR timeout 300
!
!
!
!
control-plane
!
!
vstack
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

----------------------------------------------------------------------------

Router#sh ip access-lists
Standard IP access list NAT
10 permit 10.250.1.0, wildcard bits 0.0.0.255 (128 matches)
Extended IP access list INBOUND
10 evaluate MIRROR
Reflexive IP access list MIRROR
permit icmp host 1.1.1.1 host 10.106.219.158 (8 matches) (time left 236)
permit icmp host 8.8.8.8 host 10.106.219.158 (13 matches) (time left 243)
permit icmp host 216.58.203.110 host 10.106.219.158 (212 matches) (time left 299)
permit udp host 10.250.1.1 eq domain host 10.106.219.158 eq 59817 (1 match) (time left 186)
permit udp host 10.250.1.1 eq domain host 10.106.219.158 eq 58656 (1 match) (time left 186)
Extended IP access list OUTBOUND
10 permit tcp any any reflect MIRROR (3115 matches)
20 permit udp any any reflect MIRROR (257 matches)
30 permit icmp any any reflect MIRROR (1492 matches)

Accepted Solution

Enthusiast

Re: ACL evaluate statement not working.

Hi,

Thanks for your testing result.

As you were pinging an external address from your router directly, the outbound ACL is not likely to be evaluated, so you may have to apply a route-map to force it to be evaluated for locally generated traffic (control-plane traffic).

route-map LOCAL-OUTBOUND permit 10
 match ip address OUTBOUND

ip local policy route-map LOCAL-OUTBOUND

Then, all locally generated traffic will be processed by route-map "LOCAL-OUTBOUND", which then calls the ACL "OUTBOUND". Afterward, the reflexive ACL entry will be automatically created and added to the inbound ACL.

Traffic will then be allowed.
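To make the mechanism behind this answer concrete, here is a small Python model of reflexive ACL processing. It is added as an illustration for this thread and is not code from the thread, from Cisco or from IOS. It assumes a simplified exact five-tuple match, ignores NAT (the addresses are the post-translation ones the outside interface's ACLs see, as in the MIRROR output above) and encodes the behaviour this answer relies on: packets the router generates itself are not put through the interface's outbound ACL, so no `reflect` entry is created for them, unless `ip local policy` forces them through it. The `Packet`, `ReflexiveList` and `OutsideInterface` names, and the 203.0.113.5 address, are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Five-tuple as the outside interface's ACLs see it (post-NAT addresses).
    Ports are None for ICMP, which IOS mirrors on addresses only."""
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def reply(self) -> "Packet":
        """The packet that answers this one: endpoints swapped."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


class ReflexiveList:
    """The temporary list that `reflect` fills and `evaluate` reads (MIRROR)."""

    def __init__(self, name: str, timeout: int = 300) -> None:
        self.name = name
        self.timeout = timeout
        self.entries: Dict[Packet, float] = {}  # permitted return flow -> expiry

    def reflect(self, pkt: Packet, now: float) -> None:
        # Store the mirrored tuple, i.e. the return packet that may come back in.
        self.entries[pkt.reply()] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        # Age out expired entries, then require an exact match.
        self.entries = {p: t for p, t in self.entries.items() if t > now}
        return pkt in self.entries

    def show(self) -> List[str]:
        """Rendering in the style of `show ip access-lists` for the reflexive list."""
        return [f"permit {p.proto} host {p.src} host {p.dst}" for p in self.entries]


class OutsideInterface:
    """Gig0/0 in the thread: OUTBOUND applied out, INBOUND applied in."""

    def __init__(self, local_policy: bool = False) -> None:
        self.mirror = ReflexiveList("MIRROR", timeout=300)
        # OUTBOUND: permit tcp/udp/icmp any any reflect MIRROR
        self.reflect_protos = {"tcp", "udp", "icmp"}
        # ip local policy route-map LOCAL-OUTBOUND (the accepted fix)
        self.local_policy = local_policy

    def send(self, pkt: Packet, now: float, router_originated: bool = False) -> bool:
        """Egress. Transit traffic passes the outbound ACL and is reflected;
        packets the router itself generates only do so under local policy."""
        if router_originated and not self.local_policy:
            return True  # forwarded, but OUTBOUND never saw it: no MIRROR entry
        if pkt.proto in self.reflect_protos:
            self.mirror.reflect(pkt, now)
            return True
        return False  # OUTBOUND's implicit deny

    def receive(self, pkt: Packet, now: float) -> bool:
        """Ingress: `evaluate MIRROR`, then the implicit deny ip any any."""
        return self.mirror.evaluate(pkt, now)


def run_scenarios() -> Dict[str, bool]:
    """Replay the situations discussed in the thread; True means the reply got in."""
    wan = "10.106.17.43"  # DHCP address of Gig0/0 in the later outputs
    echo = Packet("icmp", wan, "8.8.8.8")
    results: Dict[str, bool] = {}

    # LAN host pings out (seen post-NAT as wan): reflected, reply permitted.
    gi0 = OutsideInterface()
    gi0.send(echo, now=0)
    results["lan_ping_reply"] = gi0.receive(echo.reply(), now=1)
    # The same reply arriving after the 300 s timeout has no entry left.
    results["lan_ping_reply_after_timeout"] = gi0.receive(echo.reply(), now=301)

    # Ping from the router itself, no local policy: the failure in the thread.
    gi0 = OutsideInterface()
    gi0.send(echo, now=0, router_originated=True)
    results["router_ping_reply"] = gi0.receive(echo.reply(), now=1)

    # Same ping with ip local policy forcing local traffic through OUTBOUND.
    gi0 = OutsideInterface(local_policy=True)
    gi0.send(echo, now=0, router_originated=True)
    results["router_ping_reply_with_local_policy"] = gi0.receive(echo.reply(), now=1)

    # Unsolicited inbound connection attempt (constructed address) is dropped.
    gi0 = OutsideInterface()
    results["unsolicited_inbound"] = gi0.receive(Packet("tcp", "203.0.113.5", wan, 40001, 22), now=0)
    return results


if __name__ == "__main__":
    for name, permitted in run_scenarios().items():
        print(f"{name:40s} {'permitted' if permitted else 'denied'}")
```

The third scenario is the one Mark hit: the router's own ping never creates a MIRROR entry, so `evaluate` has nothing to match and the echo reply falls through to the deny. The model also shows why a reflexive ACL is only as good as its timeout: a reply that arrives after the entry has aged out is treated like any unsolicited packet.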

 

9 Replies

Enthusiast

Re: ACL evaluate statement not working.

Hi,

Your configuration is correct.

Reflexive ACL entries were automatically created:

Reflexive IP access list MIRROR
permit icmp host 1.1.1.1 host 10.106.219.158 (8 matches) (time left 236)
permit icmp host 8.8.8.8 host 10.106.219.158 (13 matches) (time left 243)
permit icmp host 216.58.203.110 host 10.106.219.158 (212 matches) (time left 299)
permit udp host 10.250.1.1 eq domain host 10.106.219.158 eq 59817 (1 match) (time left 186)
permit udp host 10.250.1.1 eq domain host 10.106.219.158 eq 58656 (1 match) (time left 186)

What traffic stopped? Is it outbound traffic (initiated from G0/1 to G0/0) or inbound traffic (initiated from G0/0 to G0/1)?

Do you see the "stopped" traffic listed in the above MIRROR ACL?

 

Beginner

Re: ACL evaluate statement not working.

Thanks for your reply.

From what I can tell traffic can go from LAN (G0/1) > WAN (G0/0) and it shows up in the MIRROR ACL, but when traffic is coming back it gets stopped.

The INBOUND ACL appears to block incoming traffic even though it should be evaluating the MIRROR ACL.

I'm not sure what else I can try.

Any help would be appreciated.

 

Thanks.

Enthusiast

Re: ACL evaluate statement not working.

Hi,

May I know which IOS version you are using?

I am curious if the INBOUND ACL really dropped the traffic.

If you could reproduce the problem, please kindly try to:

1. Add "deny ip any any log" at the end of the INBOUND ACL.
If any traffic is not evaluated by the reflexive ACL, it gets dropped with a log.

ip access-list extended INBOUND
 evaluate MIRROR
 deny ip any any log

2. debug ip packet with a filter, to see what stopped the packet.

Enable "debug ip packet" carefully and always apply a filter to prevent system resources from being exhausted.

(config)# ip access-list extended 101
(config-acl)# permit icmp host 8.8.8.8 host 10.106.219.158
(config-acl)# permit icmp host 8.8.8.8 host 10.250.1.X

# debug ip packet detail 101
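Step 1 turns every drop into a `%SEC-6-IPACCESSLOGDP` (ICMP) or `%SEC-6-IPACCESSLOGP` (TCP/UDP) syslog message. The Python below is added here as an example and is not code from the thread or from Cisco: it parses those messages into structured events, totals denied packets per ACL, protocol and source, and flags denials that look like return traffic, which is exactly the symptom a reflexive ACL produces when its mirror entry was never created or has timed out. The first two sample lines are the ones Mark posts later in this thread; the others are constructed (203.0.113.5 is documentation address space). The reply heuristic in `looks_like_return_traffic` is this example's assumption, not an IOS rule, and standard-list `IPACCESSLOGS` messages, which carry no protocol field, are deliberately not parsed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First two lines: posted in this thread. Remaining lines: constructed for the example.
SAMPLE_LOG = """\
*May 16 07:04:28.079: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 216.58.199.46 -> 10.106.17.43 (0/0), 4 packets
*May 16 07:05:28.083: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 8.8.8.8 -> 10.106.17.43 (0/0), 5 packets
*May 16 07:06:01.100: %SEC-6-IPACCESSLOGP: list INBOUND denied udp 10.106.17.1(53) -> 10.106.17.43(54343), 1 packet
*May 16 07:06:30.200: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.5(40001) -> 10.106.17.43(22), 3 packets
*May 16 07:06:31.250: %SEC-6-IPACCESSLOGP: list INBOUND permitted udp 10.106.17.1(67) -> 255.255.255.255(68), 1 packet
*May 16 07:07:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# IPACCESSLOGP carries ports in parentheses; IPACCESSLOGDP carries ICMP type/code
# in parentheses after the destination. Both end in ", N packet(s)".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogEvent:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[int]
    icmp_code: Optional[int]
    packets: int

    def looks_like_return_traffic(self) -> bool:
        """Heuristic (this example's assumption, not an IOS rule): an ICMP echo reply,
        unreachable or time-exceeded, or a TCP/UDP packet from a well-known port to an
        ephemeral port, is probably answering a flow the inside originated."""
        if self.proto == "icmp":
            return self.icmp_type in (0, 3, 11)
        if self.sport is not None and self.dport is not None:
            return self.sport < 1024 <= self.dport
        return False


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_line(line: str) -> Optional[AclLogEvent]:
    """Parse one syslog line; None for lines that are not extended-ACL log messages."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return AclLogEvent(
        g["acl"], g["action"], g["proto"], g["src"], g["dst"],
        _opt_int(g["sport"]), _opt_int(g["dport"]),
        _opt_int(g["itype"]), _opt_int(g["icode"]), int(g["count"]),
    )


def parse_log(text: str) -> List[AclLogEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def denied_return_traffic(events: List[AclLogEvent]) -> List[AclLogEvent]:
    """Denied events that look like replies: a reflexive ACL that never got its
    mirror entry (or whose entry timed out) shows up exactly here."""
    return [e for e in events if e.action == "denied" and e.looks_like_return_traffic()]


def denied_packets_by_source(events: List[AclLogEvent]) -> Dict[Tuple[str, str, str], int]:
    """Total denied packets per (ACL, protocol, source address)."""
    totals: Counter = Counter()
    for e in events:
        if e.action == "denied":
            totals[(e.acl, e.proto, e.src)] += e.packets
    return dict(totals)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in denied_return_traffic(events):
        print(f"{e.acl}: likely reply denied {e.proto} {e.src} -> {e.dst} ({e.packets} pkts)")
    for key, n in sorted(denied_packets_by_source(events).items()):
        print(key, n)
```

The `(0/0)` in the two thread lines is ICMP type 0, code 0, an echo reply, so the parser classifies both as denied return traffic; the constructed SSH attempt from 203.0.113.5 is a plain unsolicited connection and is left in the per-source totals only. Counting rather than alerting on every line matters here because `log` entries on a busy interface are rate-limited by IOS and the packet count in each message is the only complete figure.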

 

 

Beginner

Re: ACL evaluate statement not working.

Hi,

Thanks for the advice. It appears the evaluate statement isn't allowing traffic past, as it's hitting the deny statements.

It also seems ICMP isn't getting added to the MIRROR ACL.

Outputs below.

thanks,

Mark.

 

Router#sh ip access-lists
Standard IP access list NAT
10 permit 10.250.1.0, wildcard bits 0.0.0.255 (20 matches)
Extended IP access list INBOUND
10 evaluate MIRROR
20 deny icmp any any (5 matches)
30 deny tcp any any
40 deny udp any any (29 matches)
Reflexive IP access list MIRROR
permit tcp host 52.114.76.37 eq 443 host 10.106.17.43 eq 1192 (18 matches) (time left 217)
permit tcp host 23.53.241.66 eq www host 10.106.17.43 eq 1190 (10 matches) (time left 151)
permit tcp host 23.53.241.66 eq www host 10.106.17.43 eq 1189 (9 matches) (time left 151)
permit tcp host 23.53.241.66 eq www host 10.106.17.43 eq 1188 (7 matches) (time left 151)
permit tcp host 23.53.241.66 eq www host 10.106.17.43 eq 1187 (9 matches) (time left 151)
permit tcp host 23.53.241.66 eq www host 10.106.17.43 eq 1186 (10 matches) (time left 151)
permit tcp host 20.36.219.28 eq 443 host 10.106.17.43 eq 1185 (52 matches) (time left 207)
permit tcp host 20.36.219.28 eq 443 host 10.106.17.43 eq 1184 (41 matches) (time left 57)
permit tcp host 52.184.80.179 eq 443 host 10.106.17.43 eq 1179 (14 matches) (time left 31)
permit tcp host 52.184.80.179 eq 443 host 10.106.17.43 eq 1178 (16 matches) (time left 30)
permit tcp host 40.119.211.203 eq 443 host 10.106.17.43 eq 1177 (13 matches) (time left 30)
permit tcp host 40.90.23.154 eq 443 host 10.106.17.43 eq 1174 (21 matches) (time left 138)
permit tcp host 13.107.42.12 eq 443 host 10.106.17.43 eq 1173 (16 matches) (time left 29)
permit tcp host 52.114.6.46 eq 443 host 10.106.17.43 eq 1172 (15 matches) (time left 31)
Extended IP access list OUTBOUND
10 permit tcp any any reflect MIRROR (409 matches)
20 permit udp any any reflect MIRROR
30 permit icmp any any reflect MIRROR
Router#

Router#debug ip packet detail 100
IP packet debugging is on (detailed) for access list 100
Router#
Router#
Router#sh ip acces
Router#sh ip access-lists 100
Extended IP access list 100
10 permit icmp any any
20 permit ip any any
Router#ping google.com
Translating "google.com"...domain server (10.106.17.1)
*May 16 05:54:24.231: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 05:54:24.231: UDP src=54343, dst=53, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.231: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 05:54:24.231: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 05:54:24.231: FIBipv4-packet-proc: packet routing succeeded
*May 16 05:54:24.231: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending
*May 16 05:54:24.231: UDP src=54343, dst=53
*May 16 05:54:24.231: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.231: UDP src=54343, dst=53, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.231: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.235: UDP src=54343, dst=53, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.235: UDP src=54343, dst=53, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.235: UDP src=54343, dst=53, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.235: UDP src=54343, dst=53, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending full packet
*May 16 05:54:24.235: UDP src=54343, dst=53
*May 16 05:54:24.491: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:24.491: UDP src=53, dst=54343, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:24.491: UDP src=53, dst=54343, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:24.491: UDP src=53, dst=54343, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, access denied
*May 16 05:54:24.491: UDP src=53, dst=54343
*May 16 05:54:24.491: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 10.106.17.1 dst 10.106.17.43
*May 16 05:54:24.491: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 05:54:24.491: FIBipv4-packet-proc: packet routing failed
*May 16 05:54:24.491: IP: tableid=0, s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 05:54:24.491: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 05:54:24.491: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 05:54:24.491: FIBipv4-packet-proc: packet routing succeeded
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending
*May 16 05:54:24.491: ICMP type=3, code=13
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.491: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.491: ICMP type=3, code=13, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.491: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=
% Unrecognized host or address, or protocol not running.

Router#10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.491: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:24.491: ICMP type=3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:24.491: IP: s=10.106.17.43 (local), d=10.106.17.1 (Giga
Router#bitEthernet0/0), len 56, sending full packet
*May 16 05:54:24.491: ICMP type=3, code=13
*May 16 05:54:24.491: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:24.491: UDP src=53, dst=54343, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 05:54:27.235: UDP src=54343, dst=53, NAT(2), rtype 0, forus FALSE, sendsel
Router#f FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 05:54:27.235: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 05:54:27.235: FIBipv4-packet-proc: packet routing succeeded
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending
*May 16 05:54:27.235: UDP src=54343, dst=53
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (G
Router#igabitEthernet0/0), len 56, output feature
*May 16 05:54:27.235: UDP src=54343, dst=53, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.235: UDP src=54343, dst=53, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), le
Router#n 56, output feature
*May 16 05:54:27.235: UDP src=54343, dst=53, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.235: UDP src=54343, dst=53, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:
Router#54:27.235: UDP src=54343, dst=53, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending full packet
*May 16 05:54:27.235: UDP src=54343, dst=53
*May 16 05:54:27.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:27.235: UDP src=53, dst=54343, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Router#*May 16 05:54:27.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:27.235: UDP src=53, dst=54343, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:27.235: UDP src=53, dst=54343, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: IP: s=10.106.1
Router#7.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, access denied
*May 16 05:54:27.235: UDP src=53, dst=54343
*May 16 05:54:27.235: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 10.106.17.1 dst 10.106.17.43
*May 16 05:54:27.235: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 05:54:27.235: FIBipv4-packet-proc: packet routing failed
*May 16 05:54:27.235: IP: tableid=0, s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 05:54:27.
Router#235: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 05:54:27.235: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.235: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 05:54:27.235: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 05:54:27.235: FIBipv4-packet-proc: packet routing succeeded
*May 16 05:54:27.235: IP: s=10.106.17.43 (local), d=10.106.17.
Router#1 (GigabitEthernet0/0), len 56, sending
*May 16 05:54:27.235: ICMP type=3, code=13
*May 16 05:54:27.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.239: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.239: ICMP type=3, code=13, Common Flow Table
Router#(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.239: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.239: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendsel
Router#f FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:27.239: ICMP type=3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:27.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending full packet
*May 16 05:54:27.239: ICMP type=3, code=13
*May 16 05:54:27.239: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len
Router#72, input feature
*May 16 05:54:27.239: UDP src=53, dst=54343, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 05:54:30.235: UDP src=54343, dst=53, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 05:54:30.235: FIBfwd-proc: packet r
Router#outed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 05:54:30.235: FIBipv4-packet-proc: packet routing succeeded
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending
*May 16 05:54:30.235: UDP src=54343, dst=53
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.235: UDP src=54343, dst=53, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk F
Router#ALSE
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.235: UDP src=54343, dst=53, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.235: UDP src=54343, dst=53, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235:
Router# IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.235: UDP src=54343, dst=53, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.235: UDP src=54343, dst=53, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.43 (local), d=10.106.1
Router#7.1 (GigabitEthernet0/0), len 56, sending full packet
*May 16 05:54:30.235: UDP src=54343, dst=53
*May 16 05:54:30.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:30.235: UDP src=53, dst=54343, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:30.235: UDP src=53, dst=54343, Stateful Inspection(8), rt
Router#ype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:30.235: UDP src=53, dst=54343, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.235: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, access denied
*May 16 05:54:30.235: UDP src=53, dst=54343
*May 16 05:54:30.235: FIBipv4-packet-proc: route packet from G
Router#igabitEthernet0/0 src 10.106.17.1 dst 10.106.17.43
*May 16 05:54:30.235: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 05:54:30.235: FIBipv4-packet-proc: packet routing failed
*May 16 05:54:30.235: IP: tableid=0, s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 05:54:30.239: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdc
Router#hk FALSE
*May 16 05:54:30.239: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 05:54:30.239: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 05:54:30.239: FIBipv4-packet-proc: packet routing succeeded
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending
*May 16 05:54:30.239: ICMP type=3, code=13
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), l
Router#en 56, output feature
*May 16 05:54:30.239: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.239: ICMP type=3, code=13, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*
Router#May 16 05:54:30.239: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.239: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 05:54:30.239: ICMP type=
Router#3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 05:54:30.239: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending full packet
*May 16 05:54:30.239: ICMP type=3, code=13
*May 16 05:54:30.239: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 05:54:30.239: UDP src=53, dst=54343, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Router#

Beginner

Re: ACL evaluate statement not working.

Hi Mate,

It appears it's the inbound ACL dropping the traffic because the evaluate statement isn't allowing it past.

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.6(3)M4

c1900-universalk9-mz.SPA.156-3.M4.bin

Router#
Router#ping google.com
Translating "google.com"...domain server (10.106.17.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.199.46, timeout is 2 seconds:
....
*May 16 07:04:28.079: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 216.58.199.46 -> 10.106.17.43 (0/0), 4 packets .
Success rate is 0 percent (0/5)
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
Router#sh ip access-lists
Standard IP access list NAT
10 permit 10.250.1.0, wildcard bits 0.0.0.255
Extended IP access list INBOUND
10 evaluate MIRROR
20 permit udp any any eq domain log
30 permit udp any any eq bootps log
40 permit udp any any eq bootpc log (2 matches)
50 permit udp any eq domain any (3 matches)
90 deny ip any any log (40 matches)
Reflexive IP access list MIRROR
Extended IP access list OUTBOUND
10 permit ip any any reflect MIRROR
20 permit udp any any reflect MIRROR
30 permit icmp any any reflect MIRROR
Router#
*May 16 07:05:28.083: %SEC-6-IPACCESSLOGDP: list INBOUND denied icmp 8.8.8.8 -> 10.106.17.43 (0/0), 5 packets
Router#

Router#debug ip packet detail
IP packet debugging is on (detailed)
Router#no debug ip packet detail
IP packet debugging is off (detailed)
Router#
Router#
Router#debug ip packet detail
IP packet debugging is on (detailed)
Router#ping google.com
Translating "google.com"...domain server (10.106.17.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.199.46, timeout is 2 seconds:

*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1, len 56, local feature
*May 16 07:08:22.695: UDP src=64872, dst=53, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.695: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 10.106.17.1
*May 16 07:08:22.695: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:22.695: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending
*May 16 07:08:22.695: UDP src=64872, dst=53
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:22.695: UDP src=64872, dst=53, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:22.695: UDP src=64872, ds.t=53, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:22.695: UDP src=64872, dst=53, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:22.695: UDP src=64872, dst=53, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:22.695: UDP src=64872, dst=53, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.695: IP: s=10.106.17.43 (local), d=10.106.17.1 (GigabitEthernet0/0), len 56, sending full packet
*May 16 07:08:22.695: UDP src=64872, dst=53
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEtherne.t0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64.872, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64872, NAT Outside(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, input feature
*May 16 07:08:22.943: UDP src=53, dst=64872, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 10.106.17.1 dst 10.106.17.43
*May 16 07:08:22.943: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 07:08:22.943: FIBipv4-packet-proc: packet routing failed
*May 16 07:08:22.943: IP: tableid=0, s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106..17.43 (GigabitEthernet0/0), len 72, output feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), len 72, output feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), len 72, output feature
*May 16 07:08:22.943: UDP src=53, dst=64872, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), len 72, rcvd 3
*May 16 07:08:22.943: UDP src=53, dst=64872
*May 16 07:08:22.943: IP: s=10.106.17.1 (GigabitEthernet0/0), d=10.106.17.43, len 72, stop process pak for forus packet
*May 16 07:08:22.947: UDP src=53,.
Success rate is 0 percent (0/5)
Router# dst=64872
*May 16 07:08:22.947: IP: s=10.106.17.43 (local), d=216.58.199.46, len 100, local feature
*May 16 07:08:22.947: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.947: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:22.947: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:22.947: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:22.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending
*May 16 07:08:22.947: ICMP type=8, code=0
*May 16 07:08:22.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:22.947: ICMP type=8, code=0, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:22.947: ICMP type=8, code=0, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:22.947: ICMP type=8, code=0, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:22.951: ICMP type=8, code=0, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.951: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:22.951: ICMP type=8, code=0, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:22.951: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending full packet
*May 16 07:08:22.951: ICMP type=8, code=0
*May 16 07:08:23.047: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:23.047: ICMP type=0, code=0, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:23.047: ICMP type=0, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:23.047: ICMP type=0, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, access denied
*May 16 07:08:23.047: ICMP type=0, code=0
*May 16 07:08:23.047: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 216.58.199.46 dst 10.106.17.43
*May 16 07:08:23.047: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 07:08:23.047: FIBipv4-packet-proc: packet routing failed
*May 16 07:08:23.047: IP: tableid=0, s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46, len 56, local feature
*May 16 07:08:23.047: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:23.047: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:23.047: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending
*May 16 07:08:23.047: ICMP type=3, code=13
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:23.047: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:23.047: ICMP type=3, code=13, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:23.047: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Router#debug ip packet detail
IP packet debugging is on (detailed)
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:23.047: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:23.047: ICMP type=3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:23.047: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending full packet
*May 16 07:08:23.047: ICMP type=3, code=13
*May 16 07:08:23.051: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:23.051: ICMP type=0, code=0, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46, len 100, local feature
*May 16 07:08:24.947: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:24.947: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:24.947: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending
*May 16 07:08:24.947: ICMP type=8, code=0
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:24.947: ICMP type=8, code=0, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:24.947: ICMP type=8, code=0, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:24.947: ICMP type=8, code=0, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:24.947: ICMP type=8, code=0, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:24.947: ICMP type=8, code=0, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:24.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending full packet
*May 16 07:08:24.947: ICMP type=8, code=0
*May 16 07:08:25.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:25.035: ICMP type=0, code=0, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:25.035: ICMP type=0, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:25.035: ICMP type=0, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, access denied
*May 16 07:08:25.035: ICMP type=0, code=0
*May 16 07:08:25.035: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 216.58.199.46 dst 10.106.17.43
*May 16 07:08:25.035: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 07:08:25.035: FIBipv4-packet-proc: packet routing failed
*May 16 07:08:25.035: IP: tableid=0, s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46, len 56, local feature
*May 16 07:08:25.035: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:25.035: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:25.035: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending
Router#debug ip packet detail
IP packet debugging is on (detailed)
*May 16 07:08:25.035: ICMP type=3, code=13
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:25.035: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:25.035: ICMP type=3, code=13, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:25.035: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:25.035: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:25.035: ICMP type=3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:25.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending full packet
*May 16 07:08:25.035: ICMP type=3, code=13
*May 16 07:08:25.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:25.035: ICMP type=0, code=0, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46, len 100, local feature
*May 16 07:08:26.947: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:26.947: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:26.947: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:26.947: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending
*May 16 07:08:26.947: ICMP type=8, code=0
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:26.947: ICMP type=8, code=0, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:26.947: ICMP type=8, code=0, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:26.947: ICMP type=8, code=0, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Router#debug ip packet detail
IP packet debugging is on (detailed)
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:26.947: ICMP type=8, code=0, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:26.947: ICMP type=8, code=0, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:26.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending full packet
*May 16 07:08:26.947: ICMP type=8, code=0
*May 16 07:08:27.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:27.035: ICMP type=0, code=0, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:27.035: ICMP type=0, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:27.035: ICMP type=0, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, access denied
*May 16 07:08:27.035: ICMP type=0, code=0
Router#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.199.46, timeout is 2 seconds:
*May 16 07:08:27.035: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 216.58.199.46 dst 10.106.17.43
*May 16 07:08:27.035: FIBfwd-proc: Default:10.106.17.43/32 receive entry
*May 16 07:08:27.035: FIBipv4-packet-proc: packet routing failed
*May 16 07:08:27.035: IP: tableid=0, s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46, len 56, local feature
*May 16 07:08:27.035: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:27.035: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:27.035: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending
*May 16 07:08:27.035: ICMP type=3, code=13
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:27.035: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:27.035: ICMP type=3, code=13, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:27.035: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:27.035: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:27.035: ICMP type=3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:27.035: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending full packet
*May 16 07:08:27.035: ICMP type=3, code=13
*May 16 07:08:27.035: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:27.035: ICMP type=0, code=0, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46, len 100, local feature
*May 16 07:08:28.947: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:28.947: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:28.947: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending
*May 16 07:08:28.947: ICMP type=8, code=0
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:28.947: ICMP type=8, code=0, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:28.947: ICMP type=8, code=0, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:28.947: ICMP type=8, code=0, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:28.947: ICMP type=8, code=0, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, output feature
*May 16 07:08:28.947: ICMP type=8, code=0, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:28.947: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 100, sending full packet
*May 16 07:08:28.947: ICMP type=8, code=0
*May 16 07:08:29.055: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:29.055: ICMP type=0, code=0, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:29.055: ICMP type=0, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:29.055: ICMP type=0, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, access denied
*May 16 07:08:29.055: ICMP type=0, code=0
*May 16 07:08:29.055: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 216.58.199.46 dst 10.106.17.43
*May 16 07:08:29.055: FIBfwd-proc: Default:10.106.17.43/32 receive entry
Success rate is 0 percent (0/5)
Router#
*May 16 07:08:29.055: FIBipv4-packet-proc: packet routing failed
*May 16 07:08:29.055: IP: tableid=0, s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43 (GigabitEthernet0/0), routed via RIB
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46, len 56, local feature
*May 16 07:08:29.055: ICMP type=3, code=13, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: FIBipv4-packet-proc: route packet from (local) src 10.106.17.43 dst 216.58.199.46
*May 16 07:08:29.055: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 10.106.17.1
*May 16 07:08:29.055: FIBipv4-packet-proc: packet routing succeeded
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending
*May 16 07:08:29.055: ICMP type=3, code=13
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:29.055: ICMP type=3, code=13, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:29.055: ICMP type=3, code=13, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:29.055: ICMP type=3, code=13, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:29.055: ICMP type=3, code=13, Access List(52), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, output feature
*May 16 07:08:29.055: ICMP type=3, code=13, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Router#ping google.com
*May 16 07:08:29.055: IP: s=10.106.17.43 (local), d=216.58.199.46 (GigabitEthernet0/0), len 56, sending full packet
*May 16 07:08:29.055: ICMP type=3, code=13
*May 16 07:08:29.055: IP: s=216.58.199.46 (GigabitEthernet0/0), d=10.106.17.43, len 96, input feature
*May 16 07:08:29.055: ICMP type=0, code=0, packet consumed, Access List(47), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*May 16 07:08:30.947: IP: s=10.106.17.43 (local), d=216.58.199.46, len 100, local feature

Enthusiast

Re: ACL evaluate statement not working.

Hi,

 

Thanks for your testing result. 

 

As you were pinging an external address from your router directly, the outbound ACL is not likely to be evaluated, so you may have to apply a route-map to force it to be evaluated for locally generated traffic (control-plane traffic).

 

route-map LOCAL-OUTBOUND permit 10
 match ip address OUTBOUND

ip local policy route-map LOCAL-OUTBOUND

Then, all locally generated traffic will be processed by route-map "LOCAL-OUTBOUND", which then calls the ACL "OUTBOUND". Afterward, the reflexive ACL entry will be automatically created and added to the inbound ACL.

 

Traffic will then be allowed.

 


Beginner

Re: ACL evaluate statement not working.

Thanks!

That allowed the pings from the CLI to be added to the OUTBOUND ACL, as you said.

I still need statements 30, 40 and 50 to allow DHCP and DNS to work.

Extended IP access list INBOUND
10 evaluate MIRROR
20 permit udp any any eq domain log
30 permit udp any any eq bootps log
40 permit udp any any eq bootpc log
50 permit udp any eq domain any (196 matches)
90 deny ip any any log (202 matches)

 

It doesn't want to evaluate the UDP MIRROR statement.

It's getting plenty of hits on the MIRROR ACL for DNS


Extended IP access list OUTBOUND
10 permit ip any any reflect MIRROR (15783 matches)
20 permit udp any any reflect MIRROR
30 permit icmp any any reflect MIRROR
40 permit udp any eq domain any reflect MIRROR

 

Reflexive IP access list MIRROR
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 53678 (1 match) (time left 300)
permit tcp host 142.250.66.240 eq www host 10.106.198.42 eq 2839 (10 matches) (time left 299)
permit udp host 10.250.1.101 eq 52506 host 10.250.1.1 eq domain (2 matches) (time left 299)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 63707 (2 matches) (time left 299)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 58416 (2 matches) (time left 299)
permit tcp host 208.74.205.244 eq 443 host 10.106.198.42 eq 2835 (29 matches) (time left 1)
permit tcp host 208.74.205.244 eq 443 host 10.106.198.42 eq 2834 (34 matches) (time left 0)
permit tcp host 172.217.167.99 eq 443 host 10.106.198.42 eq 2833 (36 matches) (time left 292)
permit udp host 10.250.1.101 eq 49661 host 10.250.1.1 eq domain (2 matches) (time left 291)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 65061 (2 matches) (time left 291)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 51774 (2 matches) (time left 291)
permit tcp host 20.36.219.28 eq 443 host 10.106.198.42 eq 2830 (42 matches) (time left 286)
permit tcp host 52.43.148.214 eq 443 host 10.106.198.42 eq 2829 (18 matches) (time left 1)
permit tcp host 52.43.148.214 eq 443 host 10.106.198.42 eq 2828 (19 matches) (time left 0)
permit udp host 10.250.1.101 eq 50844 host 10.250.1.1 eq domain (2 matches) (time left 235)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 50394 (2 matches) (time left 235)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 63253 (2 matches) (time left 235)
permit udp host 10.250.1.101 eq 60558 host 10.250.1.1 eq domain (2 matches) (time left 173)
permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 53449 (2 matches) (time left 173)

 

It's working now, thanks for your help. 

I don't suppose you know why DHCP and DNS won't use the evaluate statement?

 

Enthusiast

Re: ACL evaluate statement not working.

Hi, 

 

Unlike a stateful firewall, a reflexive ACL has no application awareness. For example, when your router broadcasts the DHCP request, the following entry will be added:

 

Reflexive IP access list MIRROR
permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc (1 matches) (time left 300)

But clearly, it cannot match the return traffic, which should look like

permit udp host 10.106.198.1 eq bootps host 0.0.0.0 eq bootpc 

As a workaround, as you have done, simply add an additional entry to allow bootps in the INBOUND ACL.

 

 


It doesn't want to evaluate the UDP MIRROR statement.

 

It's getting plenty of hits on the MIRROR ACL for DNS


Extended IP access list OUTBOUND
10 permit ip any any reflect MIRROR (15783 matches)
20 permit udp any any reflect MIRROR
30 permit icmp any any reflect MIRROR
40 permit udp any eq domain any reflect MIRROR


You can't see hit counts on statements 20, 30 and 40 because statement 10 is hiding the rest of them.

 


permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 65061 (2 matches) (time left 291)

 

It's working now, thanks for your help. 

I don't suppose you know why DHCP and DNS won't use the evaluate statement?


The local DNS request should have been included; you don't actually need to explicitly allow UDP 53. If the remote DNS server uses the correct source/destination port, the traffic should be allowed. You may re-run the test (debug ip packet detail 101) to see why it gets dropped.
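The two effects this reply describes, the mirrored entry that a broadcast DHCP request produces and the hit counters hidden by statement 10, modelled as an added Python example. This is not code from the thread or from Cisco IOS; it is a small first-match ACL model whose mirroring rule (swap source and destination addresses and ports) reproduces the reflexive lines shown above. The DNS query, the DHCP server address 10.106.198.1 and the OUTBOUND list are taken from the thread; the DISCOVER packet and the ping/HTTP flows in the shadowing demo are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port names as `show access-lists` prints them; anything else prints numerically.
PORT_NAMES = {53: "domain", 67: "bootps", 68: "bootpc", 80: "www"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp" or "icmp"
    src: str
    sport: int   # 0 for icmp, which carries no ports in this model
    dst: str
    dport: int


@dataclass
class AclEntry:
    seq: int
    proto: str                    # "ip" matches every protocol
    src: str                      # "any" or a single host address
    sport: Optional[int]          # None means any port
    dst: str
    dport: Optional[int]
    reflect: Optional[str] = None  # reflexive list populated on a match
    matches: int = 0

    def hit(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class ReflexiveAcl:
    """Temporary entries keyed on the exact 5-tuple of the expected return packet."""

    def __init__(self) -> None:
        self.entries: List[AclEntry] = []

    def mirror(self, p: Packet) -> AclEntry:
        # The return-traffic entry is the outbound packet with source and
        # destination (addresses and ports) swapped; nothing else is inspected.
        e = AclEntry(0, p.proto, p.dst, p.dport, p.src, p.sport)
        self.entries.append(e)
        return e

    def evaluate(self, p: Packet) -> bool:
        """What `evaluate MIRROR` does on the inbound list: first matching entry wins."""
        for e in self.entries:
            if e.hit(p):
                e.matches += 1
                return True
        return False


def apply_outbound(acl: List[AclEntry], reflexive: Dict[str, ReflexiveAcl],
                   p: Packet) -> Optional[int]:
    """First-match evaluation; returns the matching sequence number (None is the
    implicit deny). Only the line that matched gets the hit and creates the mirror."""
    for e in acl:
        if e.hit(p):
            e.matches += 1
            if e.reflect:
                reflexive[e.reflect].mirror(p)
            return e.seq
    return None


def describe(e: AclEntry) -> str:
    """Render an entry the way `show access-lists` prints a reflexive line."""
    def side(host: str, port: Optional[int]) -> str:
        name = "" if port is None else f" eq {PORT_NAMES.get(port, str(port))}"
        return f"host {host}{name}"
    return f"permit {e.proto} {side(e.src, e.sport)} {side(e.dst, e.dport)}"


def dhcp_demo():
    """The mirror is built from the broadcast DISCOVER, so the offer that arrives
    from the server's real address never matches it (constructed DISCOVER)."""
    mirror = ReflexiveAcl()
    discover = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
    entry = mirror.mirror(discover)
    offer = Packet("udp", "10.106.198.1", 67, "0.0.0.0", 68)  # server address from the thread
    return describe(entry), mirror.evaluate(offer)


def dns_demo():
    """A DNS reply is the exact swap of the query, so the reflexive entry matches."""
    mirror = ReflexiveAcl()
    query = Packet("udp", "10.106.198.42", 53678, "10.106.198.1", 53)  # values from the thread
    entry = mirror.mirror(query)
    reply = Packet("udp", "10.106.198.1", 53, "10.106.198.42", 53678)
    return describe(entry), mirror.evaluate(reply), entry.matches


def shadowing_demo():
    """Hit counters for the thread's OUTBOUND list: line 10 absorbs every packet."""
    outbound = [
        AclEntry(10, "ip", "any", None, "any", None, reflect="MIRROR"),
        AclEntry(20, "udp", "any", None, "any", None, reflect="MIRROR"),
        AclEntry(30, "icmp", "any", None, "any", None, reflect="MIRROR"),
        AclEntry(40, "udp", "any", 53, "any", None, reflect="MIRROR"),
    ]
    reflexive = {"MIRROR": ReflexiveAcl()}
    traffic = [  # constructed sample flows: DNS query, ping, HTTP
        Packet("udp", "10.106.198.42", 53678, "10.106.198.1", 53),
        Packet("icmp", "10.106.198.42", 0, "216.58.199.46", 0),
        Packet("tcp", "10.106.198.42", 2839, "142.250.66.240", 80),
    ]
    for p in traffic:
        apply_outbound(outbound, reflexive, p)
    return {e.seq: e.matches for e in outbound}


if __name__ == "__main__":
    print(dhcp_demo())
    print(dns_demo())
    print(shadowing_demo())
```

`dhcp_demo()` renders the same `permit udp host 255.255.255.255 eq bootps host 0.0.0.0 eq bootpc` line quoted above and shows the offer failing to match it, which is why a static bootps permit on INBOUND is needed; `dns_demo()` renders the thread's `permit udp host 10.106.198.1 eq domain host 10.106.198.42 eq 53678` entry and shows the reply matching; `shadowing_demo()` ends with all three hits on sequence 10 and zero on 20, 30 and 40, the same pattern as the counters in the quoted `show access-lists` output.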

 

 

Beginner

Re: ACL evaluate statement not working.

Thank you for all your help!
It is most appreciated.