Reflexive ACL not working as expected ICMP

Gareth Williams
Level 1

Hi all,

I've been scratching my head, but the reflexive ACL is not working as I thought it would.

I have a computer connected to the router, I have NAT configured, and I can reach the internet fine.

When I configure the reflexive ACL, I cannot get pings to work; the inbound ACL is denying them.

Config ACL:

!
ip access-list extended INBOUND
 evaluate REMEMBER
 deny   ip any any log
ip access-list extended OUTBOUND
 permit tcp any any log reflect REMEMBER
 permit udp any any log reflect REMEMBER
 permit icmp any any log reflect REMEMBER
 permit icmp any any echo-reply log reflect REMEMBER
 deny   ip any any log
!

Interface outside:

!
interface FastEthernet0/0
 description Outside
 ip address dhcp
 ip access-group INBOUND in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!

Interface inside:

!
interface FastEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip access-group OUTBOUND in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!

Show output:

R1#show access-list
Standard IP access list NAT
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (2 matches)
Extended IP access list INBOUND
    1 evaluate REMEMBER
    10 deny ip any any log (2 matches)
Extended IP access list OUTBOUND
    10 permit tcp any any log reflect REMEMBER
    20 permit udp any any log reflect REMEMBER
    30 permit icmp any any log reflect REMEMBER (2 matches)
    40 permit icmp any any echo-reply log reflect REMEMBER
    50 deny ip any any log
Reflexive IP access list REMEMBER
     permit icmp host 8.8.8.8 host 10.1.1.2  log (2 matches) (time left 295)

I am sending 2 ping packets through; the OUTBOUND ACL matches the ICMP packets, which is good.

So the reflexive ACL is the opposite of that OUTBOUND ACL, and we also see matches.

I do not understand why the INBOUND ACL has 2 matches. Because I have "1 evaluate REMEMBER" first in the list, is it not supposed to match this first? As it is called REMEMBER, should it not allow return traffic through?

I haven't tried web traffic or anything else, just ICMP.

Thanks

2 Replies

Because the ICMP return traffic is a separate traffic flow from the original ICMP (ping), it is being dropped because the router doesn't recognize it as part of an existing flow. Your TCP and UDP sessions should be fine, though. You will need to explicitly permit the ICMP return traffic in the Inbound ACL.

--

Please remember to select a correct answer and rate helpful posts


I tried to put TCP traffic through the router. I am trying to go to www.google.co.uk, and I am using 8.8.8.8 as my DNS server.

It is still not performing as I would expect. Same issue as with the ICMP traffic. I can see the reflexive ACL entries being created, but my ACL is still denying the traffic. Any ideas?

R1#show access-list
Standard IP access list NAT
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (32 matches)
Extended IP access list INBOUND
    10 evaluate REMEMBER
    20 deny ip any any log (249 matches)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect REMEMBER (56 matches)
    20 permit udp any any reflect REMEMBER (191 matches)
    30 permit icmp any any reflect REMEMBER (2 matches)
    40 deny ip any any log
Reflexive IP access list REMEMBER
     permit udp host 239.255.255.250 eq 1900 host 192.168.14.1 eq 1900 (18 matches) (time left 213)
     permit tcp host 62.253.72.162 eq www host 10.1.1.2 eq 1081 (2 matches) (time left 191)
     permit tcp host 62.253.72.162 eq www host 10.1.1.2 eq 1080 (2 matches) (time left 191)
     permit tcp host 62.253.72.162 eq www host 10.1.1.2 eq 1079 (2 matches) (time left 187)
     permit tcp host 62.253.72.162 eq www host 10.1.1.2 eq 1078 (2 matches) (time left 187)
     permit tcp host 62.253.72.168 eq www host 10.1.1.2 eq 1077 (3 matches) (time left 176)
     permit tcp host 62.253.72.168 eq www host 10.1.1.2 eq 1076 (3 matches) (time left 176)
     permit tcp host 62.253.72.168 eq www host 10.1.1.2 eq 1075 (3 matches) (time left 172)
     permit tcp host 62.253.72.168 eq www host 10.1.1.2 eq 1074 (3 matches) (time left 172)
     permit tcp host 62.253.72.157 eq www host 10.1.1.2 eq 1073 (3 matches) (time left 155)
     permit tcp host 62.253.72.157 eq www host 10.1.1.2 eq 1072 (3 matches) (time left 155)
     permit tcp host 62.253.72.157 eq www host 10.1.1.2 eq 1071 (3 matches) (time left 152)
     permit tcp host 62.253.72.157 eq www host 10.1.1.2 eq 1070 (3 matches) (time left 151)
     permit udp host 192.168.14.255 eq netbios-dgm host 192.168.14.1 eq netbios-dgm (1 match) (time left 134)
     permit tcp host 62.253.72.153 eq www host 10.1.1.2 eq 1069 (3 matches) (time left 135)
     permit tcp host 62.253.72.153 eq www host 10.1.1.2 eq 1068 (3 matches) (time left 135)
     permit tcp host 62.253.72.153 eq www host 10.1.1.2 eq 1067 (3 matches) (time left 131)
     permit tcp host 62.253.72.153 eq www host 10.1.1.2 eq 1066 (3 matches) (time left 131)
     permit tcp host 62.253.72.182 eq www host 10.1.1.2 eq 1065 (3 matches) (time left 114)
     permit tcp host 62.253.72.182 eq www host 10.1.1.2 eq 1064 (3 matches) (time left 114)
     permit tcp host 62.253.72.182 eq www host 10.1.1.2 eq 1063 (3 matches) (time left 110)
     permit tcp host 62.253.72.182 eq www host 10.1.1.2 eq 1062 (3 matches) (time left 110)
     permit udp host 10.1.1.255 eq netbios-ns host 10.1.1.2 eq netbios-ns (7 matches) (time left 101)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 1061 (19 matches) (time left 113)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 1060 (59 matches) (time left 294)
     permit udp host 8.8.8.8 eq domain host 10.1.1.2 eq 1033 (59 matches) (time left 202)
     permit udp host 239.255.255.250 eq 1900 host 192.168.14.1 eq 65141 (27 matches) (time left 199)
     permit udp host 10.1.1.255 eq netbios-dgm host 10.1.1.2 eq netbios-dgm (1 match) (time left 60)
     permit icmp host 8.8.8.8 host 10.1.1.2  (2 matches) (time left 48)
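Editor's note, added to the thread and not written by any of the posters: the `show access-list` output above already points at the cause, and it is the same for ICMP, TCP and UDP. The OUTBOUND list is applied inbound on FastEthernet0/1, and IOS checks an interface's inbound ACL before NAT translates the packet, so every REMEMBER entry is built from the untranslated inside address (`host 10.1.1.2`). When a reply arrives on FastEthernet0/0, its inbound ACL (INBOUND) is likewise evaluated before NAT undoes the translation, so the packet's destination is still the router's outside DHCP address; no REMEMBER entry names that address, nothing matches `evaluate REMEMBER`, and the packet falls through to `deny ip any any log` (249 matches in the second output). The reflexive entries themselves look healthy, which is what makes this confusing.

The usual fix is to build the reflexive entries on the NAT-outside interface in the outbound direction, where the packet has already been translated, so that the entries carry the outside address that INBOUND will see on the way back. The configuration below is an added example with that change; it reuses the interface names, the 10.1.1.0/24 network and the list names from the posts. The NAT translation statement was not shown in the thread, so the `ip nat inside source` line is an assumption (overload onto the DHCP interface), and the outside address is whatever DHCP assigns.

```cisco
! Added example (editor's, not from the thread): the same lists, with the
! reflect list moved to the NAT-outside interface in the outbound direction.
! Interface names, 10.1.1.0/24 and list names come from the posts; the NAT
! statement at the bottom is assumed, as it was not shown in the thread.
ip access-list standard NAT
 permit 10.1.1.0 0.0.0.255
!
ip access-list extended OUTBOUND
 permit tcp any any reflect REMEMBER
 permit udp any any reflect REMEMBER
 permit icmp any any reflect REMEMBER
 deny   ip any any log
!
ip access-list extended INBOUND
 evaluate REMEMBER
 deny   ip any any log
!
! Reflexive entries expire after 300 seconds by default (hence "time left 295"
! in the output). Lower this if you want stale entries removed sooner.
ip reflexive-list timeout 300
!
interface FastEthernet0/0
 description Outside
 ip address dhcp
 ip nat outside
 ! Packets leaving here have already been translated, so REMEMBER is built
 ! with the outside address as the destination of the expected reply.
 ip access-group OUTBOUND out
 ! Replies are checked against INBOUND before NAT, still addressed to the
 ! outside address, so the reflexive entries now match.
 ip access-group INBOUND in
!
interface FastEthernet0/1
 description Inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ! Remove the inbound reflect list from the inside interface.
 no ip access-group OUTBOUND in
!
! Assumed NAT statement; the thread shows the NAT list but not this line.
ip nat inside source list NAT interface FastEthernet0/0 overload
```

After a ping from 10.1.1.2, `show access-list REMEMBER` should now show an entry of the form `permit icmp host 8.8.8.8 host <outside address>` rather than `host 10.1.1.2`, and the INBOUND deny counter should stop climbing; `show ip nat translations` confirms the outside address in use. Two caveats: an outbound ACL does not filter traffic the router itself originates, so a ping sourced from R1 creates no reflexive entry and its reply is still dropped by INBOUND, so test from the PC; and the separate `permit icmp any any echo-reply ... reflect` line in the first post can never match, because the `permit icmp any any` line above it catches everything first, which is why it shows no matches.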
