| Thread ID: 123908 | 2012-03-25 02:20:00 | Cisco - Reflective ACL Query | WarNox (8772) | Press F1 |
| Post ID | Timestamp | User |
| 1266652 | 2012-03-25 02:20:00 | WarNox (8772) |

Hi, basically what I'm trying to achieve is to allow ALL outbound traffic from the LAN but control inbound traffic. I'm doing all this on a Cisco 800 router which is also used for DNS. When I apply the ACLs below everything works except DNS from the Cisco (the router I'm applying the ACLs on).

Configuration:

    Extended IP access list in-filter
        10 evaluate reflexive-out-filter
    Extended IP access list out-filter
        10 permit ip any any reflect reflexive-out-filter (51120 matches)
    Reflexive IP access list reflexive-out-filter

    interface Dialer0
     ...
     ip access-group in-filter in
     ip access-group out-filter out

When the above is applied I cannot resolve any DNS queries unless I set my DNS server to an external one manually (Orcon, Google etc...). Any help appreciated.
| 1266653 | 2012-03-26 09:55:00 | WarNox (8772) |

In case someone else comes across this, I've managed to fix it. I first figured out the router doesn't inspect the traffic it generates, as below (blog.ioshints.info):

    This problem nicely illustrates a broader issue: the router does not inspect its own traffic and thus does not prepare conduits for the return packets; you have to specify all the return traffic you're expecting in the incoming access list. This drawback has been fixed in IOS release 12.3(14)T with the introduction of the Inspection of Router-Generated Traffic feature.

So I read up on CBAC, implemented it and now it works fine :)
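Added example configuration, not the poster's own: the CBAC approach the second post describes, applied on the same Dialer0 interface so that the router's own DNS lookups get return entries like LAN traffic does. The inspection name LAN-OUT and the contents of in-filter are assumptions; the router-traffic keyword is the Inspection of Router-Generated Traffic feature the quoted post names (IOS 12.3(14)T and later), so confirm its exact syntax in the ip inspect command reference for your release.

```cisco
! Added example (not the original poster's running config).
! CBAC inspection replaces the reflexive ACL pair on Dialer0: outbound
! sessions from the LAN open temporary return entries in the inbound ACL,
! and the "router-traffic" keyword (Inspection of Router-Generated Traffic,
! IOS 12.3(14)T+) makes the router's own DNS queries open them too.
ip inspect name LAN-OUT tcp router-traffic
ip inspect name LAN-OUT udp router-traffic
ip inspect name LAN-OUT icmp
!
! Inbound ACL on the WAN side: nothing unsolicited gets in. CBAC inserts its
! dynamic entries ahead of this list, so no "evaluate" line is needed.
ip access-list extended in-filter
 remark assumed contents; add explicit permits here only for inbound services you host
 deny ip any any log
!
interface Dialer0
 ! the reflexive out-filter is no longer needed in either direction
 no ip access-group out-filter out
 ip access-group in-filter in
 ip inspect LAN-OUT out
!
! Check after applying: a lookup originated by the router itself should now
! show up as an inspect session and its reply pass in-filter.
! Router# ping www.example.com
! Router# show ip inspect sessions
```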