Extended IP access list lan-in
permit icmp any 195.168.1.0 0.0.0.255 echo-reply
permit tcp any host 195.168.1.20 eq 80 (7 matches)
permit bgp any any (4 matches)
evaluate ok-packets
Extended IP access list lan-out
permit tcp 195.168.1.0 0.0.0.255 any eq 80 reflect ok-packets timeout 180
permit tcp 195.168.1.0 0.0.0.255 any eq 53 reflect ok-packets
Reflexive IP access list ok-packets
permit tcp host 201.37.14.127 eq www host 195.168.52 eq 80 (5 matches)
(time left 140 seconds)
Reflexive Access Lists Caveats
Some applications, like FTP, allow port numbers to be changed during a session, so the port numbers of the returning packets are not the same as those of the originating packet. Reflexive access lists cannot resolve this, and the return packet is denied even though it is part of the same session. Passive FTP is an option that works with reflexive access lists if the FTP site supports it.
Reflexive access lists cannot examine data in the packet beyond the Layer 4 (OSI model) information, such as TCP and UDP port numbers and the related IP addresses. They cannot follow the application, as the FTP discussion in the preceding paragraph shows.
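The following toy model is an added example, not code from the book or from Cisco IOS. It mirrors the lan-out / lan-in / ok-packets lists shown above: an outbound `reflect` installs a temporary entry with the source and destination swapped, and `evaluate` on the inbound side permits only packets whose exact 5-tuple matches an unexpired entry. It then shows the caveat from the text: the server-initiated data channel of active FTP never matches a mirrored entry and is denied, while passive FTP's client-initiated data channel is reflected and its replies permitted. The addresses, ports, the FTP server, and the catch-all outbound TCP rule (the book's lan-out only permits ports 80 and 53) are assumptions made for the demonstration.

```python
"""Toy model of Cisco reflexive access-list behaviour (added example, not
from the book). All addresses and ports below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """The temporary entries that `reflect <name>` creates and `evaluate <name>` checks."""

    def __init__(self, clock):
        self.clock = clock                      # callable returning seconds (injectable)
        self.entries: dict[tuple, float] = {}   # mirrored 5-tuple -> expiry time

    def reflect(self, pkt: Packet, timeout: int) -> None:
        # Mirror the outbound tuple so that only the exact RETURN packet matches.
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = self.clock() + timeout

    def evaluate(self, pkt: Packet) -> bool:
        now = self.clock()
        # Expired entries are removed before the lookup, as the timeout would do.
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


LAN = ip_network("195.168.1.0/24")
DEFAULT_TIMEOUT = 300   # IOS global default for reflexive entries (seconds)


def lan_out(ok: ReflexiveList, pkt: Packet) -> bool:
    """Outbound ACL: permit LAN-originated TCP and create a reflexive entry."""
    if pkt.proto != "tcp" or ip_address(pkt.src) not in LAN:
        return False
    # Port 80 carries its own 180-second timeout, as in the book's lan-out list.
    # Reflecting every other TCP port is an assumption added so FTP can be shown.
    ok.reflect(pkt, timeout=180 if pkt.dport == 80 else DEFAULT_TIMEOUT)
    return True


def lan_in(ok: ReflexiveList, pkt: Packet) -> bool:
    """Inbound ACL: static permit for the web server, then `evaluate ok-packets`."""
    if pkt.proto == "tcp" and pkt.dst == "195.168.1.20" and pkt.dport == 80:
        return True
    return ok.evaluate(pkt)


def web_session() -> tuple[bool, bool]:
    """Return (reply permitted immediately, reply permitted after the timeout)."""
    clock = [0.0]
    ok = ReflexiveList(lambda: clock[0])
    lan_out(ok, Packet("tcp", "195.168.1.52", 40000, "201.37.14.127", 80))
    reply = Packet("tcp", "201.37.14.127", 80, "195.168.1.52", 40000)
    first = lan_in(ok, reply)
    clock[0] += 181                 # step past the 180-second timeout on port 80
    return first, lan_in(ok, reply)


def active_ftp() -> bool:
    """Server opens the data channel from port 20: no mirrored entry, so denied."""
    clock = [0.0]
    ok = ReflexiveList(lambda: clock[0])
    lan_out(ok, Packet("tcp", "195.168.1.52", 40001, "203.0.113.9", 21))    # control
    data = Packet("tcp", "203.0.113.9", 20, "195.168.1.52", 40002)          # server-initiated
    return lan_in(ok, data)


def passive_ftp() -> bool:
    """Client opens the data channel itself, so its reply is reflected and permitted."""
    clock = [0.0]
    ok = ReflexiveList(lambda: clock[0])
    lan_out(ok, Packet("tcp", "195.168.1.52", 40001, "203.0.113.9", 21))    # control
    lan_out(ok, Packet("tcp", "195.168.1.52", 40002, "203.0.113.9", 50123)) # PASV data port
    data_reply = Packet("tcp", "203.0.113.9", 50123, "195.168.1.52", 40002)
    return lan_in(ok, data_reply)


if __name__ == "__main__":
    print("web reply permitted / after timeout:", web_session())
    print("active FTP data channel permitted:", active_ftp())
    print("passive FTP data channel permitted:", passive_ftp())
```

The clock is injected rather than read from the system so the timeout can be stepped deterministically; the mirrored entry is keyed on the full 5-tuple, which is exactly why the model, like the real feature, has no way to associate the server's port-20 connection with the control session that preceded it.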