[[nsp] Source-only reflexive ACLs]
Robert Viau
rviau at wcom.ca
Thu Jan 23 14:36:35 EST 2003
When I first read your response I thought "Of course! Why didn't I think of
that?" but, I'm afraid it doesn't work:
1605#sh access-list reflect-testtest
Reflexive IP access list reflect-testtest
permit tcp host 24.112.221.123 eq telnet host 205.150.160.10 eq 43290 (1 match) (time left 295)
1605#sh access-list testtest
Extended IP access list testtest
permit tcp any host 24.112.221.123 syn reflect reflect-testtest
permit ip any any (2400 matches)
1605#
I was matching 'any any' previously and it was creating the exact same
entries in the reflective ACL.
Any other ideas?
I'm running 12.2.13T btw.
----- Original Message -----
From: "Joshua Smith" <joshua.ej.smith at usa.net>
To: "Robert Viau" <rviau at wcom.ca>; <cisco-nsp at puck.nether.net>
Sent: Thursday, January 23, 2003 2:22 PM
Subject: Re: [[nsp] Source-only reflexive ACLs]
use the 'any' statement
ip access-list ext reflexive
 permit <protocol> xxx.xxx.xxx.xxx any reflect <name>
"Robert Viau" <rviau at wcom.ca> wrote:
> Does anyone know if there is any way to have a reflexive ACL built with just
> the source address and port of the triggering packet instead of source and
> destination?
>
> I can't find anything on cisco.com.
>
> Thanks,
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
"Walk with me through the Universe,
And along the way see how all of us are Connected.
Feast the eyes of your Soul,
On the Love that abounds.
In all places at once, seemingly endless,
Like your own existence."
- Stephen Hawking -
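An added illustration, not code from the thread or from IOS, of why the 'any' change makes no difference: a small Python model in which the temporary entry is mirrored from the triggering packet's full 5-tuple, so the same server answering any other client port is not matched. The class and function names are ours, and the packet values are constructed from the show output above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of how IOS builds a reflexive entry (illustration, not IOS code).
@dataclass(frozen=True)
class Ace:
    """An ACE or a packet: 'any' wildcards an address, None wildcards a port."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    syn: bool = False            # on an ACE: require SYN; on a packet: SYN is set
    reflect: Optional[str] = None  # ACE only: name of the reflexive list to populate

def matches(ace: Ace, pkt: Ace) -> bool:
    return (ace.proto == pkt.proto
            and ace.src in ("any", pkt.src) and ace.sport in (None, pkt.sport)
            and ace.dst in ("any", pkt.dst) and ace.dport in (None, pkt.dport)
            and (not ace.syn or pkt.syn))

def reflect_entry(pkt: Ace) -> Ace:
    # Mirror the packet's full 5-tuple: both hosts and both ports are pinned, whatever the ACE wildcarded.
    return Ace(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

def trigger(acl: list, pkt: Ace) -> Optional[Ace]:
    """First matching ACE wins; return the entry it reflects, or None."""
    for ace in acl:
        if matches(ace, pkt):
            return reflect_entry(pkt) if ace.reflect else None
    return None

def render(ace: Ace) -> str:
    def ep(addr, port):
        a = "any" if addr == "any" else f"host {addr}"
        return a if port is None else f"{a} eq {'telnet' if port == 23 else port}"
    return f"permit {ace.proto} {ep(ace.src, ace.sport)} {ep(ace.dst, ace.dport)}"

# Constructed: the telnet SYN behind the entry shown in the thread.
SYN = Ace("tcp", "205.150.160.10", 43290, "24.112.221.123", 23, syn=True)
# The 'testtest' trigger (any -> host) and the suggested all-'any' variant.
ACE_HOST = Ace("tcp", "any", None, "24.112.221.123", None, syn=True, reflect="reflect-testtest")
ACE_ANY = Ace("tcp", "any", None, "any", None, syn=True, reflect="reflect-testtest")

def demo():
    e_host, e_any = trigger([ACE_HOST], SYN), trigger([ACE_ANY], SYN)
    # Return traffic on the same connection passes; the server answering another client port does not.
    back = Ace("tcp", "24.112.221.123", 23, "205.150.160.10", 43290)
    other = Ace("tcp", "24.112.221.123", 23, "205.150.160.10", 43291)
    return render(e_host), e_host == e_any, matches(e_host, back), matches(e_host, other)
```

`demo()` returns the rendered entry exactly as the router displayed it, confirms both trigger ACEs yield the identical entry, and shows the entry is bound to the destination port as well as the source.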