[[nsp] Source-only reflexive ACLs]

Robert Viau rviau at wcom.ca
Thu Jan 23 14:36:35 EST 2003

When I first read your response I thought "Of course!  Why didn't I think of
that?" but, I'm afraid it doesn't work :

1605#sh access-list reflect-testtest
Reflexive IP access list reflect-testtest
    permit tcp host eq telnet host eq 43290 (1
match) (time left 295)
1605#sh access-list testtest
Extended IP access list testtest
    permit tcp any host syn reflect reflect-testtest
    permit ip any any (2400 matches)

I was matching 'any any' previously and it was creating the exact same
entries in the reflective ACL.

Any other ideas?

I'm running 12.2.13T btw.

----- Original Message -----
From: "Joshua Smith" <joshua.ej.smith at usa.net>
To: "Robert Viau" <rviau at wcom.ca>; <cisco-nsp at puck.nether.net>
Sent: Thursday, January 23, 2003 2:22 PM
Subject: Re: [[nsp] Source-only reflexive ACLs]

use the 'any' statement

ip access-list ext reflexive
permit <protocol> xxx.xxx.xxx.xxx any reflect

"Robert Viau" <rviau at wcom.ca> wrote:
> Does anyone know if there is anyway to have a reflexive ACL built with
> the source address and port of the triggering packet instead of source and
> destination?
> I can't find anything on cisco.com.
> Thanks,
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -

More information about the cisco-nsp mailing list