[nsp] Source-only reflexive ACLs

Rob V rviau75 at rogers.com
Fri Jan 24 12:26:14 EST 2003


Ah crap!

Sorry if that was HTML.  I just re-installed XP and my mail client and
hadn't fixed my settings yet.


-----Original Message-----
From: Rob V [mailto:rviau75 at rogers.com] 
Sent: January 24, 2003 12:21 PM
To: 'oboehmer at cisco.com'
Cc: 'cisco-nsp at puck.nether.net'
Subject: RE: [nsp] Source-only reflexive ACLs

Well, I've got a VERY odd setup.

Traffic coming in has normal source/destination information.  It's then
NATed to 1918 destination space.  When the replies enter the 1605 from
my LAN, they're obviously sourced from 1918 space, headed to the
original sender.  Here is where the problem begins.  I have a few tunnel
interfaces up, going over a wireless network.  The people on the other
end of the tunnel are on other ISPs so they advertise the ISPs blocks to
me.  When someone in one of these blocks tries to reach services on my
network, the reply ends up going through the tunnel, and being NATed to
a different address than what they are expecting the reply from, and the
session fails.

What I was hoping to accomplish with reflexive ACLs and a route-map was
to force traffic coming in my WAN interface to exit via my WAN
interface despite there being a quicker path through the WLAN.

Any ideas?

Thanks,

Rob

-----Original Message-----
From: Robert Viau [mailto:rviau at wcom.ca] 
Sent: January 24, 2003 10:36 AM
To: rviau75 at rogers.com
Subject: RE: [nsp] Source-only reflexive ACLs

Hi Robert,

> Does anyone know if there is anyway to have a reflexive ACL 
> built with just
> the source address and port of the triggering packet instead 
> of source and destination?

No, we always build the temporary ACL entry with full source & dest
addr/port information; after all, this is what reflexive ACLs were built
for (to allow specific sessions only).
What do you want to achieve?

	oli
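For reference, the standard IOS reflexive ACL arrangement oli describes, set up in the direction Rob wants (sessions triggered on the WAN inbound side, return traffic evaluated on the WAN outbound side). This is an added example, not configuration from the thread; the interface name, ACL names and timeouts are assumptions.

```ios
! Added example: reflexive ACL on the WAN interface.
! Interface, list names and timeouts are assumptions, not from the thread.
ip access-list extended WAN-IN
 ! Each permitted inbound TCP/UDP session creates a temporary entry in
 ! REFLECTED with the full, mirrored source/destination address and port
 ! pair of the triggering packet (there is no source-only form).
 permit tcp any any reflect REFLECTED timeout 300
 permit udp any any reflect REFLECTED timeout 60
 permit ip any any
!
ip access-list extended WAN-OUT
 ! Return traffic is matched against those mirrored 5-tuple entries.
 ! A reply that leaves via another interface (e.g. a tunnel) never hits
 ! this list, so reflexive entries cannot steer the return path; they
 ! only filter what already traverses this interface.
 evaluate REFLECTED
 deny ip any any log
!
interface Serial0
 description WAN (assumed interface)
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
```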