The example is of a reflexive ACL that permits Internet Control Message Protocol (ICMP) traffic outbound and inbound, while it permits only TCP traffic that was initiated from inside. All other traffic is denied by the implicit deny at the end of each ACL.
The following configuration causes the router to keep track of TCP traffic that was initiated from inside. Each outbound TCP packet that matches the permit statement creates a temporary, mirrored entry (source and destination addresses and ports swapped) in the reflexive ACL named tcptraffic:
RouterX(config)#ip access-list extended outboundfilters
RouterX(config-ext-nacl)#permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
RouterX(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
The next configuration creates an inbound policy that requires the router to check incoming traffic to see whether it was initiated from inside. The evaluate statement ties the reflexive ACL tcptraffic, which is populated by the outboundfilters ACL, to the inboundfilters ACL: inbound TCP traffic is permitted only if it matches one of the temporary entries in tcptraffic, and those entries are removed when the session closes or when the reflexive timeout expires. Note that the ICMP permit is stateless; it allows ICMP from 172.16.1.0/24 whether or not an inside host sent anything first:
RouterX(config)#ip access-list extended inboundfilters
RouterX(config-ext-nacl)#permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
RouterX(config-ext-nacl)#evaluate tcptraffic
The configuration in Example 6-1 applies both an inbound and an outbound ACL to the interface: outboundfilters in the outbound direction and inboundfilters in the inbound direction.
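As an added illustration that is not part of the Cisco text, the following Python model shows the router behaviour these two ACLs produce: an outbound TCP packet creates a mirrored temporary entry, the return packet is permitted by evaluate, an unsolicited inbound TCP SYN is dropped by the implicit deny, an unsolicited inbound ICMP packet is still permitted because that permit is stateless, and the temporary entry disappears on session close or after the timeout. The addresses, ports and sample packets are constructed for the demonstration; the 300-second value is the IOS default for ip reflexive-list timeout, and the immediate removal on FIN or RST is a simplification of the IOS teardown timer.

```python
"""Model of the reflexive-ACL behaviour configured above.

Added example, not from the Cisco text: a minimal simulation of how
outboundfilters (permit icmp / permit tcp ... reflect tcptraffic) and
inboundfilters (permit icmp / evaluate tcptraffic) treat packets.
Addresses, ports and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.1.1.0/24")     # 10.1.1.0 0.0.0.255 in the ACL
OUTSIDE = ip_network("172.16.1.0/24")  # 172.16.1.0 0.0.0.255 in the ACL
REFLEXIVE_TIMEOUT = 300  # seconds; IOS default for "ip reflexive-list timeout"


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "icmp", ... (constructed sample traffic)
    src: str
    dst: str
    sport: int = 0    # 0 for ICMP
    dport: int = 0
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "F", "R"


class Router:
    """One router holding the temporary entries of the reflexive list tcptraffic."""

    def __init__(self):
        # key: (proto, src, sport, dst, dport) as the return packet will look
        # value: time at which the temporary entry expires
        self.tcptraffic = {}

    # --- outboundfilters --------------------------------------------------
    def outbound(self, pkt, now):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in INSIDE and dst in OUTSIDE:
            if pkt.proto == "icmp":
                return True                        # permit icmp ...
            if pkt.proto == "tcp":                 # permit tcp ... reflect tcptraffic
                # Mirror the 5-tuple so that the return packet matches.
                key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                self.tcptraffic[key] = now + REFLEXIVE_TIMEOUT
                return True
        return False                               # implicit deny

    # --- inboundfilters ---------------------------------------------------
    def inbound(self, pkt, now):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.proto == "icmp" and src in OUTSIDE and dst in INSIDE:
            return True                            # permit icmp ... (stateless)
        # evaluate tcptraffic: only packets matching a live temporary entry pass
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.tcptraffic.get(key)
        if expiry is None or now > expiry:
            self.tcptraffic.pop(key, None)         # expired entries disappear
            return False                           # implicit deny
        if "F" in pkt.flags or "R" in pkt.flags:
            # IOS removes the entry when the session closes; modelled here as
            # immediate removal on FIN or RST (a simplification).
            del self.tcptraffic[key]
        else:
            self.tcptraffic[key] = now + REFLEXIVE_TIMEOUT  # refresh on use
        return True


def run_demo():
    """Replay constructed traffic through one router; return {label: permitted}."""
    r = Router()
    inside, outside = "10.1.1.5", "172.16.1.10"
    return {
        "out icmp": r.outbound(Packet("icmp", inside, outside), 0),
        "in icmp unsolicited": r.inbound(Packet("icmp", outside, inside), 0),
        "out tcp syn": r.outbound(Packet("tcp", inside, outside, 40000, 80, "S"), 0),
        "in tcp syn-ack (return)": r.inbound(Packet("tcp", outside, inside, 80, 40000, "SA"), 1),
        "in tcp syn unsolicited": r.inbound(Packet("tcp", outside, inside, 4444, 22, "S"), 1),
        "in tcp after timeout": r.inbound(Packet("tcp", outside, inside, 80, 40000, "A"), 1000),
        "out udp": r.outbound(Packet("udp", inside, outside, 5000, 53), 0),
    }


if __name__ == "__main__":
    for label, ok in run_demo().items():
        print(f"{'permit' if ok else 'deny  '}  {label}")
```

The model keys the temporary entry on the full 5-tuple, which is why the unsolicited SYN from the same outside host to a different port is dropped even while a session to port 80 is open; it also shows the practical caveat that the stateless ICMP permit lets any host in 172.16.1.0/24 reach the inside network with ICMP at any time.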