Tuesday, March 25, 2008

Reflexive ACL and Local PBR

Traffic generated by the router itself is not checked against the access-group applied to the outgoing interface. That breaks a reflexive ACL for router-originated sessions: the outbound entry with the reflect keyword is never hit, so no temporary entry is created in the reflexive list, and the inbound ACL that evaluates it drops the return traffic.

R1------Frame Relay------R2

R1 Configuration:

interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
!
interface Serial1/0.1 point-to-point
ip address 10.1.12.1 255.255.255.0
ip access-group inbound in
ip access-group outbound out
frame-relay interface-dlci 102
!
ip access-list extended inbound
permit ospf any any
evaluate TELNET
ip access-list extended outbound
permit ospf any any
permit tcp any any eq telnet reflect TELNET
!

R2 Configuration:
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
!
interface Serial1/0.1 point-to-point
ip address 10.1.12.2 255.255.255.0
frame-relay interface-dlci 201
!

Telnet from R1 to R2 times out: the SYN leaves R1 without creating a TELNET reflexive entry, and the SYN-ACK from R2 is dropped by the inbound ACL, which only permits OSPF and whatever the evaluate statement currently matches.

The workaround is to create a loopback interface on R1 and apply a local policy route-map that sets the next hop for router-originated Telnet to that loopback address.

R1:
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
access-list 100 permit tcp any any eq telnet
!
!
!
route-map myPolicy permit 10
match ip address 100
set ip next-hop 10.10.10.10
!
ip local policy route-map myPolicy
!

Doing so pushes router-generated Telnet through the forwarding path a second time: the packet is policy-routed to the loopback, which is local to R1, and from there it is routed again like transit traffic, using the normal routing table, so this time it is checked against the outbound ACL on Serial1/0.1. The reflect statement creates the temporary entry and the inbound evaluate permits the return traffic for as long as the session is open.

Two things to verify and one caveat. While the Telnet session is up, show ip access-lists TELNET should list the dynamically created entry with its remaining time, and show route-map myPolicy should show the policy routing match counter increasing. Note that access-list 100 matches every Telnet the router originates, whatever the destination; this is harmless here because the second routing lookup uses the normal table, but scoping it to the peer (for example permit tcp any host 10.1.12.2 eq telnet) keeps the policy from touching Telnet sessions toward other interfaces. Other router-originated traffic, such as ping to R2, still bypasses the outbound ACL and its replies are still dropped by the inbound ACL, because only Telnet is policy-routed.
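As an added illustration (not code from this post or from IOS), the following Python model reproduces R1's two ACLs and the two ways a packet can leave Serial1/0.1: generated by the router, which skips the outbound ACL unless local PBR re-injects it, or forwarded as transit. The Router and Packet classes, the port numbers and the address pairs are assumptions; only the ACL logic follows the configuration above.

```python
"""Toy model of a Cisco-style reflexive ACL, written to illustrate the post.

Added example, not IOS code: 'Router', 'Packet' and the port numbers are
assumptions; the ACL bodies mirror R1's 'inbound' and 'outbound' lists.
"""
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "ospf", ...
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """Named reflexive list: temporary entries created by 'reflect' and
    consulted by 'evaluate'. IOS stores them with source and destination
    (addresses and ports) swapped, so they match the return direction."""

    def __init__(self, name):
        self.name = name
        self.entries = set()

    def reflect(self, pkt):
        self.entries.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def evaluate(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


class Router:
    """R1's Serial1/0.1 with the two access-groups from the post."""

    def __init__(self, local_policy=False):
        self.telnet = ReflexiveList("TELNET")
        self.local_policy = local_policy  # 'ip local policy route-map myPolicy'

    def outbound(self, pkt):
        # ip access-list extended outbound
        if pkt.proto == "ospf":                         # permit ospf any any
            return True
        if pkt.proto == "tcp" and pkt.dport == TELNET:  # permit tcp any any eq telnet reflect TELNET
            self.telnet.reflect(pkt)
            return True
        return False                                    # implicit deny

    def inbound(self, pkt):
        # ip access-list extended inbound
        if pkt.proto == "ospf":                         # permit ospf any any
            return True
        return self.telnet.evaluate(pkt)                # evaluate TELNET, then implicit deny

    def send_local(self, pkt):
        """Packet generated by the router itself."""
        if self.local_policy and pkt.proto == "tcp" and pkt.dport == TELNET:
            # route-map myPolicy sends it to Loopback0; it re-enters the
            # forwarding path as transit traffic and now hits the outbound ACL
            return self.outbound(pkt)
        # without local PBR, IOS skips the interface ACL for locally generated packets
        return True

    def forward(self, pkt):
        """Transit packet from a host behind R1: always checked by the outbound ACL."""
        return self.outbound(pkt)


def router_telnet_works(local_policy):
    """Does the SYN-ACK from R2 get back to R1 for a router-originated Telnet?"""
    r1 = Router(local_policy)
    syn = Packet("tcp", "10.1.12.1", 11000, "10.1.12.2", TELNET)     # assumed source port
    syn_ack = Packet("tcp", "10.1.12.2", TELNET, "10.1.12.1", 11000)
    return r1.send_local(syn) and r1.inbound(syn_ack)


def unsolicited_telnet_blocked(local_policy):
    """An inbound Telnet with no matching reflexive entry must still be dropped."""
    r1 = Router(local_policy)
    return not r1.inbound(Packet("tcp", "10.1.12.2", 40000, "10.1.12.1", TELNET))


if __name__ == "__main__":
    print("without local PBR:", router_telnet_works(False))  # False
    print("with local PBR:   ", router_telnet_works(True))   # True
```

The model deliberately omits what real IOS adds on top: the reflexive entry is removed on TCP FIN/RST or after the reflexive timeout (300 seconds by default), and the evaluate statement is processed in its position within the inbound list rather than as a separate lookup.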
