Hi Group,
In Task 13.3 the PG says that a solution with reflexive ACL will not work
because 2800ISR will not support it. Well, my 2811 with 12.4(18) seems to
support it, so I tried it. Seems to be fun :o))
Basically the reflexive ACL works but I have a problem with the NAT
configured earlier. When I try to ping from Switch 2 (150.50.4.13) to R7
(200.0.0.7), then R8 translates this address to 150.50.5.3 as the source and
sends the request to R7. R7 replies to R8 with the destination of 150.50.5.3
which will be dropped at the incoming evaluate ACL.
How can I solve this problem? How can the incoming reflect ACL on R8 know
about the NAT translation? To me, this scenario is not possible.
Any ideas???
Below are the necessary outputs of R8:
R8(config-if)#do sh ip access-list
Reflexive IP access list MyStuff
permit icmp host 200.0.0.7 host 150.50.4.13 (18 matches) (time left 298)
Extended IP access list R8-Serial
10 permit ospf any any (46 matches)
20 evaluate MyStuff
30 deny ip any any log (8 matches)
Extended IP access list R8-FastEth
10 permit ip any any reflect MyStuff (47 matches)
R8(config-if)#do sh
*Apr 12 12:55:20.686: %SEC-6-IPACCESSLOGDP: list R8-Serial denied icmp 200.0.0.7 -> 150.50.5.3 (0/0), 5 packets
R8(config-if)#do sh ip nat nvi trans
Pro  Source global      Source local       Destin local       Destin global
icmp 150.50.5.3:32      150.50.4.13:32     200.0.0.7:32       200.0.0.7:32
---  150.50.5.3
Thanks
Roger
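
Added example, not part of Roger's post: a small Python correlator that reads the three R8 outputs quoted above and flags a denied return packet whose destination is the NAT "Source global" address while the reflexive entry holds the matching "Source local" address. The function names are hypothetical, and the parser only handles the ICMP log form and host-to-host reflexive entries shown in the post.

```python
import re

# Output lines copied from the R8 session in the post above (wrapped lines rejoined).
ACL_OUTPUT = """\
Reflexive IP access list MyStuff
 permit icmp host 200.0.0.7 host 150.50.4.13 (18 matches) (time left 298)
"""
NAT_OUTPUT = """\
Pro Source global Source local Destin local Destin global
icmp 150.50.5.3:32 150.50.4.13:32 200.0.0.7:32 200.0.0.7:32
"""
LOG_OUTPUT = """\
*Apr 12 12:55:20.686: %SEC-6-IPACCESSLOGDP: list R8-Serial denied icmp 200.0.0.7 -> 150.50.5.3 (0/0), 5 packets
"""

REFLEX_RE = re.compile(r"permit (\S+) host (\S+) host (\S+)")
DENY_RE = re.compile(r"%SEC-6-IPACCESSLOGDP: list (\S+) denied (\S+) (\S+) -> (\S+)")

def reflexive_entries(text):
    """Return (proto, src, dst) for each host-to-host reflexive entry."""
    return [m.groups() for m in map(REFLEX_RE.search, text.splitlines()) if m]

def nat_global_to_local(text):
    """Map (proto, source-global IP) -> source-local IP from the translation table."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        # Dynamic rows have 5 columns of addr:port values; header and static rows are skipped.
        if len(cols) == 5 and ":" in cols[1] and ":" in cols[2]:
            table[(cols[0], cols[1].split(":")[0])] = cols[2].split(":")[0]
    return table

def explain_denies(acl_text, nat_text, log_text):
    """Flag denied return packets whose reflexive entry holds the pre-NAT address."""
    entries = set(reflexive_entries(acl_text))
    nat = nat_global_to_local(nat_text)
    findings = []
    for m in filter(None, map(DENY_RE.search, log_text.splitlines())):
        acl, proto, src, dst = m.groups()
        local = nat.get((proto, dst))  # was the denied destination a NAT global address?
        if local and (proto, src, local) in entries and (proto, src, dst) not in entries:
            findings.append({"acl": acl, "proto": proto, "src": src,
                             "denied_dst": dst, "reflected_dst": local})
    return findings

if __name__ == "__main__":
    for finding in explain_denies(ACL_OUTPUT, NAT_OUTPUT, LOG_OUTPUT):
        print(finding)
```

A finding means the evaluate list was checked against the translated destination while the reflected entry was recorded with the untranslated one, which is the mismatch the log line in the post shows.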