cisco router configuration help

LoudTIGER

Member
Jul 29, 2003
160
i'm looking at an access control list, and there is a line that says "evaluate estab" after some deny/permit commands. what does this line do?

thanks!

nightowl

Golden Member
Oct 12, 2000
1,935
The evaluate command is for reflexive access lists. Reflexive ACLs allow traffic that was permitted out to return back into the network even if they are not allowed by an access list.

LoudTIGER

Member
Jul 29, 2003
160
isn't that what reflect estab does? i think estab is the keyword for packets that aren't tagged with a send or receive direction.

LoudTIGER

Member
Jul 29, 2003
160
estab is the keyword for packets not tagged w/ the 'syn' bit, right? so evaluate estab would be to allow traffic permitted out to come back in? estab packets do not have a send or receive direction, so there is no way to differentiate which TCP packets are incoming or outgoing.

sorry if the above doesn't make sense. i'm just confused about what this one line does, and it's not clear to me yet.

thanks for all your help.

nightowl

Golden Member
Oct 12, 2000
1,935
Ok, I did not understand what you posted the last time. I thought you were referring to a command that started with reflect. That is why I said there was no reflect command. So, for your outbound ACLs you need the reflect command at the end with a name for the reflexive ACL. Then on the inbound ACL you have the evaluate command at the end to evaluate the traffic that you wanted to allow back in after it left the network.
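As an added illustration (not posted by anyone in this thread), here is what the reflect/evaluate pair described above looks like in a Cisco IOS configuration. The interface names, the 192.168.1.0/24 inside network, the 203.0.113.5 mail host and the OUTBOUND/INBOUND list names are assumptions; "estab" is used as the reflexive list name only because that is the name in the original question, it is not an IOS keyword. The commented block at the end shows the separate `established` keyword that the question conflated with that name.

```cisco
! Added example: reflexive ACL pair (reflect on the way out, evaluate on the way in).
! Assumed topology: FastEthernet0/0 = inside LAN, Serial0/0 = Internet-facing.

! Outbound list. Each permitted TCP/UDP session is recorded as a temporary
! entry in the reflexive list named "estab" (a user-chosen name, not a keyword).
! The per-entry timeout removes idle entries; TCP entries also close on FIN/RST.
ip access-list extended OUTBOUND
 permit tcp 192.168.1.0 0.0.0.255 any reflect estab timeout 300
 permit udp 192.168.1.0 0.0.0.255 any reflect estab timeout 60
 deny   ip any any log

! Inbound list. "evaluate estab" is a placeholder that the router expands at
! match time into the dynamic entries created above, with source/destination
! addresses and ports reversed. Return traffic for a session that never left
! the network matches nothing and falls through to the final deny.
ip access-list extended INBOUND
 permit tcp any host 203.0.113.5 eq 25
 evaluate estab
 deny   ip any any log

interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! For contrast: the older "established" keyword checks only that the ACK or
! RST flag is set on the packet itself. It keeps no session state, so it
! admits any packet carrying those flags, not just replies to real sessions.
! ip access-list extended INBOUND-LEGACY
!  permit tcp any 192.168.1.0 0.0.0.255 established
```

To confirm the mechanism is working, open a session from the inside and run `show access-lists estab`; the dynamic entries (reversed addresses and ports, with their remaining timeout) appear there while the session is active and disappear after it closes or idles out.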

LoudTIGER

Member
Jul 29, 2003
160
ah okay, that makes a lot of sense to me. sorry for being unclear about the reflect keyword. i meant it was used in a permit rule.

: )

nightowl

Golden Member
Oct 12, 2000
1,935
No problem. It has been a little while since I have used reflexive ACLs and it does not help that I am tired right now too.