IOS not saving evaluate rule in access-list

Question

I have a basic firewall set up on an pretty od IOS in form of

IPv6 access list exterior-in6
  evaluate exterior-reflect sequence 1
  permit ipv6 any host [my external address] sequence 10
  permit tcp any host [my internal address] eq 22 sequence 11
  permit icmp any any sequence 800
  permit udp any any range 6881 6889 sequence 900
  permit tcp any any range 6881 6889 sequence 901
  deny ipv6 any any sequence 1000
IPv6 access list exterior-out6
  permit ipv6 [my internal subnet] any reflect exterior-reflect sequence 10

Unfortunately the

evaluate exterior-reflect sequence 1

line seems to get lost after each reboot, leaving my internal network without access. Any ideas?

score 0 · Accepted Answer · answered Jul 19 '11 at 14:01

This is a bug in IOS. The access list is saved as

sequence 1 evaluate exterior-reflect

but IOS can only parse

evaluate exterior-reflect sequence 1

It's a bug in the configuration syntax parser. I have tested the following IOS images, and they all have this bug:

c7200-advipservicesk9-mz.122-33.SRC3
c7200-advipservicesk9-mz.124-24.T4
c7200-advipservicesk9-mz.151-3.T1.4
c7200-advipservicesk9-mz.151-4.M1

Creating a TAC case...

IOS not saving evaluate rule in access-list

1 Answers1