Saturday, February 22, 2020

Reflexive Access List

The reflexive access-list is the poor man’s stateful firewall. By default an access-list on a Cisco router doesn’t keep track of any connections. The only thing it cares about is whether an incoming packet matches a certain statement or not. When it matches a statement it will perform an action (permit or deny) and if it doesn’t match…it’ll check the next statement. If none of the statements match it will hit the implicit deny any and the packet will be dropped.
When using the reflexive access-list, your Cisco IOS router will keep track of the outgoing connection(s) and it will automatically allow the return traffic. It’s best to explain this with an example, so let’s take a look at the following topology:
(Topology diagram: three Cisco routers in a row, R1 - R2 - R3. R1 reaches R2 on the 192.168.12.0/24 link and R2 reaches R3 on the 192.168.23.0/24 link, as the addresses used below show.)
Above we have 3 routers…nothing fancy. Let’s say I want to protect R1 and R2 from whatever traffic R3 might send. I could do this with a very simple but effective access-list:
R2(config)#ip access-list extended 100 
R2(config-ext-nacl)#deny ip any any

R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 100 in
The access-list above will drop all traffic from R3. Problem solved right?
You don’t have to add the “deny ip any any” to an access-list, it’s always there at the bottom but invisible. An advantage of adding it is that you will see the number of packets that are dropped this way.
Now what if there’s a HTTP server behind R3 that I want to reach from R1?
R1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... 
% Connection timed out; remote host not responding
Perhaps our network is a bit too secure… The packets from R1 will make it to R3, but the return traffic will be dropped by the access-list on R2. If I want to allow this return traffic, I have to punch a hole in the access-list that I just created, and that hole would also let R3 initiate traffic towards R1. There’s a better method, and that’s the reflexive access-list…let’s take a look.

Configuration

Forget about the access-list that I just created, we start with fresh routers that don’t have any access-lists applied to them.
I’m going to create an access-list that will track all outgoing connections, this is how we do it:
R2(config)#ip access-list extended OUTBOUND
R2(config-ext-nacl)#permit ip any any reflect EVALUATE

R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group OUTBOUND out
Above you see an access-list called OUTBOUND that permits everything, but I’ve added the reflect keyword. This means that the router keeps track of each outgoing connection (source and destination address, protocol and ports) and automatically creates a mirrored statement for the return traffic. It saves this statement in a temporary access-list called EVALUATE. We are halfway done, there’s one more access-list to create:
R2(config)#ip access-list extended INBOUND
R2(config-ext-nacl)#evaluate EVALUATE

R2(config)#interface fastEthernet 0/1       
R2(config-if)#ip access-group INBOUND in
Above you see an access-list called INBOUND with a single explicit statement. The statement with the evaluate keyword checks our temporary access-list to see if the incoming packet is return traffic that should be permitted. All other traffic is dropped by the implicit deny any at the bottom. Let’s see if this will work:

Verification

I’ll connect to TCP port 80 on R3 from R1:
R1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... Open
It says ‘open’ so it’s able to connect. Let’s check the access-list on R2:
R2#show access-lists 
Reflexive IP access list EVALUATE
     permit tcp host 192.168.23.3 eq www host 192.168.12.1 eq 20135 (6 matches) (time left 270)
Extended IP access list INBOUND
    10 evaluate EVALUATE
Extended IP access list OUTBOUND
    10 permit ip any any reflect EVALUATE (4 matches)
Above you see the temporary access-list called EVALUATE and the statement that the router added for us: the source and destination of the outgoing connection are swapped (R3’s TCP port 80 towards R1’s ephemeral port 20135). This allows the return traffic from R3 to R1. The statement stays for only 270 more seconds unless more traffic of this connection refreshes it.
This is the only traffic that can pass from R3 to R1, everything else will be denied…
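To make the mechanism concrete, here is an added Python model of what the router does with the reflect and evaluate statements (example code, not from this post and not IOS code): the outgoing 5-tuple is mirrored into a temporary entry, return traffic is permitted only while that entry is alive, and the idle timer (IOS default 300 seconds, changeable globally with ip reflexive-list timeout) is refreshed by matching traffic. The addresses and port 20135 are taken from the verification output above; the 30-second gap is assumed so that the remaining time matches the "time left 270" shown there.

```python
from dataclasses import dataclass

# Constructed model of Cisco reflexive ACL behaviour; not the router's code.
REFLEXIVE_TIMEOUT = 300  # IOS default idle timeout for reflexive entries, seconds

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    """Temporary entries mirroring outbound flows, keyed by the full 5-tuple."""
    def __init__(self, timeout=REFLEXIVE_TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # mirrored Packet -> expiry timestamp

    def reflect(self, pkt, now):
        # Outbound packet matched "permit ... reflect": store the mirrored
        # 5-tuple (source and destination swapped) with an idle expiry.
        mirrored = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now + self.timeout

    def evaluate(self, pkt, now):
        # Inbound "evaluate": permit only an exact match on a live entry.
        expiry = self.entries.get(pkt)
        if expiry is None:
            return False          # falls through to the implicit deny
        if now >= expiry:
            del self.entries[pkt]  # idle timer ran out, entry is removed
            return False
        self.entries[pkt] = now + self.timeout  # traffic refreshes the timer
        return True

    def time_left(self, pkt, now):
        return max(0, self.entries.get(pkt, now) - now)

def simulate(now=0.0):
    """Replays the post's scenario: R1 telnets to R3 port 80 through R2."""
    acl = ReflexiveAcl()
    outgoing = Packet("tcp", "192.168.12.1", 20135, "192.168.23.3", 80)
    acl.reflect(outgoing, now)                     # passes OUTBOUND on R2
    ret = Packet("tcp", "192.168.23.3", 80, "192.168.12.1", 20135)
    unsolicited = Packet("tcp", "192.168.23.3", 40000, "192.168.12.1", 22)
    return (acl.time_left(ret, now + 30),          # 270, as in show access-lists
            acl.evaluate(ret, now + 30),           # True: return traffic allowed
            acl.evaluate(unsolicited, now + 30),   # False: R3 cannot initiate
            acl.evaluate(ret, now + 30 + 300))     # False: idle timer expired
```

The last result shows why the entry is a temporary one: once the connection goes idle for the timeout period, the router removes it and R3 is back to being fully denied.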
I hope this example has helped you to understand the reflexive access-list! Any questions?
