Reflexive ACL
September 3, 2008 at 12:02 pm | In Security

Sample Configuration

R4#
ip access-list extended OUTBOUND
 permit tcp any any eq telnet reflect MIRROR
 permit tcp any any eq www reflect MIRROR
 permit icmp any any echo reflect MIRROR
 permit tcp any any eq bgp reflect MIRROR
ip access-list extended INBOUND
 ! OSPF traffic can not be reflected
 permit ospf any any
 evaluate MIRROR
 deny ip any any log
interface Serial1/1
 ip access-group INBOUND in
 ip access-group OUTBOUND out
interface Serial1/0.1 point-to-point
 ip access-group INBOUND in
 ip access-group OUTBOUND out
By default, locally generated traffic, such as a ping to the outside sourced from the router itself, or the router's own BGP session, is not subject to the OUTBOUND access-list and therefore is not reflected, so its return traffic is dropped by INBOUND. To include local traffic in the reflexive ACL so that its return traffic is permitted, route the local traffic to a loopback interface with a local policy; the packets then leave through the serial interface and hit the OUTBOUND list like transit traffic. The following config accomplishes that goal (note that the local policy must reference the route-map, LOCAL_POLICY, not the access-list):

ip access-list extended LOCAL_TRAFFIC
 permit tcp any any
 permit icmp any any
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
ip local policy route-map LOCAL_POLICY
Setting a Global Timeout Value
Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the “timeout” period). You can specify the timeout for a particular reflexive access list when you define the reflexive access list. But if you do not specify the timeout for a given reflexive access list, the list will use the global timeout value instead.
The global timeout value is 300 seconds by default, and you can change it to a different value at any time.
To change the global timeout value, use the following command in global configuration mode:
R4(config)#ip reflexive-list timeout ?
  <1-2147483>  timeout in seconds
R4(config)#ip reflexive-list timeout 300
Verification
R1#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/96/236 ms

R1#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5#

R4#sh ip access-list MIRROR
Reflexive IP access list MIRROR
     permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 41848 (29 matches) (time left 286)
     permit icmp host 150.1.5.5 host 150.1.4.4 (19 matches) (time left 280)
     permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 eq 17919 (575 matches) (time left 277)
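To make the behaviour behind the sample configuration, the timeout section and the verification output concrete, here is an added Python model of a reflexive list. It is not IOS code and not from the original post; it reproduces the three mechanics the post relies on: `reflect` creates a mirrored entry with source and destination swapped, `evaluate` only permits inbound packets that match a live entry and refreshes the idle timer, and entries vanish once idle longer than the timeout (300 s default). The addresses and the ephemeral port are taken from the verification output above; the packet objects and the timestamps are constructed for the scenario, and the loopback/local-policy trick is not modelled.

```python
"""Model of Cisco reflexive ACL mechanics (added example, not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 = no port (icmp, ospf)
    dport: int = 0


class ReflexiveList:
    """The temporary nested list named by 'reflect NAME' / 'evaluate NAME'."""

    def __init__(self, name, timeout=300):   # 300 s = 'ip reflexive-list timeout' default
        self.name = name
        self.timeout = timeout
        self.entries = {}   # session key -> absolute expiry time

    def reflect(self, pkt, now):
        """Create the mirrored entry that will admit the return direction of pkt."""
        if pkt.proto not in ("tcp", "udp", "icmp"):
            return False    # OSPF has no reversible session and cannot be reflected
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # swapped
        self.entries[key] = now + self.timeout
        return True

    def evaluate(self, pkt, now):
        """Permit pkt only if a live mirrored entry matches; refresh its idle timer."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[key]   # idle longer than the timeout: entry is gone
            return False
        self.entries[key] = now + self.timeout
        return True

    def show(self, now):
        """Rough equivalent of 'show ip access-list NAME'."""
        port = lambda n: f" eq {n}" if n else ""
        return [f"permit {p} host {s}{port(sp)} host {d}{port(dp)} (time left {int(exp - now)})"
                for (p, s, sp, d, dp), exp in self.entries.items() if exp >= now]


REFLECTED_TCP_PORTS = {23, 80, 179}   # telnet, www, bgp from the OUTBOUND ACL


def outbound_acl(pkt, acl, now):
    """OUTBOUND: permit and reflect the listed tcp services and icmp; implicit deny."""
    if pkt.proto == "tcp" and pkt.dport in REFLECTED_TCP_PORTS:
        return acl.reflect(pkt, now)
    if pkt.proto == "icmp":
        return acl.reflect(pkt, now)
    return False


def inbound_acl(pkt, acl, now):
    """INBOUND: permit ospf any any; evaluate MIRROR; deny ip any any."""
    if pkt.proto == "ospf":
        return True
    return acl.evaluate(pkt, now)


def run_scenario(timeout=300):
    """Constructed packets using the hosts and port from the verification output."""
    acl = ReflexiveList("MIRROR", timeout)
    telnet = Packet("tcp", "150.1.4.4", "150.1.5.5", 41848, 23)
    reply = Packet("tcp", "150.1.5.5", "150.1.4.4", 23, 41848)
    stray = Packet("tcp", "150.1.5.5", "150.1.4.4", 23, 5000)   # no matching session
    ospf = Packet("ospf", "150.1.5.5", "224.0.0.5")
    r = {}
    r["telnet_out"] = outbound_acl(telnet, acl, now=0)       # creates the mirror entry
    r["reply_in"] = inbound_acl(reply, acl, now=10)          # matches, timer refreshed
    r["stray_in"] = inbound_acl(stray, acl, now=10)          # unsolicited: denied
    r["ospf_in"] = inbound_acl(ospf, acl, now=10)            # explicit permit ospf
    r["ospf_reflected"] = acl.reflect(ospf, now=10)          # cannot be reflected
    r["time_left"] = acl.show(now=24)                        # 310 - 24 = 286, as in the post
    r["reply_after_idle"] = inbound_acl(reply, acl, now=10 + timeout + 1)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The `stray_in` case is the reason reflexive lists are preferred over a plain `permit tcp any any established`: a packet from the same server but toward a port no inside host opened is dropped, and once the session has been idle past the timeout even the legitimate 5-tuple is dropped until an inside host starts a new session.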
Doc CD Navigation
- Cisco IOS Security Configuration Guide, Release 12.4
- Traffic Filtering, Firewalls, and Virus Detection
- Configuring IP Session Filtering (Reflexive Access Lists)
- Reflexive Access List Configuration Examples