Reflexive ACL

September 3, 2008 at 12:02 pm | Posted in Security

Sample Configuration

R4#
ip access-list extended OUTBOUND
 permit tcp any any eq telnet reflect MIRROR
 permit tcp any any eq www reflect MIRROR
 permit icmp any any echo reflect MIRROR
 permit tcp any any eq bgp reflect MIRROR

ip access-list extended INBOUND
 ! OSPF (IP protocol 89) is not TCP/UDP/ICMP, so it cannot be reflected; permit it explicitly
 permit ospf any any
 evaluate MIRROR
 deny   ip any any log

interface Serial1/1
 ip access-group INBOUND in
 ip access-group OUTBOUND out

interface Serial1/0.1 point-to-point
 ip access-group INBOUND in
 ip access-group OUTBOUND out

By default, traffic generated by the router itself (for example a ping sourced from R4, or R4's own BGP session) is not subject to the OUTBOUND access-list on the egress interface, so no reflexive entry is created and the return traffic is dropped by INBOUND. To bring local traffic under the reflexive ACL so that its return traffic is permitted, policy-route it to a loopback interface with `ip local policy`: the packet is then forwarded a second time out the real interface and hits OUTBOUND like transit traffic. The following configuration accomplishes that.

! Locally generated TCP and ICMP (ping, BGP, telnet from R4)
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any
 permit icmp any any
!
! Send matching local traffic via Loopback0 so it is re-forwarded through OUTBOUND
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! The local policy references the route-map, not the access-list
ip local policy route-map LOCAL_POLICY

Setting a Global Timeout Value

Reflexive access list entries expire after no packets in the session have been seen for a certain length of time (the "timeout" period); every matching packet in either direction restarts that idle timer. You can specify the timeout for a particular reflexive access list with the `timeout` keyword on the entry that creates it (for example `permit tcp any any eq telnet reflect MIRROR timeout 120`). If you do not specify a timeout for a given reflexive access list, the list uses the global timeout value instead. TCP entries do not always wait for the timeout: IOS removes the entry immediately when it sees a matching packet with the RST bit set, and five seconds after it has seen FIN bits from both ends.

The global timeout value is 300 seconds by default, but you can change it to a different value at any time.

To change the global timeout value, use the following command in global configuration mode:

R4(config)#ip reflexive-list timeout ?   
  <1-2147483>  timeout in seconds

R4(config)#ip reflexive-list timeout 300
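The following model, added here as an illustration and not Cisco code, walks through the mechanism the configuration above relies on: an outbound entry with `reflect MIRROR` installs a temporary entry with source and destination (and ports) swapped, `evaluate MIRROR` on the inbound list permits only packets matching such an entry, a per-list timeout overrides the global 300 seconds, and a TCP RST tears the entry down at once. The `Router`, `ReflexiveList` and `Packet` names, the single-interface simplification, and the 150.1.x.x addresses and ports are constructed for the example; the ICMP rule matches any ICMP rather than only echo, since the model does not track ICMP types.

```python
"""Model of IOS reflexive ACL semantics (added illustration, not Cisco code).

An outbound entry carrying `reflect NAME` installs a temporary entry in NAME
with source and destination (and ports) swapped; an inbound `evaluate NAME`
permits only packets matching such an entry. Entries age out after `timeout`
seconds without traffic and are removed immediately on a TCP RST. Addresses
and ports used below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GLOBAL_TIMEOUT = 300   # IOS default for `ip reflexive-list timeout`

Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports
    dport: int = 0
    rst: bool = False     # TCP RST flag set


class ReflexiveList:
    """Entries created by `reflect NAME` and consumed by `evaluate NAME`."""

    def __init__(self, name: str, timeout: Optional[int] = None) -> None:
        self.name = name
        # `reflect NAME timeout N` on the reflecting entry overrides the global value
        self.timeout = GLOBAL_TIMEOUT if timeout is None else timeout
        self.expires: Dict[Key, int] = {}
        self.matches: Dict[Key, int] = {}

    def reflect(self, pkt: Packet, now: int) -> None:
        # Return traffic has src/dst and sport/dport swapped relative to the trigger.
        mirror: Key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.expires[mirror] = now + self.timeout
        self.matches.setdefault(mirror, 0)

    def purge(self, now: int) -> None:
        for key in [k for k, exp in self.expires.items() if exp <= now]:
            del self.expires[key]
            del self.matches[key]

    def evaluate(self, pkt: Packet, now: int) -> bool:
        self.purge(now)
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.expires:
            return False
        self.matches[key] += 1
        if pkt.proto == "tcp" and pkt.rst:
            del self.expires[key]                    # RST ends the session now
            del self.matches[key]
        else:
            self.expires[key] = now + self.timeout   # any hit restarts the idle timer
        return True


class Router:
    """The page's OUTBOUND/INBOUND lists applied to one interface (hypothetical R4)."""

    # ip access-list extended OUTBOUND: (proto, dport) entries, all `reflect MIRROR`.
    # ("icmp", 0) matches any ICMP here; the page's entry matches only echo.
    OUTBOUND = [("tcp", 23), ("tcp", 80), ("icmp", 0), ("tcp", 179)]

    def __init__(self, mirror_timeout: Optional[int] = None) -> None:
        self.mirror = ReflexiveList("MIRROR", mirror_timeout)

    def outbound(self, pkt: Packet, now: int) -> bool:
        for proto, dport in self.OUTBOUND:
            if pkt.proto == proto and pkt.dport == dport:
                self.mirror.reflect(pkt, now)
                return True
        return False                          # implicit deny ip any any

    def inbound(self, pkt: Packet, now: int) -> bool:
        if pkt.proto == "ospf":               # permit ospf any any (not reflectable)
            return True
        if self.mirror.evaluate(pkt, now):    # evaluate MIRROR
            return True
        return False                          # deny ip any any log

    def show(self, now: int) -> List[str]:
        """Render live entries in the style of `show ip access-list MIRROR`."""
        self.mirror.purge(now)
        lines = []
        for key, exp in self.mirror.expires.items():
            proto, src, sport, dst, dport = key
            line = f"permit {proto} host {src}" + (f" eq {sport}" if sport else "")
            line += f" host {dst}" + (f" eq {dport}" if dport else "")
            line += f" ({self.mirror.matches[key]} matches) (time left {exp - now})"
            lines.append(line)
        return lines


if __name__ == "__main__":
    r4 = Router()
    r4.outbound(Packet("tcp", "150.1.4.4", "150.1.5.5", 41848, 23), now=0)
    r4.inbound(Packet("tcp", "150.1.5.5", "150.1.4.4", 23, 41848), now=10)
    print("\n".join(r4.show(now=14)))
```

Running the block prints one MIRROR entry with the ports swapped and the idle timer counting down from the last matching packet, which is the same picture the `show ip access-list MIRROR` output below gives on the real router.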

Verification

R1#ping 150.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/96/236 ms
R1#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5#

R4#sh ip access-list MIRROR
Reflexive IP access list MIRROR
     permit tcp host 150.1.5.5 eq telnet host 150.1.4.4 eq 41848 (29 matches) (time left 286)
     permit icmp host 150.1.5.5 host 150.1.4.4  (19 matches) (time left 280)
     permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 eq 17919 (575 matches) (time left 277)

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Traffic Filtering, Firewalls, and Virus Detection
  • Configuring IP Session Filtering (Reflexive Access Lists)
  • Reflexive Access List Configuration Examples