Wednesday, February 22, 2012

REFLEXIVE ACL

  • These add a simple form of state tracking to ACLs
  • Outbound traffic that matches a reflect entry puts a mirrored entry in the state table for the reply traffic to use
  • Inbound traffic is checked against the state table before the inbound access-list on the interface; if a matching entry exists the packet is processed without consulting the rest of the inbound ACL
  • There is no application-level inspection of the traffic
  • Router-originated (local) traffic does not go through the outbound ACL, so it never gets an entry in the state table; routing protocols and similar must be permitted explicitly on the inbound ACL
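The state-tracking behaviour in the bullets above, as an added Python model written for this page (it is not Cisco code and not part of the original post). The class and function names, the INSIDE/OUTSIDE address roles and the port numbers are my own assumptions, chosen to mirror the lab later in the post; the model ignores entry timeouts and TCP FIN/RST teardown.

```python
# Added illustration, not from the original post and not Cisco IOS code:
# a minimal model of reflexive-ACL state tracking. Addresses are taken from
# the lab in the post; which host is "inside" is my assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0  # 0 where the protocol has no ports (icmp, eigrp)
    dport: int = 0


class ReflexiveACL:
    """Models 'permit <proto> any any reflect T' outbound and 'evaluate T' inbound."""

    def __init__(self, reflect_protos, inbound_rules):
        self.reflect_protos = set(reflect_protos)  # protocols the outbound ACL reflects
        self.inbound_rules = list(inbound_rules)   # ordered [(proto or "ip", action)]
        self.statetable = set()                    # mirror entries for expected replies

    def outbound(self, pkt: Packet) -> bool:
        """Traffic leaving the interface: a reflected permit adds a mirror entry."""
        if pkt.proto not in self.reflect_protos:
            return False
        # The mirror entry swaps source and destination (and ports) so that
        # only the reply to this exact flow matches it.
        self.statetable.add(Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> str:
        """Traffic entering the interface: 'evaluate' runs before the static rules."""
        if pkt in self.statetable:
            return "permit-statetable"
        for proto, action in self.inbound_rules:
            if proto in ("ip", pkt.proto):
                return action
        return "deny"  # implicit deny at the end of every IOS ACL


INSIDE = "22.2.2.2"   # assumed: the s2 side, which s1 could not reach in the lab
OUTSIDE = "2.1.1.1"   # assumed: the s1 side


def lab_scenario(permit_eigrp: bool = True) -> dict:
    """Replay the post's lab: inside-initiated flows succeed, outside-initiated ones fail."""
    rules = ([("eigrp", "permit")] if permit_eigrp else []) + [("ip", "deny")]
    acl = ReflexiveACL({"tcp", "udp", "icmp"}, rules)
    out = {}
    # s2 -> s1 telnet: the outbound SYN creates the mirror entry ...
    out["telnet_out"] = acl.outbound(Packet("tcp", INSIDE, OUTSIDE, 11001, 23))
    # ... so the SYN/ACK from s1 matches the state table before any static rule.
    out["telnet_reply"] = acl.inbound(Packet("tcp", OUTSIDE, INSIDE, 23, 11001))
    # s2 -> s1 ping and its echo reply behave the same way.
    acl.outbound(Packet("icmp", INSIDE, OUTSIDE))
    out["ping_reply"] = acl.inbound(Packet("icmp", OUTSIDE, INSIDE))
    # s1 -> s2 telnet with no prior outbound flow: nothing in the state table,
    # so it falls through to 'deny ip any any'.
    out["unsolicited_telnet"] = acl.inbound(Packet("tcp", OUTSIDE, INSIDE, 11002, 23))
    # EIGRP hellos from the neighbour: the router's own hellos never traverse the
    # outbound ACL, so no mirror entry exists; only the explicit permit lets them in.
    out["eigrp_hello"] = acl.inbound(Packet("eigrp", OUTSIDE, "224.0.0.10"))
    return out


if __name__ == "__main__":
    for name, result in lab_scenario().items():
        print(f"{name}: {result}")
    print("eigrp without explicit permit:", lab_scenario(permit_eigrp=False)["eigrp_hello"])
```

Running lab_scenario(permit_eigrp=False) shows the caveat from the last bullet: drop the explicit permit and the neighbour's hellos are denied, which is why the lab below carries permit eigrp any any. A real IOS reflexive entry is also aged out (the reflect ... timeout keyword or ip reflexive-list timeout) and removed early for TCP once the session closes, which this model leaves out.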
Commands

outbound (reflect and evaluate are only available in named extended ACLs, not numbered ones):
ip access-list extended OUTSIDE_OUTBOUND
 permit tcp any any reflect STATETABLE

inbound:
ip access-list extended OUTSIDE_INBOUND
 evaluate STATETABLE

apply to the interface:
interface s0/0/0
 ip access-group OUTSIDE_OUTBOUND out
 ip access-group OUTSIDE_INBOUND in

LAB
----

R5
---

Ok so we want to allow out traffic sourced from inside our network (from sw2 out) and to receive the replies for the traffic we generated, but we do not want the outside of our network to be able to initiate connections inward.

Ok so we create an access-list for traffic going out that allows tcp, udp and icmp and mirrors each flow into the state table, so we can get the return traffic for that flow:
r5(config)#ip access-list extended OUTSIDE_OUTBOUND
r5(config-ext-nacl)#permit tcp any any reflect STATETABLE
r5(config-ext-nacl)#permit udp any any reflect STATETABLE
r5(config-ext-nacl)#permit icmp any any reflect STATETABLE
r5(config-ext-nacl)#

Ok so inbound we first evaluate the state table; anything not in it falls through to the deny. We have also put in permit eigrp any any to keep the underlying IGP up, since the router's own EIGRP traffic never creates a state entry:
r5(config)#ip access-list extended OUTSIDE_INBOUND
r5(config-ext-nacl)#evaluate STATETABLE
r5(config-ext-nacl)#permit eigrp any any
r5(config-ext-nacl)#deny ip any any
r5(config-ext-nacl)#

 
ok so we apply to the interfaces
r5(config)#int s0/0/0
r5(config-if)#ip access-group OUTSIDE_OUTBOUND out
r5(config-if)#ip access-group OUTSIDE_INBOUND in
r5(config-if)#exit
r5(config)#

 

 
s2
---
s2>en
s2#telnet 2.1.1.1
Trying 2.1.1.1 ... Open

 
User Access Verification
Password:
s1>

 
s2#ping 2.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/67/75 ms
s2#

 
s1
---
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down
s1#ping 22.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
s1#
So this is working as expected: we can ping and telnet from s2, but we cannot originate traffic from s1 to s2.

 
r5
---
r5#sh ip access-list OUTSIDE_INBOUND
Extended IP access list OUTSIDE_INBOUND
    10 evaluate STATETABLE
    20 permit eigrp any any (411 matches)
    30 deny ip any any (345 matches)
r5#sh ip access-list OUTSIDE_OUTBOUND
Extended IP access list OUTSIDE_OUTBOUND
    10 permit tcp any any reflect STATETABLE (54 matches)
    20 permit udp any any reflect STATETABLE
    30 permit icmp any any reflect STATETABLE (11 matches)
r5#
