Reflexive Access List
1 like325 views
Reflexive access lists allow traffic originating from inside a network while denying traffic from outside. They generate temporary entries to allow return traffic for initiated sessions, unlike standard ACLs which only filter based on ports. Reflexive ACLs should be configured on border routers separating internal and external networks. They can be applied inbound or outbound depending on requirements. When a session starts internally, a temporary entry is added to allow return traffic and is removed after the session ends or a timeout occurs.
Reflexive Access List
- 1. R E F L E X I V E A C C E S S L I S T S W W W. N E T P R OTO CO L X P E R T. I N
- 2. • Reflexive Access Lists are used to allow IP traffic for sessions that originates from inside the network, and deny IP traffic that originates from outside the network. • They seem to be somehow similar to Standard or Extended ACLs that use established keyword to filter traffic based on session, but actually are different. By using established keyword you can filter only TCP sessions but with Reflexive Access Lists you can filter TCP sessions, UDP, ICMP and so on. • Reflexive ACLs should be configured on border routers, that separates internal network from external. • You can apply Reflexive ACL on an internal or external interface, depending on your network requirements.
- 3. HOW AN REFLEXIVE ACCESS LIST WORKS • When an IP upper layer session (for example ICMP, TCP, UDP) is started from inside the network to outside the network, Reflexive Access List generates a temporary entry that will allow traffic (that is part of current initiated session) coming from outside to get in. • The temporary added entry will be removed after the last packet of the session comes in or when a configured timeout timer expires. Reflexive ACLs can’t be applied directly on interface, they are “nested” in an Extended Named ACL that is applied to interface. • Reflexive Access Lists can be attached only to Extended Named IP ACLs.
- 4. • In the topology you can see Local router which is part of internal network, Border router that separates internal and external network, and Remote router that is part of external network. • Reflexive ACL will be configured on Border router and applied to fa 0/1 interface. we have preconfigured interfaces according to topology and a default route added on Local and Remote router to send all unknown traffic to Border router.
- 5. PING TEST BETWEEN LOCAL AND BORDER ROUTER Local • Local#ping 192.168.0.2 • Type escape sequence to abort. • Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds: • !!!!! • Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/88 ms • Local#
- 6. Remote • Remote#ping 10.0.0.2 • Type escape sequence to abort. • Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: • !!!!! • Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/112 ms • Remote# • At this point we can ping Remote from Local and vice versa. After we apply Reflexive Access List on Border router, the only successful ping should be from Local to Remote router.
- 7. Border • ip access-list extended OUTFILTER • permit icmp any any reflect ICMPFILTER timeout 300 • interface FastEthernet0/1 • ip access-group OUTFILTER out • Configuration of ACL is done in global configuration mode. This ACL analyze traffic that goes from inside to outside the network. • The entry “permit icmp any any reflect ICMPFILTER timeout 300” will add an temporary Reflexive Access List entry when it is matched (The Reflexive ACL name in this case will be ICMPFILTER), and will be removed when all packets of this session are returned or when timeout timer expires (300 seconds in this case). • This ACL is applied as outbound. For packets coming from outside, an inbound ACL will be applied, that will evaluate packets against temporary entry.
- 8. • ip access-list extended INFILTER • evaluate ICMPFILTER • interface FastEthernet0/1 • ip access-group INFILTER in • Second ACL is applied as inbound and evaluates packets according to temporary generated Reflexive ACL’s entry
- 9. • Border#show ip access-lists • Reflexive IP access list ICMPFILTER • Extended IP access list INFILTER • 10 evaluate ICMPFILTER • Extended IP access list OUTFILTER • 10 permit icmp any any reflect ICMPFILTER • Border#
- 10. • Local#ping 192.168.0.2 • Type escape sequence to abort. • Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds: • !!!!! • Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/68 ms • Border#show ip access-lists • Reflexive IP access list ICMPFILTER • permit icmp host 192.168.0.2 host 10.0.0.2 (10 matches) (time left 297) • Extended IP access list INFILTER • 10 evaluate ICMPFILTER • Extended IP access list OUTFILTER • 10 permit icmp any any reflect ICMPFILTER (6 matches) • Now you can see temporary generated entry, which is highlighted with red. One more thing we should do is to check if sessions initiated from outside are denied. We can check this with a ping from Remote to Local
- 11. • Remote#ping 10.0.0.2 • Type escape sequence to abort. • Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: • UUUUU • Success rate is 0 percent (0/5) • The results are as expected. For protocols such as ICMP or UDP (which are connectionless protocols) the temporary entry is removed when timeout timer expires, but for TCP ( which is connection oriented protocol and keeps track of session state), temporary entry is removed after TCP session ends.