Sunday, September 11, 2011

Reflexive Access Lists (Filtering with IOS Part 2)



I have R1, R2, and R3, and I want to use reflexive access-lists to effectively help create a security policy that I can apply to R2.

I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow all traffic to exit the inside network, but do not want any unsolicited traffic from the outside network to be allowed in. I have RIP running between the three routers, and I want that to remain operational.

To accomplish this, I'll create two access-lists on R2: one for the outbound traffic, which creates the reflexive entries, and one for the inbound traffic, which evaluates the reflexive ACL.

ip access-list extended DEPARTING
 permit tcp any any reflect TRAFFIC
 permit udp any any reflect TRAFFIC
 permit icmp any any reflect TRAFFIC


ip access-list extended ARRIVING
 permit udp any any eq 520
 evaluate TRAFFIC
 deny ip any any

I'll apply both ACLs to the outside interface on R2 in their respective directions.

interface s0/1
 ip access-group DEPARTING out
 ip access-group ARRIVING in

When I attempt to ping from R3 to R1, I don't receive replies, which is the expected behavior.

R3#ping 10.1.12.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Before I ping from R1 outbound, here's the result of show ip access-list on R2.

R2#sh ip access-list
Extended IP access list ARRIVING
    10 permit udp any any eq rip (618 matches)
    20 evaluate TRAFFIC
    30 deny ip any any (67 matches)
Extended IP access list DEPARTING
    10 permit tcp any any reflect TRAFFIC
    20 permit udp any any reflect TRAFFIC
    30 permit icmp any any reflect TRAFFIC (20 matches)
Reflexive IP access list TRAFFIC
R2#

I see there are no entries under the reflexive ACL.

Now I'll ping from R1 to R3.

R1#ping 10.1.23.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R1#

I'll now check the ACLs on R2 again.

R2#sh ip access-list TRAFFIC
Reflexive IP access list TRAFFIC
     permit icmp host 10.1.23.3 host 10.1.12.1  (20 matches) (time left 276)
R2#

This time, an entry has been created under the reflexive ACL.

The default timeout for a reflexive ACL is 300 seconds, but I can adjust the timeout with the ip reflexive-list timeout command. I will change mine to 20 seconds.

R2#
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip reflexive-list timeout 20
R2(config)#end
R2#

The previous reflexive entry has been cleared, and I'll send another ping to verify that the new timeout behaves as expected.

R2#sh ip access-list TRAFFIC
Reflexive IP access list TRAFFIC
     permit icmp host 10.1.23.3 host 10.1.12.1  (19 matches) (time left 17)
R2#
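As an added illustration (not part of the original post), here is a small Python model of what R2 is doing: DEPARTING mirrors each permitted outbound flow into TRAFFIC, ARRIVING permits RIP, evaluates TRAFFIC and then denies everything else, and the idle timer follows ip reflexive-list timeout. The timestamps, the TCP ports and the 224.0.0.9 RIPv2 destination are constructed for the example.

```python
from dataclasses import dataclass, field

RIP_PORT = 520   # the static 'permit udp any any eq 520' line in ARRIVING


@dataclass
class ReflexiveFilter:
    """Model of R2's DEPARTING/ARRIVING lists sharing the reflexive list TRAFFIC."""
    timeout: int = 300                              # 'ip reflexive-list timeout' default
    traffic: dict = field(default_factory=dict)     # mirrored 5-tuple -> expiry time

    def departing(self, proto, src, dst, now, sport=None, dport=None):
        """Outbound packet on s0/1: permitted, and a mirrored entry is reflected into TRAFFIC."""
        if proto not in ("tcp", "udp", "icmp"):
            return "deny"                           # implicit deny at the end of DEPARTING
        self.traffic[(proto, dst, src, dport, sport)] = now + self.timeout  # addresses/ports swapped
        return "permit"

    def arriving(self, proto, src, dst, now, sport=None, dport=None):
        """Inbound packet on s0/1: RIP line, then 'evaluate TRAFFIC', then 'deny ip any any'."""
        if proto == "udp" and dport == RIP_PORT:
            return "permit"
        key = (proto, src, dst, sport, dport)
        expiry = self.traffic.get(key)
        if expiry is not None and now < expiry:
            self.traffic[key] = now + self.timeout  # idle timer restarts on every match
            return "permit"
        self.traffic.pop(key, None)                 # expired (or never created): drop it
        return "deny"

    def time_left(self, proto, src, dst, now, sport=None, dport=None):
        """Seconds left on a TRAFFIC entry, like the '(time left N)' in show ip access-list."""
        return max(0, self.traffic.get((proto, src, dst, sport, dport), now) - now)


def walkthrough(timeout=300):
    """Replay the post's sequence with constructed timestamps; returns each decision."""
    r2 = ReflexiveFilter(timeout=timeout)
    r1, r3 = "10.1.12.1", "10.1.23.3"
    steps = {}
    steps["rip_from_r3"] = r2.arriving("udp", r3, "224.0.0.9", now=0, sport=520, dport=520)
    steps["unsolicited_r3_ping"] = r2.arriving("icmp", r3, r1, now=1)       # no entry yet: deny
    r2.departing("icmp", r1, r3, now=2)                                     # R1 pings R3
    steps["reply_to_r1"] = r2.arriving("icmp", r3, r1, now=3)               # mirrored entry matches
    steps["time_left_after_reply"] = r2.time_left("icmp", r3, r1, now=5)
    steps["after_timeout"] = r2.arriving("icmp", r3, r1, now=3 + timeout)   # idle timer expired
    return steps
```

Real IOS also tears down a TCP entry when it sees the session close; this model only implements the idle timer.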
