Žilinská univerzita > Fakulta riadenia a informatiky > Katedra informačných sietí

Configuring reflexive ACL (IP session filtering)

In this article I will configure reflexive ACL. This technique is described during CCNA4 Exploration, and I'm using it during the lab exercises.

About Reflexive ACL (IP session filtering)

Description from the cisco web, regarding IOS 15.1.

Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive filtering, a kind of session filtering.

Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists.

You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.

Reflexive access lists are an important part of securing your network against network hackers, and can be included in a firewall defense. Reflexive access lists provide a level of security against spoofing and certain denial-of-service attacks. Reflexive access lists are simple to use, and, compared to basic access lists, provide greater control over which packets enter your network.

However, reflexive access lists have significant differences from other types of access lists. Reflexive access lists contain only temporary entries; these entries are automatically created when a new IP session begins (for example, with an outbound packet), and the entries are removed when the session ends. Reflexive access lists are not themselves applied directly to an interface, but are "nested" within an extended named IP access list that is applied to the interface. Also, reflexive access lists do not have the usual implicit "deny all traffic" statement at the end of the list, because of the nesting.

Topology

In this example I will use following topology with stub network connected using one router 18xx series through NAT to the public Internet . Router will have only basic configuration (IP adresses, names, NAT).

 |----FA0/0-(1.0.0.0/24)----|NAT|----fa0/1----(158.193.139.0/24)----/ Internet /

 

Basic router configuration

hostname nat
!
interface FastEthernet0/0
 ip address 1.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface FastEthernet0/1
 ip address 158.193.139.211 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat inside source list NAT interface FastEthernet0/1 overload
!
ip access-list standard NAT
 permit 1.0.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 158.193.139.1

State of the interfaces is ok, dynamic address has been assigned from the public network. Everything is working.

Configuring Reflexive ACL

The configuration differ from internal (protected) and external interface point of view and it depend on the placement of the acl. For more detail see the article from cisco web. In my example I have internal interface Fa0/0 which becomes to protected internal network, and I will aplly ACL on external Fa0/1 interface, which connect me to the Internet.

1. As the first step we will define reflexive ACL, which will adds dynamic session entries into extended acl for traffic originating in internal network and directed to the external nets (internet).

The ip extended acl will be used for this, applied on the external interface for outbound direction.

nat(config)#ip access-list extended EXTERNAL_OUT
nat(config-ext-nacl)#permit tcp any any reflect TCP_TRAFFIC

The first line specify main ip extended acl, which contain the definition of the reflexive ACL (the second line). Definition of the reflexive ACL will cause (in this example) adding dynamic session entries into ACL for tcp sessions flowing from internal net to the extenal targets. The second line may be builted up as is usuall for extend ACL, so we may change protocol, source and destination address conditions and source and destination ports.

2. Now we define second ip extended acl, which will be used on external interface for inbound drirection. This ACL will compare incoming traffic against entries builded when traffic leaves internal network. The EXTERNAL_IN acl will nest the reflexive acl.
 

nat(config)#ip access-list extended EXTERNAL_IN
nat(config-ext-nacl)#evaluate TCP_TRAFFIC

this ACL may contain other entries as usually acl may do.

3. Apply ip extended acl on right interface in correct direction, in my case

nat(config)#int fa 0/1
nat(config-if)#ip access-group EXTERNAL_IN in
nat(config-if)#ip access-group  EXTERNAL_OUT out

4. Define global timeout how long dynamic reflexive entries will be valid for (in second).

nat(config)#ip reflexive-list timeout 120

 

Verifying the ACL

As we usually do, sh access-lists, sh ip access-lists.

When we originate some tcp traffic (http), the reflexive acl entry will be added

nat#sh ip access-lists Extended IP access list EXTERNAL_IN
    10 evaluate TCP_TRAFFIC
Extended IP access list EXTERNAL_OUT
    10 permit tcp any any reflect TCP_TRAFFIC (49 matches) Reflexive IP access list TCP_TRAFFIC
     permit tcp host 74.125.39.102 eq www host 158.193.139.211 eq 2175 (3 matches) (time left 118)

In case of this example be carefull, such acl as are defined here allows to flow only TCP traffic iniating flowing from in to out and respective answers backs. No other traffic will be allowed, as for example icmp (for pinging), or DNS for resolving, besause it use ICMP or UDP protocols. To allow working we have to modify ACLs to reflect requreid apllications flows.

For testing only I simply adds dns support

Standard IP access list NAT
    10 permit 1.0.0.0, wildcard bits 0.0.0.255 (1123 matches)
Reflexive IP access list DNS_TRAFFIC
Extended IP access list EXTERNAL_IN
    10 evaluate TCP_TRAFFIC
    20 evaluate DNS_TRAFFIC
Extended IP access list EXTERNAL_OUT
    10 permit tcp any any reflect TCP_TRAFFIC (1416 matches)
    20 permit udp any any eq domain reflect DNS_TRAFFIC (63 matches)
Reflexive IP access list TCP_TRAFFIC

and when I generated some dns and tcp flows we may see reflexive entries.

nat#sh ip access-lists
Standard IP access list NAT
    10 permit 1.0.0.0, wildcard bits 0.0.0.255 (1170 matches)
Reflexive IP access list DNS_TRAFFIC
     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 63625 (1 match) (time left 119)
     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 63079 (2 matches) (time left 119)
     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 63649 (2 matches) (time left 119)
     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 50439 (2 matches) (time left 119)
     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 62277 (2 matches) (time left 119)
Extended IP access list EXTERNAL_IN
    10 evaluate TCP_TRAFFIC
    20 evaluate DNS_TRAFFIC
Extended IP access list EXTERNAL_OUT
    10 permit tcp any any reflect TCP_TRAFFIC (1811 matches)
    20 permit udp any any eq domain reflect DNS_TRAFFIC (217 matches)
Reflexive IP access list TCP_TRAFFIC
     permit tcp host 193.170.140.87 eq www host 158.193.139.211 eq 2268 (7 matches) (time left 119)
     permit tcp host 65.55.149.122 eq www host 158.193.139.211 eq 2267 (6 matches) (time left 119)
     permit tcp host 65.55.239.163 eq www host 158.193.139.211 eq 2266 (6 matches) (time left 118)
     permit tcp host 157.55.40.126 eq www host 158.193.139.211 eq 2264 (6 matches) (time left 116)
     permit tcp host 193.170.140.78 eq www host 158.193.139.211 eq 2263 (88 matches) (time left 117)
     permit tcp host 193.170.140.78 eq www host 158.193.139.211 eq 2262 (23 matches) (time left 117)
     permit tcp host 193.170.140.78 eq www host 158.193.139.211 eq 2261 (42 matches) (time left 115)
     permit tcp host 193.170.140.87 eq www host 158.193.139.211 eq 2258 (10 matches) (time left 109)
     

 

Groups: