{"id":373,"date":"2011-01-19T10:26:14","date_gmt":"2011-01-19T09:26:14","guid":{"rendered":""},"modified":"2018-11-01T10:34:30","modified_gmt":"2018-11-01T09:34:30","slug":"configuring-reflexive-acl-ip-session-filtering","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/configuring-reflexive-acl-ip-session-filtering\/","title":{"rendered":"Configuring reflexive ACL (IP session filtering)"},"content":{"rendered":"<p>\n\tIn this article I will configure reflexive ACL. This technique is described during CCNA4 Exploration, and I&#39;m using it during the lab exercises.<\/p>\n<h2>\n\tAbout Reflexive ACL (IP&nbsp;session filtering)<\/h2>\n<p>\n\tDescription from the <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/ios\/sec_data_plane\/configuration\/guide\/sec_cfg_ip_filter_ps10592_TSD_Products_Configuration_Guide_Chapter.html\">cisco web, regarding IOS 15.1<\/a>.<\/p>\n<p>\n\t<cite>Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive filtering, a kind of session filtering.<\/cite><\/p>\n<p>\n\t<cite>Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists.<\/cite><\/p>\n<p>\n\t<cite>You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.<\/cite><\/p>\n<p>\n\t<cite><span class=\"content\">Reflexive access lists are an important part of securing your network against network hackers, and can be included in a firewall defense. Reflexive access lists provide a level of security against spoofing and certain denial-of-service attacks. 
Reflexive access lists are simple to use, and, compared to basic access lists, provide greater control over which packets enter your network. <\/span><\/cite><\/p>\n<p>\n\t<cite><span class=\"content\">However, reflexive access lists have significant differences from other types of access lists. Reflexive access lists contain only temporary entries; these entries are automatically created when a new IP session begins (for example, with an outbound packet), and the entries are removed when the session ends. Reflexive access lists are not themselves applied directly to an interface, but are &quot;nested&quot; within an extended named IP access list that is applied to the interface. Also, reflexive access lists do not have the usual implicit &quot;deny all traffic&quot; statement at the end of the list, because of the&nbsp;nesting. <\/span><\/cite><\/p>\n<h2>\n\t<cite>Topology<\/cite><\/h2>\n<p>\n\tIn this example I will use the following topology: a stub network connected to the public Internet through NAT on a single 18xx series router. The router will have only a basic configuration (IP addresses, names, NAT).<\/p>\n<p>\n\t&nbsp;|&#8212;-FA0\/0-(1.0.0.0\/24)&#8212;-|<span>NAT<\/span>|&#8212;-fa0\/1&#8212;-(158.193.139.0\/24)&#8212;-\/ Internet \/<\/p>\n<h2>\n\tBasic router configuration<\/h2>\n<pre>\r\nhostname nat\r\n!\r\ninterface FastEthernet0\/0\r\n ip address 1.0.0.1 255.255.255.0\r\n ip nat inside\r\n ip virtual-reassembly\r\n duplex auto\r\n speed auto\r\n!\r\n!\r\ninterface FastEthernet0\/1\r\n ip address 158.193.139.211 255.255.255.0\r\n ip nat outside\r\n ip virtual-reassembly\r\n duplex auto\r\n speed auto\r\n!\r\nip nat inside source list NAT interface FastEthernet0\/1 overload\r\n!\r\nip access-list standard NAT\r\n permit 1.0.0.0 0.0.0.255\r\n!\r\nip route 0.0.0.0 0.0.0.0 FastEthernet0\/1 158.193.139.1\r\n<\/pre>\n<p>\n\tThe state of the interfaces is OK, and the dynamic address has been assigned from the public network. 
Everything is working.<\/p>\n<h2>\n\tConfiguring Reflexive ACL<\/h2>\n<p>\n\tThe configuration differs depending on whether it is viewed from the internal (protected) or the external interface, and it depends on where the ACL is placed. For more detail see the article on the <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/ios\/sec_data_plane\/configuration\/guide\/sec_cfg_ip_filter_ps10592_TSD_Products_Configuration_Guide_Chapter.html\">cisco web<\/a>. In my example the internal interface Fa0\/0 belongs to the protected internal network, and I will apply the ACL on the external interface Fa0\/1, which connects me to the Internet.<\/p>\n<p>\n\t1. As the first step we define the reflexive ACL, which adds dynamic session entries into the extended ACL for traffic originating in the internal network and directed to external networks (the Internet).<\/p>\n<p>\n\tAn extended IP ACL is used for this, applied on the external interface in the <strong>outbound direction<\/strong>.<\/p>\n<pre>\r\nnat(config)#ip access-list extended EXTERNAL_OUT\r\nnat(config-ext-nacl)#permit tcp any any reflect TCP_TRAFFIC\r\n<\/pre>\n<p>\n\tThe first line specifies the main extended IP ACL, which contains the definition of the reflexive ACL (the second line). In this example, the reflexive ACL definition causes dynamic session entries to be added for TCP sessions flowing from the internal network to external targets. The second line may be built up as usual for an extended ACL, so we may change the protocol, the source and destination address conditions, and the source and destination ports.<\/p>\n<p>\n\t2. Now we define a second extended IP ACL, which will be used on the external interface in the inbound direction. This ACL compares incoming traffic against the entries built when traffic leaves the internal network. 
The EXTERNAL_IN ACL nests the reflexive ACL.<\/p>\n<pre>\r\nnat(config)#ip access-list extended EXTERNAL_IN\r\nnat(config-ext-nacl)#evaluate TCP_TRAFFIC\r\n<\/pre>\n<p>\n\tThis ACL&nbsp;may contain other entries, as any ACL may.<\/p>\n<p>\n\t3. Apply the extended IP ACLs on the right interface in the correct direction; in my case:<\/p>\n<pre>\r\nnat(config)#int fa 0\/1\r\nnat(config-if)#ip access-group EXTERNAL_IN in\r\nnat(config-if)#ip access-group EXTERNAL_OUT out\r\n<\/pre>\n<p>\n\t4. Define the global timeout, i.e. how long the dynamic reflexive entries stay valid (in seconds).<\/p>\n<pre>\r\nnat(config)#ip reflexive-list timeout 120\r\n<\/pre>\n<h2>\n\tVerifying the ACL<\/h2>\n<p>\n\tAs we usually do, with <em><strong>sh access-lists<\/strong><\/em> or <em><strong>sh ip access-lists<\/strong><\/em>.<\/p>\n<p>\n\tWhen we originate some TCP traffic (HTTP), the reflexive ACL entry is added:<\/p>\n<pre>\r\nnat#sh ip access-lists\r\nExtended IP access list EXTERNAL_IN\r\n    10 evaluate TCP_TRAFFIC\r\nExtended IP access list EXTERNAL_OUT\r\n    10 permit tcp any any reflect TCP_TRAFFIC (<span style=\"background-color: rgb(255, 255, 153);\">49 matches<\/span>)\r\nReflexive IP access list TCP_TRAFFIC\r\n     <span style=\"background-color: rgb(255, 255, 153);\">permit tcp host 74.125.39.102 eq www host 158.193.139.211 eq 2175 (3 matches) (time left 118)<\/span>\r\n<\/pre>\n<p>\n\tBe careful with this example: the ACLs as defined here allow only TCP&nbsp;traffic initiated from inside to outside, and the corresponding replies back. No other traffic will be allowed, for example ICMP (for pinging) or DNS (for name resolution), because they use the ICMP or UDP&nbsp;protocols. 
To make these applications work, we have to modify the ACLs to reflect the required application flows.<\/p>\n<p>\n\tFor testing only, I simply added DNS support:<\/p>\n<pre>\r\nStandard IP access list NAT\r\n    10 permit 1.0.0.0, wildcard bits 0.0.0.255 (1123 matches)\r\nReflexive IP access list DNS_TRAFFIC\r\nExtended IP access list EXTERNAL_IN\r\n    10 evaluate TCP_TRAFFIC\r\n    20 evaluate DNS_TRAFFIC\r\nExtended IP access list EXTERNAL_OUT\r\n    10 permit tcp any any reflect TCP_TRAFFIC (1416 matches)\r\n    20 permit udp any any eq domain reflect DNS_TRAFFIC (63 matches)\r\nReflexive IP access list TCP_TRAFFIC\r\n<\/pre>\n<p>\n\tWhen I then generated some DNS and TCP flows, the reflexive entries appeared. Note that the entries reference the translated outside address 158.193.139.211 rather than the inside 1.0.0.0\/24 hosts, because the ACL is applied on the NAT outside interface, after translation.<\/p>\n<pre>\r\nnat#sh ip access-lists\r\nStandard IP access list NAT\r\n    10 permit 1.0.0.0, wildcard bits 0.0.0.255 (1170 matches)\r\nReflexive IP access list DNS_TRAFFIC\r\n     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 63625 (1 match) (time left 119)\r\n     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 63079 (2 matches) (time left 119)\r\n     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 63649 (2 matches) (time left 119)\r\n     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 50439 (2 matches) (time left 119)\r\n     permit udp host 158.193.152.2 eq domain host 158.193.139.211 eq 62277 (2 matches) (time left 119)\r\nExtended IP access list EXTERNAL_IN\r\n    10 evaluate TCP_TRAFFIC\r\n    20 evaluate DNS_TRAFFIC\r\nExtended IP access list EXTERNAL_OUT\r\n    10 permit tcp any any reflect TCP_TRAFFIC (1811 matches)\r\n    20 permit udp any any eq domain reflect DNS_TRAFFIC (217 matches)\r\nReflexive IP access list TCP_TRAFFIC\r\n     permit tcp host 193.170.140.87 eq www host 158.193.139.211 eq 2268 (7 matches) (time left 119)\r\n     permit tcp host 65.55.149.122 eq www host 158.193.139.211 eq 2267 (6 matches) (time left 119)\r\n     permit tcp host 65.55.239.163 eq www host 158.193.139.211 eq 2266 (6 
matches) (time left 118)\r\n     permit tcp host 157.55.40.126 eq www host 158.193.139.211 eq 2264 (6 matches) (time left 116)\r\n     permit tcp host 193.170.140.78 eq www host 158.193.139.211 eq 2263 (88 matches) (time left 117)\r\n     permit tcp host 193.170.140.78 eq www host 158.193.139.211 eq 2262 (23 matches) (time left 117)\r\n     permit tcp host 193.170.140.78 eq www host 158.193.139.211 eq 2261 (42 matches) (time left 115)\r\n     permit tcp host 193.170.140.87 eq www host 158.193.139.211 eq 2258 (10 matches) (time left 109)\r\n     \r\n<\/pre>\n<p>\n\t&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>\n\tIn this article I will configure reflexive ACL. This technique is described during CCNA4 Exploration, and I&#39;m using it during the lab exercises.<\/p>\n<h2>\n\tAbout Reflexive ACL (IP&nbsp;session filtering)<\/h2>\n<p>\n\tDescription from the <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/ios\/sec_data_plane\/configuration\/guide\/sec_cfg_ip_filter_ps10592_TSD_Products_Configuration_Guide_Chapter.html\">cisco web, regarding IOS 
15.1<\/a>.<\/p>","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[697,765],"tags":[],"class_list":["post-373","post","type-post","status-publish","format-standard","hentry","category-ccna-en","category-security-en"],"taxonomy_info":{"category":[{"value":697,"label":"CCNA"},{"value":765,"label":"Security"}]},"featured_image_src_large":false,"author_info":{"display_name":"admin","author_link":"https:\/\/nil.uniza.sk\/en\/author\/admin\/"},"comment_info":9,"category_info":[{"term_id":697,"name":"CCNA","slug":"ccna-en","term_group":0,"term_taxonomy_id":695,"taxonomy":"category","description":"","parent":695,"count":12,"filter":"raw","cat_ID":697,"category_count":12,"category_description":"","cat_name":"CCNA","category_nicename":"ccna-en","category_parent":695},{"term_id":765,"name":"Security","slug":"security-en","term_group":0,"term_taxonomy_id":763,"taxonomy":"category","description":"","parent":747,"count":3,"filter":"raw","cat_ID":765,"category_count":3,"category_description":"","cat_name":"Security","category_nicename":"security-en","category_parent":747}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}]
,"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=373"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/373\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}