Reflexive ACL:
The idea is to selectively allow traffic from the outside, and only for a limited time: return traffic for a session that was started from the inside.
R1------------------------------(fa0/1) R2 (fa0/0)------------------------------R3
(LAN) (INTERNET)
The requirement is that R1 and R2 can initiate traffic towards R3, but R3 cannot initiate traffic to R1 or R2.
We will use a reflexive ACL to achieve this goal.
A reflexive ACL setup has three components. The first is an extended ACL that matches the interesting traffic from R1 and R2 and is applied outbound on interface fa0/0:
R2(config)#ip access-list extended LAN_TO_INTERNET
R2(config-ext-nacl)#permit icmp any any reflect MIRROR_ACL
R2(config)#int fa0/0
R2(config-if)#ip access-group LAN_TO_INTERNET out
The packets matched by the ACL LAN_TO_INTERNET are reflected into the ACL MIRROR_ACL.
We can see the contents of that ACL (it is updated dynamically whenever traffic matches LAN_TO_INTERNET). When I ping R3 from R1, the ACL gets updated as:
R2#sh ip access-lists MIRROR_ACL
Reflexive IP access list MIRROR_ACL
permit icmp host 10.23.1.3 host 10.12.1.1 (15 matches) (time left 138)
To make use of the reflected entries, we need to evaluate the reflexive ACL from another extended ACL and apply that ACL inbound on fa0/0.
R2(config)#ip access-list extended INTERNET_TO_LAN
R2(config-ext-nacl)#evaluate MIRROR_ACL
(permit/deny statements can be added to this ACL as well; the evaluate line must name the reflexive ACL created by the reflect keyword, MIRROR_ACL)
R2(config)#int fa0/0
R2(config-if)#ip access-group INTERNET_TO_LAN in
With this configuration, R1 is able to ping R3 but not vice versa:
R1#ping 10.23.1.3
Sending 5, 100-byte ICMP Echos to 10.23.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/99/128 ms
R1#telnet 10.23.1.3
Trying 10.23.1.3 ...
% Destination unreachable; gateway or host down
R1 is able to ping R3 but not able to telnet, because we permitted only ICMP traffic in the LAN_TO_INTERNET ACL. To allow telnet, let's modify the ACL as:
R2(config)#ip access-list extended LAN_TO_INTERNET
R2(config-ext-nacl)#permit tcp any any reflect MIRROR_ACL
If we try the telnet now:
R1#telnet 10.23.1.3
Trying 10.23.1.3 ... Open
User Access Verification
Password:
R3#
The access-lists on R2 will now be:
R2#sh ip access-lists
Extended IP access list INTERNET_TO_LAN
    10 evaluate MIRROR_ACL
Extended IP access list LAN_TO_INTERNET
    10 permit icmp any any reflect MIRROR_ACL (25 matches)
    20 permit tcp any any reflect MIRROR_ACL (139 matches)
Reflexive IP access list MIRROR_ACL
     permit tcp host 10.23.1.3 eq telnet host 10.12.1.1 eq 15837 (28 matches) (time left 295)
     permit icmp host 10.23.1.3 host 10.12.1.1 (10 matches) (time left 275)
(The tcp entry above is the reflection of the flow source 10.12.1.1, destination 10.23.1.3, source port 15837, destination port 23: the reflected entry has the addresses and ports swapped, so it matches only the return traffic of that flow.)
Let's try the ping from R2:
R2#ping 10.23.1.3
Sending 5, 100-byte ICMP Echos to 10.23.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
It fails because locally generated packets are not inspected by outbound access-lists, so they are never reflected into the reflexive access-list. R3's replies to the ping are therefore blocked by the inbound access-list.
We can use local policy routing to fix this issue.
With local policy routing, we force the locally generated traffic to re-enter the router, so that it is inspected by the outgoing access-list.
First, create an access-list that matches the traffic from R2 to R3:
R2(config)#ip access-list extended LOCAL_TRAFFIC
R2(config-ext-nacl)#permit tcp any any
R2(config-ext-nacl)#permit icmp any any
Create a route-map that matches the access-list and sets the output interface to a loopback:
R2(config)#route-map LOCAL_POLICY 10
R2(config-route-map)#match ip address LOCAL_TRAFFIC
R2(config-route-map)#set interface lo100
Apply the route-map in global config:
R2(config)#ip local policy route-map LOCAL_POLICY
The ping should be successful now:
R2#ping 10.23.1.3
Sending 5, 100-byte ICMP Echos to 10.23.1.3, timeout is 2 seconds:
.!!!!
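As an added illustration (not part of the original post and not IOS code), the following Python model shows the behaviour described above: the reflexive ACL builds each entry by mirroring an outbound flow, the entry ages out when idle, unsolicited traffic from R3 is refused, and R2's own pings fail until local policy routing pushes them through the outbound ACL. The addresses 10.12.1.1 (R1) and 10.23.1.3 (R3) and the port 15837 are taken from the page; R2's fa0/0 address 10.23.1.2, the 300-second idle timeout and the refresh-on-match timer behaviour are assumptions of this model.

```python
"""Toy model of a reflexive ACL on R2's fa0/0 (added illustration, not IOS code).

Assumptions, labelled because the page does not state them: the flow key is
(protocol, src, dst, src port, dst port); each entry starts with a 300-second
timeout (the IOS default) and is refreshed whenever matching return traffic is
seen; R2's own fa0/0 address is taken as 10.23.1.2 (constructed).
"""
from dataclasses import dataclass

REFLEX_TIMEOUT = 300  # seconds; assumed default for 'ip reflexive-list timeout'


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0                    # 0 = protocol has no ports (icmp)
    dport: int = 0
    locally_generated: bool = False   # True for packets R2 itself originates


class ReflexiveAcl:
    """Dynamic list such as MIRROR_ACL: entries keyed by the *return* flow."""

    def __init__(self, name: str, timeout: int = REFLEX_TIMEOUT):
        self.name = name
        self.timeout = timeout
        self.entries: dict[tuple, int] = {}   # flow key -> absolute expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # Mirror the outbound flow: swap the addresses and swap the ports.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        """What 'evaluate MIRROR_ACL' decides for one inbound packet."""
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                  # no entry: falls through to implicit deny
        if now >= expiry:
            del self.entries[key]         # idle entry has aged out
            return False
        self.entries[key] = now + self.timeout   # assumed: matching traffic refreshes timer
        return True

    def show(self, now: int) -> list[str]:
        """Render live entries roughly like 'show ip access-lists <name>' (ports numeric)."""
        lines = []
        for (proto, src, dst, sport, dport), expiry in self.entries.items():
            if expiry <= now:
                continue
            ports = f" eq {sport} host {dst} eq {dport}" if proto == "tcp" else f" host {dst}"
            lines.append(f"permit {proto} host {src}{ports} (time left {expiry - now})")
        return lines


class R2:
    """fa0/0: LAN_TO_INTERNET applied out, INTERNET_TO_LAN (evaluate MIRROR_ACL) applied in."""

    def __init__(self, local_policy_routing: bool = False):
        self.mirror = ReflexiveAcl("MIRROR_ACL")
        self.reflected_protos = {"icmp", "tcp"}   # LAN_TO_INTERNET after the telnet fix
        self.local_policy_routing = local_policy_routing

    def send_out(self, pkt: Packet, now: int) -> str:
        # Locally generated packets bypass the outbound ACL and are never reflected,
        # unless local policy routing forces them back through the interface.
        if pkt.locally_generated and not self.local_policy_routing:
            return "forwarded, not inspected"
        if pkt.proto in self.reflected_protos:
            self.mirror.reflect(pkt, now)
            return "forwarded, reflected"
        return "denied"   # implicit deny at the end of LAN_TO_INTERNET

    def receive_in(self, pkt: Packet, now: int) -> bool:
        return self.mirror.evaluate(pkt, now)


def demo() -> dict:
    R1, R3, R2_WAN = "10.12.1.1", "10.23.1.3", "10.23.1.2"   # R2_WAN is constructed
    r2 = R2()
    result = {}
    r2.send_out(Packet("icmp", R1, R3), now=0)                             # R1 pings R3
    result["r3_echo_reply"] = r2.receive_in(Packet("icmp", R3, R1), now=1)
    result["r3_unsolicited_telnet"] = r2.receive_in(Packet("tcp", R3, R1, 40000, 23), now=2)
    r2.send_out(Packet("tcp", R1, R3, 15837, 23), now=10)                   # R1 telnets to R3
    result["r3_telnet_return"] = r2.receive_in(Packet("tcp", R3, R1, 23, 15837), now=11)
    result["mirror_acl"] = r2.mirror.show(now=11)
    r2.send_out(Packet("icmp", R2_WAN, R3, locally_generated=True), now=20)  # R2's own ping
    result["r2_own_ping_reply"] = r2.receive_in(Packet("icmp", R3, R2_WAN), now=21)
    result["r3_echo_reply_after_idle"] = r2.receive_in(Packet("icmp", R3, R1), now=1 + REFLEX_TIMEOUT)
    r2_fixed = R2(local_policy_routing=True)                               # after ip local policy
    r2_fixed.send_out(Packet("icmp", R2_WAN, R3, locally_generated=True), now=0)
    result["r2_own_ping_reply_with_lpr"] = r2_fixed.receive_in(Packet("icmp", R3, R2_WAN), now=1)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The model deliberately keeps only what the text describes: one outbound ACL that reflects, one inbound ACL that evaluates, and the bypass for locally generated packets. The `show()` output mirrors the form of the `sh ip access-lists MIRROR_ACL` entries on the page, which is the quickest way in practice to confirm that a flow was actually reflected before blaming the inbound ACL.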