Configure Reflexive Access Lists
Reflexive access lists aren’t applied directly to an interface. Instead, they are
nested inside an extended named IP access list that is applied to an interface.
Because they are nested, reflexive access lists have no implicit deny-all of their
own: a packet that matches none of the temporary entries simply continues to the
next line of the enclosing ACL, and is dropped only if it reaches that ACL’s
implicit deny at the end.
Two primary commands are used to build reflexive access lists: reflect and
evaluate. In addition, the global ip reflexive-list timeout command sets the idle
timer that governs how long the temporary entries live.
The reflect Statement
The keyword reflect on a permit statement is what creates the return entries in the
temporary access list. When a packet matches a permit ... reflect statement in the
outbound ACL, the router adds a temporary entry to the named reflexive list with
the packet’s source and destination addresses and port numbers swapped. That
temporary list is consulted wherever the inbound ACL nests it with an evaluate
statement.
The ACL that contains the reflect statement can also contain regular permit and
deny statements, either before or after the reflect statement. A packet that
matches one of those statements is permitted or denied as usual but does not
create a temporary entry in the reflexive access list.
The basic syntax is

Rtr(config)#ip access-list extended name
Rtr(config-ext-nacl)#permit protocol source destination reflect name [timeout seconds]
Examples follow the discussion of the evaluate statement in the next section.
The evaluate Statement
The evaluate statement is the final
configuration entry in another named extended IP access list that partners with
the permit/reflect statements previously
discussed. The syntax is as follows:
Router(config-ext-nacl)#evaluate name
The following is a simple example where outgoing TFTP and HTTP traffic is allowed
and generates return openings in a temporary ACL called newlist. The Telnet
entries in both ACLs are only examples of normal ACL statements that don’t
generate entries in newlist.

interface serial 0
ip access-group ok-out out
ip access-group ok-in in
!
ip access-list extended ok-out
permit tcp any any eq telnet
permit udp any any eq tftp reflect newlist
permit tcp any any eq www reflect newlist
!
ip access-list extended ok-in
permit tcp any any eq telnet
evaluate newlist
Two named access lists, ok-out and ok-in, are applied to the external serial
interface. ok-out contains two permit/reflect statements plus a normal Telnet
statement. Outbound TFTP and HTTP packets create entries in a temporary access
list named newlist; each entry reverses the source and destination addresses and
port numbers of the outbound packet, so only replies to that specific session
match it.
The evaluate newlist statement nests those temporary entries at that point in
ok-in. An inbound packet that matches neither the Telnet line nor a temporary
entry falls through to ok-in’s implicit deny.
One caveat worth checking before relying on this: the temporary entry matches
exactly the reversed addresses and ports, so an application that answers from a
port other than the one it was contacted on is not handled. TFTP is such a case:
the server receives the request on UDP port 69 but sends its data from a freshly
chosen port, so the reply does not match the entry the request created.
Active-mode FTP’s data connection has the same problem.
The ip reflexive-list timeout seconds Command
The global configuration command ip reflexive-list timeout seconds specifies how
long a reflexive access list entry remains in the ACL if no packets in that
session are seen. Each new packet matching a temporary entry resets its idle
timer. If no timeout is specified, either globally or on the individual reflect
statement, the default is 300 seconds. For TCP sessions the entry is also removed
as soon as the router sees the session close (two FIN packets, or a RST), so the
idle timer matters mostly for UDP and for TCP sessions that end without a proper
close. The next example shows changing the global idle timeout to two minutes.
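The reflect/evaluate mechanism and the idle timer are easier to reason about with a small executable model. The following is an added example written for this page, not IOS code or Cisco’s implementation: it mimics what the router does when a permit ... reflect line is matched (a temporary entry with source and destination swapped is added to the named reflexive list) and when another ACL reaches evaluate (the temporary entries are consulted at that point, with no implicit deny of their own). The hosts, ports and timestamps are constructed for the demonstration, and the demo() function replays the ok-out/ok-in example above, including the TFTP reply that arrives from a different port and therefore fails to match.

```python
"""Working model of Cisco IOS reflexive-ACL behaviour (added example, not IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One permit/deny line of an extended named ACL ("any" is the wildcard)."""
    action: str                       # "permit" or "deny"
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None       # None = no `eq` port clause
    reflect: Optional[str] = None     # reflexive list to populate on a permit
    timeout: Optional[int] = None     # per-line idle timeout; overrides the global one

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


@dataclass(frozen=True)
class Evaluate:
    """The `evaluate <name>` line that nests a reflexive list into an ACL."""
    reflect: str


Line = Union[Ace, Evaluate]
Key = Tuple[str, str, int, str, int]          # proto, src, sport, dst, dport


@dataclass
class Router:
    global_timeout: int = 300                  # `ip reflexive-list timeout` default
    # reflexive list name -> {reversed 5-tuple: (expiry_time, idle_timeout)}
    lists: Dict[str, Dict[Key, Tuple[float, int]]] = field(default_factory=dict)

    def apply(self, acl: List[Line], p: Packet, now: float) -> bool:
        """Run packet p through acl at time `now`; True means permitted.

        Works for either direction: the ACL holding permit/reflect lines creates
        temporary entries, the ACL holding `evaluate` consumes them.
        (Removal of TCP entries on FIN/RST is not modelled here.)
        """
        for line in acl:
            if isinstance(line, Evaluate):
                entries = self.lists.get(line.reflect, {})
                key: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
                if key in entries:
                    expiry, idle = entries[key]
                    if now < expiry:
                        entries[key] = (now + idle, idle)   # matching packet resets the idle timer
                        return True
                    del entries[key]                        # idle too long: the entry is gone
                continue   # the reflexive list has no implicit deny; keep scanning the outer ACL
            if line.matches(p):
                if line.action == "permit" and line.reflect:
                    idle = line.timeout or self.global_timeout
                    reversed_key: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
                    self.lists.setdefault(line.reflect, {})[reversed_key] = (now + idle, idle)
                return line.action == "permit"
        return False       # implicit deny at the end of the named ACL


def demo() -> Dict[str, bool]:
    """Replay the ok-out / ok-in example with constructed traffic."""
    ok_out: List[Line] = [
        Ace("permit", "tcp", dport=23),                       # permit tcp any any eq telnet
        Ace("permit", "udp", dport=69, reflect="newlist"),    # permit udp any any eq tftp reflect newlist
        Ace("permit", "tcp", dport=80, reflect="newlist"),    # permit tcp any any eq www reflect newlist
    ]
    ok_in: List[Line] = [
        Ace("permit", "tcp", dport=23),                       # permit tcp any any eq telnet
        Evaluate("newlist"),                                  # evaluate newlist
    ]
    r = Router()
    lan, web, tftp = "192.168.0.10", "203.0.113.5", "203.0.113.9"   # constructed hosts
    out: Dict[str, bool] = {}
    out["http_out"] = r.apply(ok_out, Packet("tcp", lan, 40000, web, 80), now=0)
    out["http_reply"] = r.apply(ok_in, Packet("tcp", web, 80, lan, 40000), now=100)
    out["unsolicited"] = r.apply(ok_in, Packet("tcp", "198.51.100.7", 80, lan, 40000), now=101)
    out["http_reply_after_idle"] = r.apply(ok_in, Packet("tcp", web, 80, lan, 40000), now=401)
    out["tftp_out"] = r.apply(ok_out, Packet("udp", lan, 50000, tftp, 69), now=0)
    # The TFTP server answers from a fresh port (its transfer ID), not from port 69,
    # so the reply does not match the reversed entry the request created.
    out["tftp_reply"] = r.apply(ok_in, Packet("udp", tftp, 5555, lan, 50000), now=1)
    return out


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:24s} {'permit' if permitted else 'deny'}")
```

The HTTP reply at t=100 is permitted and pushes the entry’s expiry to t=400; the same reply at t=401 is denied because the entry has idled out. A per-line timeout (the `timeout` field on Ace) takes precedence over the router’s global value, exactly as the reflect ... timeout keyword does on IOS.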
External Interface Example
The following is a simple example of a reflexive ACL applied to an external
interface allowing the LAN (192.168.0.0) users access to the Internet and to DNS
servers. Note that IOS names TCP and UDP port 53 domain, not dns, and that
ordinary name lookups are UDP, so both a TCP and a UDP permit/reflect line are
needed for DNS to work.

ip reflexive-list timeout 120
!
interface serial 0
ip access-group lan-out out
ip access-group lan-in in
!
ip access-list extended lan-out
deny icmp any any
permit tcp any any eq domain reflect ok-packets timeout 240
permit udp any any eq domain reflect ok-packets timeout 240
permit tcp any any eq www reflect ok-packets
!
ip access-list extended lan-in
deny icmp any any
evaluate ok-packets

The first line changes the global timeout value to two minutes for all reflexive
access list entries on this router that don’t specify their own timeout value.
The two DNS permit/reflect entries set a four-minute idle timer for DNS packets
only; the HTTP entries use the two-minute global value.
Internal Interface Example
The following is a simple example of a reflexive ACL applied to an internal
interface allowing the LAN (192.168.0.0) users access to the Internet and to DNS
servers. Typically, this placement is used when there is another network (a DMZ)
of shared servers, because placing the ACL on the external interface would
interfere with outside access to those servers. Because the ACL now sits on the
LAN-facing interface, LAN traffic arrives inbound: the permit/reflect statements
go in the inbound list (lan-in) and the evaluate statement in the outbound list
(lan-out), the reverse of the external-interface example.
interface ethernet 1
ip access-group lan-in in
ip access-group lan-out out
!
ip access-list extended lan-in
deny icmp any any
permit tcp any any eq domain reflect ok-packets timeout 120
permit udp any any eq domain reflect ok-packets timeout 120
permit tcp any any eq www reflect ok-packets timeout 180
!
ip access-list extended lan-out
deny icmp any any
evaluate ok-packets

The permit/reflect entries set their own timeouts: two minutes for DNS and three
minutes for HTTP. Without these timeout settings, they would be governed by the
global value, which is the default of 300 seconds unless ip reflexive-list
timeout has been configured.