Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
778
Views
5
Helpful
3
Replies

Reflexive ACL

pdriscoll
Level 1
Level 1

‎03-28-2007 10:14 AM - edited ‎03-11-2019 02:53 AM

Hello. I am trying to build a reflexive acl on a 7206 router (Version 12.3(17)) to help secure email without interrupting

any other services, especially ftp. Here is what I have so far:

ip access-list extended internal-smtp

permit tcp 192.168.x.y any host reflect smtp-racl

permit ip any any

ip access-list extended external-acl

<other acl statements>

evaluate smtp-racl

permit tcp any host 216.aaa.bbb.ccc eq smtp

permit tcp any host 216.aaa.bbb.ccc eq www

permit tcp any host 216.aaa.bbb.ccc eq 443

<other acl statements>

deny ip any any

interface serial01

ip access-group internal-smtp out

ip access-group external-acl in

IP addresses refer to inside local and outside global of email server.

Is this going to be effective? Is there a configuration that would be more effective? We do not have CBAC capabilities. Thanks in advance.

Labels:
0 Helpful
3 Replies 3

sundar.palaniappan
Level 10
Level 10

‎03-28-2007 12:22 PM

Hi

Your config needs some slight modifications. I assume you want to create a reflexive access list to track all tcp traffic, not just smtp, originated from the inside (trusted) network. The following config would cause the router create a temporary access list entry for all tcp originated from the inside network. The config that you have in there now would only allow create a temporary ACE for the SMTP traffic defined in your first statement in the ACL named smtp-racl and all other traffic would be dropped on it ways back.

If you have a different requirement please clarify that..

ip access-list extended internal-smtp

permit tcp any any reflect smtp-racl

ip access-list extended external-acl

permit tcp any host 216.aaa.bbb.ccc eq smtp

permit tcp any host 216.aaa.bbb.ccc eq www

permit tcp any host 216.aaa.bbb.ccc eq 443

evaluate smtp-racl

HTH

Sundar

0 Helpful

pdriscoll
Level 1
Level 1
In response to sundar.palaniappan

‎03-28-2007 12:48 PM

Sundar - thanks for your response.

Your assumption is correct. However, I am not certain how FTP traffic, both inbound and outbound, would be affected by your configuration. Please advise whether FTP would or would not be affected. Thanks.

0 Helpful

sundar.palaniappan
Level 10
Level 10
In response to pdriscoll

‎03-28-2007 12:58 PM

Your outbound, from inside to outside, FTP traffic would work fine as the reflexive access list will create a temporary access list entry when the first ftp packets in the session leaves the router and the return traffic will be allowed back in.

However, for traffic originated from outside to inside you need to explicitly allow the traffic on your inbound ACL and outbound ACL. Adding an entry each to the ACL(s) should address your concern.

ip access-list extended external-acl

permit tcp host eq ftp

ip access-list extended internal-smtp

permit ip any any

HTH

Sundar

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card