Question on Reflexive ACLs

Unanswered Question
Mar 5th, 2008

Hi All

I have picked up a Cisco 877W router with IOS 12.4 Advanced IP Services to use as my home ADSL router. I currently don't have a separate firewall to use, so I am looking to make the 877 as secure as possible from the outside.

A forum member pointed me to a link about reflexive ACLs and I have been reading a little about them. One of the points mentioned is that RACLs don't work well with some protocols like FTP, and it mentions that you need to use passive FTP to get around this issue.

I am just wondering if there are any other protocols that I need to be aware of prior to deploying RACLs?

If anybody has some examples of RACLs that they have deployed that they could post as a template, I would be most grateful. Also, if there is anything else I should be aware of, please let me know.

Best Regards & TIA,

Michael

lamav Wed, 03/05/2008 - 07:58

K;

Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from the originating packet, the return packet will be denied, even if the packet is actually part of the same session.

With PIX firewalls, we can use the "fixup protocol" command as a workaround. Some other applications that may cause a problem are SIP, H323, DNS and HTTP.

Please read this link for information on configuring RACLs.

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html#wp1000996

HTH

If so, please rate this post.

Victor

keeleym@o2.ie Wed, 03/05/2008 - 08:36

Hi Victor

Cheers for the response. I had seen that page you linked to. I have been looking around to find out the best way to secure my 877W without limiting my ability to surf the web.

I want to prevent as much as possible unauthorised access to my router from the Internet.

Best Regards,

Michael

a.cruea1980 Wed, 03/05/2008 - 09:01

I have an RACL on my 1811 at home, and have no problems with FTP or anything. DNS gets through just fine, FTP works just fine.

I'd much rather not post my ACLs up for all to see, but suffice to say, I've never had issues with it.

keeleym@o2.ie Mon, 03/10/2008 - 04:10

Hi There

I wonder if you could give me an idea of how you set up your reflexive ACLs without affecting FTP, and without posting sensitive information from your router, please.

I have just applied a reflexive ACL to a home Broadband connection (Cisco 877W) and I can no longer ftp from the system. I get an error about "unable to open data connection", which I assume is to do with the FTP Data port (port 20).

Just wondering how you set your RACLs up.

This is what I have done

ip access-list extended outbound-packets
 remark reflect creates a mirrored temporary entry for each outbound TCP/UDP session
 remark the list name must match the evaluate line exactly (a typo silently drops all return traffic)
 permit tcp any any reflect traffic-temp-list
 permit udp any any reflect traffic-temp-list
 remark anything else outbound (e.g. ICMP echo) hits the implicit deny
!
ip access-list extended inbound-packets
 deny icmp any any echo
 remark permit only return traffic for sessions started from the inside
 evaluate traffic-temp-list
 remark everything else is dropped by the implicit deny, including an FTP server's active-mode data connection from port 20
!
interface Dialer1
 ip access-group outbound-packets out
 ip access-group inbound-packets in

Best Regards,

Michael
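The following is an added example, not code from any of the posts above or from Cisco. It is a small Python model of the reflexive ACL state described in Victor's post and configured in Michael's last post: `reflect NAME` on the outbound list stores the mirrored 5-tuple under NAME, `evaluate NAME` on the inbound list permits only packets matching an entry stored under exactly that NAME. With that model it reproduces why the FTP control connection works, why an active-mode data connection (opened by the server from port 20) is dropped, why passive mode is not, and what a misspelled list name does. The hosts, ports and the PORT/227 exchange are constructed sample data, not captured traffic.

```python
"""Reflexive-ACL matching, modelled in Python.

Added example for this thread (not from the original posts or from Cisco):
a toy model of IOS reflexive ACL state, so the FTP failure in the last post
can be reproduced offline. Hosts, ports and the FTP exchange below are
constructed sample data, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp-echo" (constructed, not a real decoder)
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveACL:
    """`reflect NAME` on the outbound ACL stores the mirrored 5-tuple under NAME;
    `evaluate NAME` on the inbound ACL permits only packets that match an entry
    stored under exactly that NAME."""

    def __init__(self) -> None:
        # NAME -> set of (proto, src, sport, dst, dport) that inbound may match
        self.lists = defaultdict(set)

    def outbound(self, pkt: Packet, reflect_into: str) -> bool:
        # permit tcp any any reflect NAME / permit udp any any reflect NAME
        if pkt.proto not in ("tcp", "udp"):
            return False  # implicit deny: e.g. an outbound ping is dropped
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.lists[reflect_into].add(mirrored)
        return True

    def inbound(self, pkt: Packet, evaluate: str) -> bool:
        if pkt.proto == "icmp-echo":        # deny icmp any any echo
            return False
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return key in self.lists[evaluate]  # evaluate NAME, then implicit deny


CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # RFC 5737 documentation addresses


def control_reply_allowed(reflect="traffic-temp-list", evaluate="traffic-temp-list") -> bool:
    """Return traffic on the FTP control connection (client -> server:21)."""
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", CLIENT, 40001, SERVER, 21), reflect)
    return acl.inbound(Packet("tcp", SERVER, 21, CLIENT, 40001), evaluate)


def active_ftp_data_allowed() -> bool:
    """Active mode: client sends PORT, server connects from port 20 to the
    client's listening port. No outbound packet ever created that entry."""
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", CLIENT, 40001, SERVER, 21), "traffic-temp-list")
    # Client announced PORT 192,0,2,10,156,66 -> listening on 156*256+66 = 40002
    return acl.inbound(Packet("tcp", SERVER, 20, CLIENT, 40002), "traffic-temp-list")


def passive_ftp_data_allowed() -> bool:
    """Passive mode: server answers 227 with a port, client connects to it, so
    the data connection is outbound and gets its own mirrored entry."""
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", CLIENT, 40001, SERVER, 21), "traffic-temp-list")
    # Server replied 227 Entering Passive Mode (198,51,100,5,196,65) -> 196*256+65 = 50241
    acl.outbound(Packet("tcp", CLIENT, 40003, SERVER, 50241), "traffic-temp-list")
    return acl.inbound(Packet("tcp", SERVER, 50241, CLIENT, 40003), "traffic-temp-list")


def unsolicited_inbound_allowed() -> bool:
    """An Internet host probing the router's SSH port with no prior outbound session."""
    acl = ReflexiveACL()
    return acl.inbound(Packet("tcp", "203.0.113.7", 55555, CLIENT, 22), "traffic-temp-list")


if __name__ == "__main__":
    print("control reply       :", control_reply_allowed())
    print("typo in reflect name:", control_reply_allowed(reflect="trafic-temp-list"))
    print("active FTP data     :", active_ftp_data_allowed())
    print("passive FTP data    :", passive_ftp_data_allowed())
    print("unsolicited inbound :", unsolicited_inbound_allowed())
```

The model deliberately leaves out what a real reflexive ACL also does (entries time out, and TCP entries are removed when the session closes) and what it does not do: it never looks inside the FTP control channel, so it cannot learn the port named in a PORT command. That payload inspection is the job of the PIX "fixup protocol" Victor mentions, and on IOS of the IOS Firewall feature (CBAC, `ip inspect name ... ftp`), which is separate from reflexive ACLs and outside this example.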
