athukral

Introduction

 

This document explains the concept of Reflexive access lists.

Prerequisites

A router running Cisco IOS

Network Diagram

Reflexive.JPG

Concept

 

Reflexive access lists allow you to dynamically open up your filtering router to allow reply packets back through, in response to an outbound TCP connection or UDP session initiated from within your network. This mechanism reduces exposure to spoofing and denial-of-service, since desirable inbound flows are mostly in response to outbound traffic.

 

The idea of a reflexive ACL is to take a packet flow, extract the session information (source/destination IP addresses and ports) and create a dynamic entry in an access list that is applied in the opposite direction, permitting the "mirrored" flow. A named extended access list is required to implement traffic reflection.

Reflexive access lists work very well with simple protocols like HTTP and Telnet. However, complex protocols like FTP open additional data channels which cannot be properly handled by reflexive access lists.

Another important aspect to keep in mind is that reflexive ACLs have poor scalability, since the router needs to open pinholes on a temporary basis and age them out, constantly keeping track of every new "session".

Also, router-originated traffic is not subjected to reflection, unless local policy routing is used to divert it onto a loopback interface so that it becomes ingress traffic.
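As an added example that is not part of the original document, the following Python model shows the behaviour described above: an outbound flow installs a reversed entry, the inbound check permits only a live mirrored flow, entries age out after the timeout, and an active-FTP data channel is not covered. Addresses, ports and the 300-second timeout are constructed values; the class does not talk to any router.

```python
# Added example (not from the original document): a minimal Python model of
# how a reflexive ACL behaves. Addresses, ports and the 300 s timeout are
# constructed/assumed values; the class does not talk to any router.
from typing import Dict, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


class ReflexiveAcl:
    """Models 'permit ... reflect MIRROR' (outbound) and 'evaluate MIRROR' (inbound)."""

    def __init__(self, timeout: int = 300) -> None:
        self.timeout = timeout               # IOS default reflexive timeout is 300 seconds
        self.entries: Dict[Flow, int] = {}   # mirrored flow -> expiry time

    def reflect(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, now: int) -> None:
        """Outbound packet matched a 'reflect' entry: install the reversed flow."""
        mirrored: Flow = (proto, dst_ip, dst_port, src_ip, src_port)
        self.entries[mirrored] = now + self.timeout

    def evaluate(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, now: int) -> bool:
        """Inbound packet hits 'evaluate': permit only a live mirrored flow."""
        self.entries = {f: exp for f, exp in self.entries.items() if exp > now}  # age out
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.entries:
            return False
        self.entries[flow] = now + self.timeout   # traffic refreshes the pinhole
        return True


def demo() -> Dict[str, bool]:
    """Walk through the cases discussed above with constructed addresses."""
    acl = ReflexiveAcl()
    inside, web, ftp = "10.0.0.5", "203.0.113.10", "203.0.113.20"
    acl.reflect("tcp", inside, 40000, web, 80, now=0)    # inside host opens HTTP
    acl.reflect("tcp", inside, 40001, ftp, 21, now=0)    # inside host opens FTP control
    return {
        # Reply to the HTTP session matches the mirrored entry.
        "http_reply": acl.evaluate("tcp", web, 80, inside, 40000, now=1),
        # Unsolicited packet from another host: no pinhole, dropped.
        "unsolicited": acl.evaluate("tcp", "198.51.100.7", 80, inside, 40000, now=1),
        # Active-FTP data channel arrives from port 20 to a client port never
        # seen outbound, so reflection cannot permit it (the FTP caveat).
        "ftp_data": acl.evaluate("tcp", ftp, 20, inside, 40002, now=2),
        # After the idle timeout the HTTP pinhole has aged out.
        "http_after_timeout": acl.evaluate("tcp", web, 80, inside, 40000, now=400),
    }
```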


Configuration


Refer to the following example for a reflexive ACL:

 

In this specific example, we will permit TCP, UDP and ICMP traffic from the inside to the outside network.

Internet Router:

!!!! Outbound access-list, mirror all outbound sessions
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR

!!!! Ingress ACL, permit only the "returning" packets
ip access-list extended INBOUND
 evaluate MIRROR

Applying the ACLs on the interface:

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 duplex auto
 speed auto
end

Verify

ROUTER1#show access-lists
Extended IP access list INBOUND
    10 evaluate MIRROR
Reflexive IP access list MIRROR
Extended IP access list OUTBOUND
    10 permit tcp any any reflect MIRROR
    20 permit udp any any reflect MIRROR
    30 permit icmp any any reflect MIRROR
