Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Reflexive ACL

Hello. I am trying to build a reflexive acl on a 7206 router (Version 12.3(17)) to help secure email without interrupting

any other services, especially ftp. Here is what I have so far:

ip access-list extended internal-smtp

permit tcp 192.168.x.y any host reflect smtp-racl

permit ip any any

ip access-list extended external-acl

<other acl statements>

evaluate smtp-racl

permit tcp any host 216.aaa.bbb.ccc eq smtp

permit tcp any host 216.aaa.bbb.ccc eq www

permit tcp any host 216.aaa.bbb.ccc eq 443

<other acl statements>

deny ip any any

interface serial01

ip access-group internal-smtp out

ip access-group external-acl in

IP addresses refer to inside local and outside global of email server.

Is this going to be effective? Is there a configuration that would be more effective? We do not have CBAC capabilities. Thanks in advance.

3 REPLIES

Re: Reflexive ACL

Hi

Your config needs some slight modifications. I assume you want to create a reflexive access list to track all tcp traffic, not just smtp, originated from the inside (trusted) network. The following config would cause the router create a temporary access list entry for all tcp originated from the inside network. The config that you have in there now would only allow create a temporary ACE for the SMTP traffic defined in your first statement in the ACL named smtp-racl and all other traffic would be dropped on it ways back.

If you have a different requirement please clarify that..

ip access-list extended internal-smtp

permit tcp any any reflect smtp-racl

ip access-list extended external-acl

permit tcp any host 216.aaa.bbb.ccc eq smtp

permit tcp any host 216.aaa.bbb.ccc eq www

permit tcp any host 216.aaa.bbb.ccc eq 443

evaluate smtp-racl

HTH

Sundar

New Member

Re: Reflexive ACL

Sundar - thanks for your response.

Your assumption is correct. However, I am not certain how FTP traffic, both inbound and outbound, would be affected by your configuration. Please advise whether FTP would or would not be affected. Thanks.

Re: Reflexive ACL

Your outbound, from inside to outside, FTP traffic would work fine as the reflexive access list will create a temporary access list entry when the first ftp packets in the session leaves the router and the return traffic will be allowed back in.

However, for traffic originated from outside to inside you need to explicitly allow the traffic on your inbound ACL and outbound ACL. Adding an entry each to the ACL(s) should address your concern.

ip access-list extended external-acl

permit tcp host eq ftp

ip access-list extended internal-smtp

permit ip any any

HTH

Sundar

393
Views
5
Helpful
3
Replies
CreatePlease to create content