Re: Reflexive access-list

From: Carlos G Mendioroz (tron@xxxxxxxxxxx)
Date: Wed May 15 2002 - 13:43:38 GMT-3


   
Serguei,

Reflexive access lists are dynamic access lists created after you
detect initial connection packets to permit the returning traffic,
much like the TCP "established" keyword, but not restricted to
TCP (i.e. you can use them with UDP).

There are 2 ACLs involved. The "inspecting" one, applied to traffic
that is allowed to go (that is, in the origin to destination way),
and the "backwards" one, in the reverse way.

There is also the dynamic one, that is constructed on the fly by
the hits on the "inspecting" one, and its entries become part of the
"backwards" one because of the evaluate statement (that should be first).

Syntax:
for the inspecting side:

ip access-list extended cbac-ins
        permit udp host 10.0.0.1 eq 53 any reflect cbac-dyn

where cbac-ins is just a name. (CBAC for contents based access control is
more than reflexive access lists, but not that much more IMHO).

Then in your backwards side:

ip access-list extended cbac-bac
        evaluate cbac-dyn

and lastly, you have to apply those on some interface that catches your
traffic in each direction.

This example would let your DNS at host 10.0.0.1 query external DNS
servers, but external hosts and/or servers would not be able to query it
(if you fill in the blanks, that is).

One tip: If the backwards ACL only has the evaluate in it, you'll run
into a peculiar side effect: When the reflexive ACL is empty, the whole
ACL is empty and then everything is let through. But as soon as there is
one entry in the reflexive ACL, then the backwards ACL will deny anything
but the returning traffic for the "hit". Something to have in mind...

HTH,
-tron
        

"Bezverkhi, Serguei" wrote:
>
> Hello guys,
>
> I am looking for some guidelines for configuring Reflexive access-lists.
> I have tried some examples from the Cisco Security configuration guide;
> it did not work. So I would really appreciate your help on this.
>
> Thank you in advance
>
>
> Serguei Bezverkhi
> Technical Consultant
> HP Services
> Hewlett-Packard (Canada) Ltd.
>
> 514.856.6347 phone
> 514.856.6333 fax
> 514.9278254 mobile
>
> Serguei.Bezverkhi@hp.com
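A fuller version of the two-ACL setup tron describes above, with the "blanks" filled in and an explicit last line in the backwards ACL so that the empty-reflexive-list side effect from the tip cannot fail open. This is an added example, not configuration from the original post or from Cisco's documentation; the interface names, the inside network 10.0.0.0/24, the 180-second timeout and the extra permit lines are assumptions.

```cisco
! Added example (not part of the original post). Assumed: Ethernet0/0 is the
! inside interface, Serial0/0 is the outside interface, 10.0.0.0/24 is the
! inside network, and 180 s is an acceptable idle timeout for DNS sessions.
!
! Inspecting ACL: applied OUTBOUND on the outside interface. Each permitted
! packet that matches a "reflect" line creates a mirrored (src/dst swapped)
! entry in the reflexive list cbac-dyn, which ages out after the timeout.
ip access-list extended cbac-ins
 remark DNS server sourcing queries from port 53 (the line from the post)
 permit udp host 10.0.0.1 eq 53 any reflect cbac-dyn timeout 180
 remark same server using ephemeral source ports (typical for modern resolvers)
 permit udp host 10.0.0.1 any eq 53 reflect cbac-dyn timeout 180
 permit tcp host 10.0.0.1 any eq 53 reflect cbac-dyn timeout 180
 remark anything else leaving is dropped and logged; only permit lines reflect
 deny ip any any log
!
! Backwards ACL: applied INBOUND on the outside interface. The evaluate line
! comes first so returning packets are matched against the dynamic entries.
! The explicit "deny ip any any log" guarantees the ACL is never empty: an
! applied ACL with no entries permits everything, which is the fail-open side
! effect described in the post. With the deny present, an empty cbac-dyn
! blocks all unsolicited inbound traffic instead of allowing it.
ip access-list extended cbac-bac
 evaluate cbac-dyn
 deny ip any any log
!
interface Serial0/0
 description outside (interface name assumed)
 ip access-group cbac-ins out
 ip access-group cbac-bac in
!
! Optional: a global default instead of the per-line timeouts above
ip reflexive-list timeout 180
```

To check that entries are actually being created, send a query from 10.0.0.1 and run "show ip access-lists cbac-dyn"; the temporary entries appear with their remaining lifetime and disappear once the timeout expires. Note that a reflexive entry only mirrors the 5-tuple of the outbound packet, so protocols that negotiate a second connection on a different port (active FTP, for example) are not handled by this alone; that kind of application awareness is part of what CBAC adds on top.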



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:57 GMT-3