RE: Reflexive ACL vs Telnet established

From: Carlos Campos Torres (ccampost) (ccampost@cisco.com)
Date: Wed Jun 07 2006 - 16:02:56 ART


Yup, I was reading on that and I totally agree; I was just wondering, if I had
something like that for exam purposes, whether the result would be the same (I
think it would in the end, though one is more secure than the other).

Thanks Ben and Savjani for replying,

Carlos Campos CCNP, CCDP
Associate Systems Engineer
Cisco Systems, Inc
(919) 392-6285

-----Original Message-----
From: Ben [mailto:ccieben@cox.net]
Sent: Wednesday, June 07, 2006 3:00 PM
To: Carlos Campos Torres (ccampost)
Cc: ccielab@groupstudy.com
Subject: Re: Reflexive ACL vs Telnet established

Hi Carlos,

The "established" keyword in a router ACL is just checking for the TCP
ACK or RST bit set in the header:
"For the TCP protocol only: Indicates an established connection. A match
occurs if the TCP datagram has the ACK or RST bit set. The nonmatching
case is that of the initial TCP datagram to form a connection."

So, in theory, if someone was altering the header info - the packet
would pass through your ACL.

In contrast, the reflexive list is a sort-of-stateful-firewall-like
mechanism that only allows the return traffic that was originated by
matching your reflect statement. You can see these reflexive entries
with a "show access-list".

HTH

Ben

Carlos Campos Torres (ccampost) wrote:
> Hi all,
>
> Just wondering what the difference between allowing telnet in a
> reflexive ACL and just creating an access-list with the established
> keyword would be.
>
> Example: In Internetwork Experts Lab 5 Task 9.1 they ask to have
> telnet connectivity if a router started the connection
>
> Option 1)
>
> R2(config)#ip access-list extended INBOUND
> R2(config-ext-nacl)#permit tcp any eq telnet any established
>
> Option 2)
>
> R2(config)#ip access-list extended INBOUND
> R2(config-ext-nacl)#evaluate REFLECT
> R2(config)#ip access-list extended OUTBOUND
> R2(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT
>
> What would be the difference between doing it one way or the other?
>
> Any comments will be highly appreciated
>
> Thanks!
>
> Carlos Campos
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
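The following Python is an added example, not part of the thread and not Cisco code: it models the two INBOUND options Carlos posted and runs three constructed packets through both. The hosts (192.168.1.2 for R2, 10.0.0.1 and 10.0.0.9 as peers), ports and flag combinations are assumptions made for the illustration. It shows the point Ben makes: "established" only inspects the ACK/RST bits, so a forged packet with ACK set and source port 23 gets through, while the reflexive entry only matches a session R2 itself opened.

```python
# Added example, not from the thread: a toy model of the two INBOUND options
# discussed above.  Hosts, ports and packets below are constructed for
# illustration; no real router is involved.
from dataclasses import dataclass

# TCP header flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # bitwise OR of the flag bits above


def established_permits(pkt: Packet) -> bool:
    """Option 1: 'permit tcp any eq telnet any established'.

    The router looks at the header only: source port telnet and the ACK or
    RST bit set.  It never checks that R2 actually started the session."""
    return pkt.sport == TELNET and bool(pkt.flags & (ACK | RST))


class ReflexiveAcl:
    """Option 2: OUTBOUND 'permit tcp any any eq telnet reflect REFLECT'
    plus INBOUND 'evaluate REFLECT'.

    Each outbound telnet connection creates a temporary entry with the
    addresses and ports mirrored; inbound traffic is permitted only when it
    matches such an entry, so a packet from a host R2 never talked to is
    dropped no matter which flags it carries."""

    def __init__(self) -> None:
        # entries are stored as (src, sport, dst, dport) of the return path
        self.entries = set()

    def outbound(self, pkt: Packet) -> None:
        """Traffic leaving through the OUTBOUND ACL."""
        if pkt.dport == TELNET:
            self.entries.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permits(self, pkt: Packet) -> bool:
        """Traffic arriving at INBOUND ('evaluate REFLECT' is its only line)."""
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries

    def show_access_list(self) -> list:
        """The dynamic entries 'show access-list' would display."""
        return sorted(
            f"permit tcp host {s} eq {sp} host {d} eq {dp}"
            for (s, sp, d, dp) in self.entries
        )


def run_scenario() -> dict:
    """Return {packet name: (option 1 verdict, option 2 verdict)}."""
    reflect = ReflexiveAcl()
    # R2 (192.168.1.2, assumed address) opens a telnet session to 10.0.0.1
    reflect.outbound(Packet("192.168.1.2", 40001, "10.0.0.1", TELNET, SYN))

    probes = {
        # the SYN/ACK the real peer sends back
        "legit_return": Packet("10.0.0.1", TELNET, "192.168.1.2", 40001, SYN | ACK),
        # attacker sets ACK and uses source port 23; no session ever existed
        "spoofed_ack": Packet("10.0.0.9", TELNET, "192.168.1.2", 40001, ACK),
        # a fresh inbound connection attempt to R2's telnet port
        "new_connection": Packet("10.0.0.9", 51000, "192.168.1.2", TELNET, SYN),
    }
    return {
        name: (established_permits(p), reflect.inbound_permits(p))
        for name, p in probes.items()
    }


if __name__ == "__main__":
    for name, (opt1, opt2) in run_scenario().items():
        print(f"{name:15} established={opt1!s:5} reflexive={opt2}")
```

The legitimate return packet passes both options, the spoofed ACK passes only the "established" list, and a new inbound SYN is dropped by both. The toy keeps reflexive entries forever; on a real router they are removed when the session closes (FIN or RST seen) or when the `ip reflexive-list timeout` expires, which is one more reason the reflexive form is the tighter of the two.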



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART