Re: Reflexive ACL vs Telnet established

From: Elias Chari (elias.chari@gmail.com)
Date: Wed Jun 07 2006 - 16:12:36 ART


Carlos,

If the traffic is originated by the router, it will not be reflected,
therefore the return traffic will be dropped. You need to allow it
explicitly in.

Rgds
Elias

On 6/7/06, Carlos Campos Torres (ccampost) <ccampost@cisco.com> wrote:
>
> Yup, I was reading on that and I totally agree, just wondering if I had
> something like that for exam purposes if the result would be the same (I
> think it would at the end, one more secure than the other though).
>
> Thanks Ben and Savjani for replying,
>
> Carlos Campos CCNP, CCDP
> Associate Systems Engineer
> Cisco Systems, Inc
> (919) 392-6285
>
>
>
> -----Original Message-----
> From: Ben [mailto:ccieben@cox.net]
> Sent: Wednesday, June 07, 2006 3:00 PM
> To: Carlos Campos Torres (ccampost)
> Cc: ccielab@groupstudy.com
> Subject: Re: Reflexive ACL vs Telnet established
>
> Hi Carlos,
>
> The "established" keyword in a router ACL is just checking for the TCP
> ACK or RST bit set in the header:
> "For the TCP protocol only: Indicates an established connection. A match
> occurs if the TCP datagram has the ACK or RST bit set. The nonmatching
> case is that of the initial TCP datagram to form a connection."
>
> So, in theory, if someone was altering the header info - the packet
> would pass through your ACL.
>
> In contrast - the reflexive list is a sort-of-stateful-firewall-like
> mechanism that only allows return traffic for connections that were
> originated by matching your reflect statement. You can see these
> reflexive entries with a "show access-list".
>
> HTH
>
> Ben
>
>
> Carlos Campos Torres (ccampost) wrote:
> > Hi all,
> >
> > Just wondering what the difference between allowing telnet in a
> > reflexive ACL and just creating an access-list with the established
> > keyword would be.
> >
> > Example: In Internetwork Experts Lab 5 Task 9.1 they ask to have
> > telnet connectivity if a router started the connection
> >
> > Option 1)
> >
> > R2(config)#ip access-list extended INBOUND
> > R2(config-ext-nacl)#permit tcp any eq telnet any established
> >
> > Option 2)
> > R2(config)#ip access-list extended INBOUND
> > R2(config-ext-nacl)#evaluate REFLECT
> > R2(config)#ip access-list extended OUTBOUND
> > R2(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT
> >
> > What would be the difference between doing it one way or the other?
> >
> > Any comments will be highly appreciated
> >
> > Thanks!
> >
> > Carlos Campos
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
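Added example (not from the thread and not IOS code): a small Python model of the two filters in Carlos's options, with addresses and ports constructed for illustration. It shows that return traffic for a host-initiated Telnet session passes both lists, that return traffic for a router-originated Telnet session passes only the established list (Elias's point), and that an unsolicited segment with the ACK bit set also passes only the established list (Ben's point).

```python
# Constructed model (not IOS code) of two inbound filters for Telnet return
# traffic: "permit tcp any eq telnet any established" versus a reflexive
# list built by "permit tcp any any eq telnet reflect REFLECT" + "evaluate".
from dataclasses import dataclass

TELNET = 23

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag
    rst: bool = False  # TCP RST flag

def established_permits(pkt: Packet) -> bool:
    """'permit tcp any eq telnet any established': a header-bit check only."""
    return pkt.sport == TELNET and (pkt.ack or pkt.rst)

class ReflexiveAcl:
    """Outbound 'reflect' creates a mirrored entry; inbound 'evaluate' matches it."""
    def __init__(self) -> None:
        self.entries = set()  # (src, sport, dst, dport) mirrored from outbound packets

    def outbound(self, pkt: Packet, router_originated: bool = False) -> None:
        # Router-generated traffic bypasses the outbound ACL, so nothing is reflected.
        if router_originated:
            return
        if pkt.dport == TELNET:  # matches the "reflect REFLECT" statement
            self.entries.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permits(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries

def compare(scenario: str) -> tuple:
    """Return (established_result, reflexive_result) for a constructed scenario."""
    acl = ReflexiveAcl()
    if scenario == "host-initiated":
        acl.outbound(Packet("10.0.0.5", 40000, "192.0.2.9", TELNET))
        ret = Packet("192.0.2.9", TELNET, "10.0.0.5", 40000, ack=True)
    elif scenario == "router-initiated":
        acl.outbound(Packet("10.0.0.1", 11000, "192.0.2.9", TELNET), router_originated=True)
        ret = Packet("192.0.2.9", TELNET, "10.0.0.1", 11000, ack=True)
    elif scenario == "unsolicited-ack":
        ret = Packet("192.0.2.9", TELNET, "10.0.0.5", 40001, ack=True)
    else:
        raise ValueError(scenario)
    return established_permits(ret), acl.inbound_permits(ret)
```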



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART