
Super short Reflexive ACL tutorial

February 20th, 2008 · No Comments

Welcome back!

Okay, today it's reflexive ACLs. Old school, I know, but it's one of the possible CCIE Security topics, so we learn it anyhow. Here is how it works. First we configure an ACL:


Rack1R1(config)#ip access-l extend OUTBOUND
Rack1R1(config-ext-nacl)#permit tcp any any reflect STATE_TABLE
Rack1R1(config-ext-nacl)#permit udp any any reflect STATE_TABLE
Rack1R1(config-ext-nacl)#permit icmp any any reflect STATE_TABLE
Rack1R1(config-ext-nacl)#exit
Rack1R1(config)#ip access-l ext INBOUND
Rack1R1(config-ext-nacl)#evaluate STATE_TABLE
Rack1R1(config-ext-nacl)#deny ip any any log
Rack1R1(config-ext-nacl)#int s0/0.12
Rack1R1(config-subif)#ip access-g OUTBOUND out
Rack1R1(config-subif)#ip access-g INBOUND out
Rack1R1(config-subif)#ip access-g INBOUND in
Rack1R1(config-subif)#ip access-g OUTBOUND out
Rack1R1(config-subif)#do sh access-l
Extended IP access list INBOUND
    10 evaluate STATE_TABLE
    20 deny ip any any log (1 match)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATE_TABLE
    20 permit udp any any reflect STATE_TABLE
    30 permit icmp any any reflect STATE_TABLE
Reflexive IP access list STATE_TABLE
Rack1R1(config-subif)#

Now don't forget to allow your routing protocols… look what happened to OSPF…

*Mar  1 01:01:28.449: %SEC-6-IPACCESSLOGRP: list INBOUND denied ospf 150.1.12.2 -> 224.0.0.5, 1 packet

So we have to fix it…

Rack1R1(config-subif)#ip access-l ext INBOUND
Rack1R1(config-ext-nacl)#19 permit ospf any any
Rack1R1(config-ext-nacl)#
*Mar  1 01:01:58.434: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.2.2 on Serial0/0.12 from FULL to DOWN, Neighbor Down: Dead timer expired
Rack1R1(config-ext-nacl)#
*Mar  1 01:01:58.835: %SEC-6-IPACCESSLOGRP: list INBOUND denied ospf 150.1.12.2 -> 224.0.0.5, 3 packets
Rack1R1(config-ext-nacl)#
*Mar  1 01:02:03.406: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.2.2 on Serial0/0.12 from LOADING to FULL, Loading Done
Rack1R1(config-ext-nacl)#do sh access-l
Extended IP access list INBOUND
    10 evaluate STATE_TABLE
    19 permit ospf any any (8 matches)
    20 deny ip any any log (4 matches)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATE_TABLE
    20 permit udp any any reflect STATE_TABLE
    30 permit icmp any any reflect STATE_TABLE
Reflexive IP access list STATE_TABLE
Rack1R1(config-ext-nacl)#

OK, so now that OSPF is back up, let's test it… Jump over to another router from which we can generate an outbound TCP session. This should create the reflected ACL entry…

Telnet should do the trick.

Rack1R4#telnet 150.1.3.3
Trying 150.1.3.3 … Open

User Access Verification

Password:
Rack1R3>

Now let's go see the reflected ACL.

Rack1R1(config-ext-nacl)#do sh access-l
Extended IP access list INBOUND
    10 evaluate STATE_TABLE
    19 permit ospf any any (12 matches)
    20 deny ip any any log (4 matches)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATE_TABLE
    20 permit udp any any reflect STATE_TABLE
    30 permit icmp any any reflect STATE_TABLE
Reflexive IP access list STATE_TABLE
    permit tcp host 150.1.3.3 eq telnet host 150.1.14.4 eq 11000 (27 matches) (time left 290)

Perfect… that's all there is to it.
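As an added illustration (my own toy model, not code from the post or from IOS), here is a small Python sketch of what the router is doing above: an outbound packet matched by a "reflect" entry writes the swapped 5-tuple into STATE_TABLE with an expiry, "evaluate" only permits inbound packets that hit an unexpired entry, and everything else, including the OSPF hello (no outbound flow ever creates a reverse entry for 224.0.0.5), falls through to the deny. The 300-second idle timeout and its refresh on matching traffic are assumptions; TCP FIN/RST teardown of the entry is not modelled.

```python
from collections import namedtuple

DEFAULT_TIMEOUT = 300  # seconds: the "(time left 290)" above implies the IOS default of 300
Packet = namedtuple("Packet", "proto src sport dst dport")  # a packet is its 5-tuple


def reflect(state, pkt, now, timeout=DEFAULT_TIMEOUT):
    """Reflect an outbound packet into STATE_TABLE: the entry permits the reply (ends swapped)."""
    state[Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + timeout


def evaluate(state, pkt, now):
    """True if an unexpired reflected entry matches the inbound packet."""
    expiry = state.get(pkt)
    if expiry is None:
        return False
    if now >= expiry:
        del state[pkt]  # idle timer ran out: the temporary entry is gone
        return False
    state[pkt] = now + DEFAULT_TIMEOUT  # assumption: matching traffic refreshes the timer
    return True


def outbound(state, pkt, now):
    """OUTBOUND list: permit tcp/udp/icmp any any reflect STATE_TABLE, then implicit deny."""
    if pkt.proto in ("tcp", "udp", "icmp"):
        reflect(state, pkt, now)
        return "permit"
    return "deny"


def inbound(state, pkt, now, permit_ospf=False):
    """INBOUND list: 10 evaluate STATE_TABLE, (19 permit ospf any any), 20 deny ip any any log."""
    if evaluate(state, pkt, now):
        return "permit"
    if permit_ospf and pkt.proto == "ospf":
        return "permit"
    return "deny (logged)"


def demo():
    """Replays the post: the OSPF hello, R4's telnet to R3, the reply, and entry expiry."""
    state = {}
    hello = Packet("ospf", "150.1.12.2", 0, "224.0.0.5", 0)  # no outbound flow reflects a hello
    telnet = Packet("tcp", "150.1.14.4", 11000, "150.1.3.3", 23)
    reply = Packet("tcp", "150.1.3.3", 23, "150.1.14.4", 11000)
    return {
        "ospf_before_fix": inbound(state, hello, 0),
        "ospf_after_fix": inbound(state, hello, 0, permit_ospf=True),
        "telnet_out": outbound(state, telnet, 10),
        "reply_in": inbound(state, reply, 20),
        "reply_after_idle_timeout": inbound(state, reply, 20 + DEFAULT_TIMEOUT),
    }
```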


Tags: CCIE Security
