Friday, July 4, 2008

R.E.F.L.E.C.T

Here's the topology:

R1 --INSIDE--> R4 --OUTSIDE--> R5

We are going to apply a reflexive ACL on R4 to permit outgoing telnet, web and ping traffic.

Let's go to R4 and create our outbound ACL with the keyword "reflect" used to create our reflexive ACL.

R4(config)#ip access-list extended OUTBOUND
R4(config-ext-nacl)#permit tcp any any eq 23 reflect ?
WORD Access-list name
R4(config-ext-nacl)#permit tcp any any eq 23 reflect MIRROR
R4(config-ext-nacl)#permit tcp any any eq 80 reflect MIRROR
R4(config-ext-nacl)#permit icmp any any echo reflect MIRROR
R4(config-ext-nacl)#exit

Next we "evaluate" the reflexive ACL on our inbound ACL (note that I am doing OSPF between R4 and R5 and I don't want the adjacency to break).

R4(config)#ip access-list extended INBOUND
R4(config-ext-nacl)#evaluate MIRROR
R4(config-ext-nacl)#permit ospf any any
R4(config-ext-nacl)#deny ip any any log
R4(config-ext-nacl)#exit
R4(config)#

Apply these ACLs inbound and outbound on your outside interface, in my case S1/0:

R4(config)#int s1/0
R4(config-if)#ip access-group INBOUND in
R4(config-if)#ip access-group OUTBOUND out

Let's do some telnetting from R1 to R5

R1#telnet 155.1.5.5
Trying 155.1.5.5 ... Open

User Access Verification

Username: cisco

Flip over to R4 for Verification:

R4#show ip access-lists MIRROR
Reflexive IP access list MIRROR
permit tcp host 155.1.5.5 eq telnet host 155.1.4.4 eq 58347 (51 matches) (time left 298)
R4#

Let's examine the ACL MIRROR, The source is our telnet destination (the device we are telnetting to). This ACL is being used inbound on our outside interface to allow return traffic. Also I should note that R4 is doing NAT, with 155.1.4.4 being the translated address of R1's actual interface address (10.0.0.1). So you can see reflexive ACL's are very neat because they automatically allow for return traffic while we filter inbound and outbound.

1 comment:

  1. Nice One... With additional docs from google most of confusion is clear now.. being Linux/Unix guy.. has diff concept with SNAT, DNAT and masquerading...........

    ReplyDelete

Note: Only a member of this blog may post a comment.