Reflexive Access Lists

Written by admin. Posted in ACLs

This article describes what Reflexive Access Lists are, how they work, and how to configure Reflexive ACLs on Cisco routers in GNS3. Reflexive Access Lists are used to allow IP traffic for sessions that originate from inside the network, and to deny IP traffic for sessions that originate from outside the network.

They seem somewhat similar to Standard or Extended ACLs that use the established keyword to filter traffic based on session state, but they are actually different. With the established keyword you can filter only TCP sessions, whereas with Reflexive Access Lists you can filter TCP, UDP, ICMP and other IP sessions.

Reflexive ACLs should be configured on border routers that separate the internal network from the external one.

You can apply a Reflexive ACL on an internal or an external interface, depending on your network requirements.

How a Reflexive Access List works

When an upper-layer IP session (for example ICMP, TCP or UDP) is started from inside the network towards the outside, the Reflexive Access List generates a temporary entry that allows the return traffic of that session to come in from outside. The temporary entry is removed after the last packet of the session comes in or when a configured timeout timer expires. Reflexive ACLs can’t be applied directly to an interface; they are “nested” in an Extended Named ACL that is applied to the interface.

Reflexive Access Lists can be attached only to Extended Named IP ACLs.

To show how Reflexive ACLs on Cisco routers work, we will take the following example.

Reflexive ACL

In the image you see the Local router, which is part of the internal network, the Border router, which separates the internal and external networks, and the Remote router, which is part of the external network. The Reflexive ACL will be configured on the Border router and applied to the fa 0/1 interface. I have preconfigured the interfaces according to the topology and added a default route on the Local and Remote routers to send all unknown traffic to the Border router. A ping test between the Local and Border routers is shown below.

Local

Local#ping 192.168.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/42/88 ms
Local#

Remote

Remote#ping 10.0.0.2           

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/45/112 ms
Remote#

At this point we can ping Remote from Local and vice versa. After we apply the Reflexive Access List on the Border router, the only successful ping should be from the Local to the Remote router. Let’s configure it.

Border

ip access-list extended OUTFILTER
 permit icmp any any reflect ICMPFILTER timeout 300

interface FastEthernet0/1
 ip access-group OUTFILTER out

Configuration of the ACL is done in global configuration mode. This ACL examines traffic that goes from inside to outside the network. The entry “permit icmp any any reflect ICMPFILTER timeout 300” adds a temporary Reflexive Access List entry when it is matched (the Reflexive ACL name in this case is ICMPFILTER); that entry is removed when all packets of the session have returned or when the timeout timer expires (300 seconds in this case). This ACL is applied outbound. For packets coming from outside, an inbound ACL is applied that evaluates packets against the temporary entry.

ip access-list extended INFILTER
 evaluate ICMPFILTER

interface FastEthernet0/1
 ip access-group INFILTER in

As I said, the second ACL is applied inbound and evaluates packets against the temporarily generated Reflexive ACL entry. Before any packets are sent from inside to outside, our ACLs look like this:

Border#show ip access-lists 
Reflexive IP access list ICMPFILTER
Extended IP access list INFILTER
    10 evaluate ICMPFILTER
Extended IP access list OUTFILTER
    10 permit icmp any any reflect ICMPFILTER
Border#

At this point no temporary entry has been added to the Reflexive IP access list. After a ping from the Local to the Remote router a session is initiated and a temporary entry is added, see below:

Local#ping 192.168.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/68 ms
Border#show ip access-lists 
Reflexive IP access list ICMPFILTER
     permit icmp host 192.168.0.2 host 10.0.0.2  (10 matches) (time left 297)
Extended IP access list INFILTER
    10 evaluate ICMPFILTER
Extended IP access list OUTFILTER
    10 permit icmp any any reflect ICMPFILTER (6 matches)

Now you can see the temporarily generated entry (the “permit icmp host 192.168.0.2 host 10.0.0.2” line with its time-left counter). One more thing we should do is check that sessions initiated from outside are denied. We can check this with a ping from Remote to Local; it should be unsuccessful.

Remote#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

The results are as expected. For connectionless protocols such as ICMP or UDP, the temporary entry is removed only when the timeout timer expires, but for TCP (a connection-oriented protocol that keeps track of session state) the temporary entry is removed after the TCP session ends.
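To make the mechanism described above concrete, here is an added Python model of reflexive ACL behaviour. It is not from the original article and is not Cisco code: an outbound “reflect” creates a temporary entry that is the mirror image (source and destination swapped) of the outbound packet, an inbound “evaluate” consults that entry and falls through to the implicit deny otherwise, connectionless entries age out on the idle timer, and a TCP entry is dropped when the session ends. The addresses reuse the lab topology, the extra host 192.168.0.9 is constructed, and removing the TCP entry immediately on FIN or RST is a simplification of what the router does.

```python
"""Added example: a small model of reflexive ACL semantics (not Cisco code).
Assumptions: addresses follow the lab topology, 192.168.0.9 is a constructed
outside host, and TCP entries are removed immediately on FIN/RST (simplified)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0                   # 0 for ICMP
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"FIN"}


class ReflexiveAcl:
    """Temporary entries created by 'reflect', consulted by 'evaluate'."""

    def __init__(self, name, timeout=300):
        self.name = name
        self.timeout = timeout
        self.entries = {}            # mirrored 5-tuple -> expiry time (seconds)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def reflect(self, pkt, now):
        # Return traffic has source and destination swapped, so the temporary
        # entry is the mirror image of the outbound packet.
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now + self.timeout

    def evaluate(self, pkt, now):
        self._expire(now)
        key = self._key(pkt)
        if key not in self.entries:
            return False                       # no session: fall through to deny
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[key]              # connection-oriented: session end removes entry
        else:
            self.entries[key] = now + self.timeout   # connectionless: only the idle timer ages it out
        return True

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}


class BorderRouter:
    """Outbound extended ACL with 'reflect', inbound extended ACL with
    'evaluate' followed by the implicit deny."""

    def __init__(self, reflected_protos=("icmp", "tcp", "udp"), timeout=300):
        self.acl = ReflexiveAcl("SESSIONS", timeout)
        self.reflected_protos = set(reflected_protos)

    def outbound(self, pkt, now):
        # OUTFILTER-style entry: permit <proto> any any reflect SESSIONS
        if pkt.proto in self.reflected_protos:
            self.acl.reflect(pkt, now)
            return True
        return False                           # implicit deny

    def inbound(self, pkt, now):
        # INFILTER-style entry: evaluate SESSIONS, then implicit deny
        return self.acl.evaluate(pkt, now)


LOCAL, REMOTE, STRANGER = "10.0.0.2", "192.168.0.2", "192.168.0.9"   # constructed


def run_demo():
    """Replays the lab scenario plus a TCP session; returns the permit/deny verdicts."""
    r = BorderRouter()
    echo = Packet("icmp", LOCAL, REMOTE)
    reply = Packet("icmp", REMOTE, LOCAL)
    results = [
        r.outbound(echo, 0),                                # Local pings Remote: permitted, entry created
        r.inbound(reply, 1),                                # echo reply: permitted by the temporary entry
        r.inbound(Packet("icmp", STRANGER, LOCAL), 2),      # unsolicited from outside: denied
        r.inbound(reply, 301),                              # 300 s after the last packet: entry expired, denied
    ]
    syn = Packet("tcp", LOCAL, REMOTE, 40000, 80, frozenset({"SYN"}))
    results += [
        r.outbound(syn, 400),                                                        # TCP session opened from inside
        r.inbound(Packet("tcp", REMOTE, LOCAL, 80, 40000), 401),                     # data back: permitted
        r.inbound(Packet("tcp", REMOTE, LOCAL, 80, 40000, frozenset({"FIN"})), 402),  # FIN: permitted, entry removed
        r.inbound(Packet("tcp", REMOTE, LOCAL, 80, 40000), 403),                     # entry gone: denied
    ]
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print("permit" if verdict else "deny")
```

Running the block prints the verdict for each step; the fourth and last steps show the two ways an entry disappears, timeout for ICMP and session close for TCP, which is the distinction the paragraph above draws.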

Use Reflexive Access Lists in your network on external or internal interfaces, depending on your network requirements. That’s all for this lab; browse our site for more interesting articles!

Comments (1)

  • Rubén González


    The best I have seen, and well explained, on the net.

    This is the best explained I’ve ever seen
