Blocking outbound traffic with reflexive access lists

Greg Ferro, Contributing Editor

In last week's article, I talked about using reflexive access lists to allow traffic out but not in. There are times, however, when you want to block certain traffic from going outbound. So let's look at the various scenarios. My evil twin, Dr. Network, has popped his ugly head in the door and told me that he wants to block all SSH traffic from going outbound so that the new contractor can't access his e-mail over the Internet. So I get out my "magicwand" and...

The above diagram shows what we want to achieve. If I do a test SSH, my "show access-list" looks something like this:

magicwand#sh access-list
Reflexive IP access list do-reflex
      permit tcp host eq 22 host eq 1192 (35 matches) (time left 817272)
Extended IP access list from-inside-to-outside
      permit ip any any reflect do-reflex
      permit icmp any any
Extended IP access list from-outside-to-inside
      evaluate do-reflex
      deny ip any any (265 matches)

The reflexive access list shows the temporary return entry that lets the reply traffic for the SSH session come back in through the outside interface.

Here is my router config before I start:

interface Ethernet0
  ip address
  ip access-group from-outside-to-inside in
interface Ethernet1
  ip address
  ip access-group from-inside-to-outside in
ip access-list extended from-inside-to-outside
  permit ip any any reflect do-reflex
  permit icmp any any
ip access-list extended from-outside-to-inside
  evaluate do-reflex
  deny   ip any any

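In this case, we need to block any traffic destined for port 22 (the SSH TCP port number). The deny entry has to sit above the reflecting permit, because the list is evaluated top down and the first match wins. So I change my access list to: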

magicwand#conf t
Enter configuration commands, one per line. End with CNTL/Z.
magicwand(config)#no ip access-list extended from-inside-to-outside
magicwand(config)#ip access-list extended from-inside-to-outside
magicwand(config-ext-nacl)#deny tcp any any eq 22 log
magicwand(config-ext-nacl)# permit ip any any reflect do-reflex
magicwand(config-ext-nacl)# permit icmp any any

I know that Dr. Network loves to gloat when he performs minor evil, so I put the "log" keyword on the end of the deny line. Then, when I try to SSH to my home server, I receive the following:

01:17:04: %SEC-6-IPACCESSLOGP: list from-inside-to-outside denied tcp ->, 1 packet
01:17:21: %SEC-6-IPACCESSLOGP: list from-inside-to-outside denied tcp ->, 1 packet
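
The Python sketch below is an added example, not part of the original article or of IOS itself. It models the two access lists with first-match evaluation and a set standing in for do-reflex, and compares the original list, the rebuilt list, and a list with the deny appended at the end. The addresses, ports and the WRONG_ORDER list are constructed for illustration, and entry timeouts are ignored.

```python
from collections import namedtuple

# Constructed sample flow; addresses and ports are illustrative only.
Packet = namedtuple("Packet", "proto src sport dst dport")

# Each rule: (action, protocol, destination port or None, reflect?)
DENY_SSH = ("deny", "tcp", 22, False)
REFLECT_ALL = ("permit", "ip", None, True)    # permit ip any any reflect do-reflex
PERMIT_ICMP = ("permit", "icmp", None, False)

BEFORE = [REFLECT_ALL, PERMIT_ICMP]                  # original from-inside-to-outside
AFTER = [DENY_SSH, REFLECT_ALL, PERMIT_ICMP]         # list as rebuilt in the article
WRONG_ORDER = [REFLECT_ALL, PERMIT_ICMP, DENY_SSH]   # hypothetical: deny appended last


class Router:
    def __init__(self, inside_to_outside):
        self.rules = inside_to_outside
        self.do_reflex = set()  # temporary reflexive entries

    def outbound(self, p):
        """First matching rule wins; a reflecting permit adds a mirror entry."""
        for action, proto, dport, reflect in self.rules:
            if proto not in ("ip", p.proto):
                continue
            if dport is not None and dport != p.dport:
                continue
            if reflect:
                self.do_reflex.add(Packet(p.proto, p.dst, p.dport, p.src, p.sport))
            return action
        return "deny"  # implicit deny at the end of every list

    def inbound(self, p):
        """from-outside-to-inside: evaluate do-reflex, then deny ip any any."""
        return "permit" if p in self.do_reflex else "deny"


def round_trip(rules, dport):
    """Return (outbound verdict, verdict for the matching reply)."""
    router = Router(rules)
    out = Packet("tcp", "10.0.0.5", 1192, "192.0.2.10", dport)
    reply = Packet("tcp", out.dst, out.dport, out.src, out.sport)
    return router.outbound(out), router.inbound(reply)


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)):
        print(name, "ssh:", round_trip(rules, 22), "https:", round_trip(rules, 443))
```

With the deny first, the SSH packet never reaches the reflecting permit, so no return entry is created; with the deny last, it is never reached at all.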

Oh well, I am sure that Dr Network will be happy. He just loves tormenting contractors...

Did you miss Greg's first two articles on reflexive access lists? Read them here:
>>Cisco IOS reflexive access lists
>>Using reflexive access lists to allow traffic out but not in

For more on access lists, check out our Router Expert articles.

Do you have questions for CCIE Greg Ferro, or other topics you'd like him to cover? E-mail us and let us know.

This was first published in March 2003
