Tip

Using reflexive access lists to allow traffic out but not in

Greg Ferro, Contributing Editor

In last week's article, Cisco IOS reflexive access lists, I talked about the whys and wherefores of using reflexive access lists. Now that I have covered the theory behind them, let's look at some practical examples of using and debugging reflexive access lists. This week, I'll show you how to create a reflexive access list that allows "everything out, nothing in."

This is the simplest configuration. You want everything initiated from the inside interface to be allowed out to the Internet, but you don't want any traffic initiated from the Internet to be allowed in. The diagram below will help you orient yourself.


The first thing to do is define our access lists:

magicwand#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Create the access list for the inside interface for traffic flowing to the outside:

magicwand(config)#ip access-list extended from-inside-to-outside

Allow all traffic out and create a reflexive access list entry for the returning traffic of each session:

magicwand(config-ext-nacl)# permit ip any any reflect do-reflex

Create the access list for the outside interface for traffic destined for the inside:

magicwand(config)#ip access-list extended from-outside-to-inside

Check traffic against the reflexive access lists created by the "reflect" statement:

magicwand(config-ext-nacl)# evaluate do-reflex

Deny all traffic that doesn't match the reflexive access list:

magicwand(config-ext-nacl)# deny ip any any
magicwand(config-ext-nacl)# exit

And now, apply the access lists to their interfaces. Ethernet0 faces the outside and ethernet1 faces the inside (the 192.168.2.0/24 network where the workstation lives). The article's listing repeats 192.168.2.1 on both interfaces, which IOS rejects as an overlapping subnet, so 192.168.1.1 on the Web server's network is assumed here for the outside interface:

magicwand(config)# interface ethernet0
magicwand(config-if)# ip address 192.168.1.1 255.255.255.0
magicwand(config-if)# ip access-group from-outside-to-inside in
magicwand(config-if)# interface ethernet1
magicwand(config-if)# ip address 192.168.2.1 255.255.255.0
magicwand(config-if)# ip access-group from-inside-to-outside in
magicwand(config-if)# exit
magicwand(config)# exit
magicwand#

You can also change some of the names to make it a little bit clearer:

magicwand(config)#ip access-list extended from-workstation-to-outside
magicwand(config-ext-nacl)# permit ip any any reflect create-reflex-lists

The first line defines an extended access list named "from-workstation-to-outside." The second line permits any IP traffic from any IP address to any IP address. The extra switch "reflect create-reflex-lists" enables the inspection of outbound packets: each outbound session is recorded as a temporary entry in the reflexive list named "create-reflex-lists."

magicwand(config)#ip access-list extended coming-back-to-you
magicwand(config-ext-nacl)# evaluate create-reflex-lists
magicwand(config-ext-nacl)# deny ip any any

Now we have defined the inbound access list, "coming-back-to-you," and flicked the switch that turns on the reverse path for the IP traffic that went out, with "evaluate create-reflex-lists." Then we denied any traffic coming in from anywhere else.

Show commands prior to traffic flow
Now let's go to the console of my "magicwand" and check out the new access lists:

magicwand#sh access-lists
Reflexive IP access list do-reflex
Extended IP access list from-inside-to-outside
    permit ip any any reflect do-reflex
Extended IP access list from-outside-to-inside
    evaluate do-reflex
    deny ip any any
magicwand#

Show commands after traffic flow
Now I check out a Web page on my Web server:

magicwand#sh access-lists
Reflexive IP access list do-reflex
    permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3767 (10 matches) (time left 809794)
    permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3766 (10 matches) (time left 809794)
    permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3765 (10 matches) (time left 809794)
Extended IP access list from-inside-to-outside
    permit ip any any reflect do-reflex
Extended IP access list from-outside-to-inside
    evaluate do-reflex
    deny ip any any
magicwand#

Now you can see that the reflexive access list has dynamically created an access list for traffic to come back through the outside interface. Let's look very carefully at this line:

permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3669 (time left 812079)

This line permits return traffic from my Web server (192.168.1.42), port 80, to my workstation (192.168.2.2) on port 3669. That is exactly what I want. It has been dynamically created and will expire at some time in the future (when the "time left" interval runs out).

If we check the "show access lists" command a little bit later:

magicwand#sh access-list
Reflexive IP access list do-reflex
Extended IP access list from-inside-to-outside
    permit ip any any reflect do-reflex
    permit icmp any any
Extended IP access list from-outside-to-inside
    evaluate do-reflex
    deny ip any any (78 matches)
magicwand#

you can see that the reflexive entries have been removed because they timed out. Now you are completely secured against traffic from the outside. Note that we have no DNS traffic here because I used http://192.168.1.42 in my Web browser. If you use a DNS name, you will also see a DNS entry like the following:

Reflexive IP access list do-reflex
    permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3767 (10 matches) (time left 809794)
    permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3766 (10 matches) (time left 809794)
    permit tcp host 192.168.1.42 eq www host 192.168.2.2 eq 3765 (10 matches) (time left 809794)
    permit udp host 192.168.1.181 eq domain host 192.168.2.2 eq 1650 (2 matches) (time left 809794)
Extended IP access list from-inside-to-outside
    permit ip any any reflect do-reflex
    permit icmp any any
Extended IP access list from-outside-to-inside
    evaluate do-reflex
    deny ip any any
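To make the reflect/evaluate mechanism concrete, here is an added Python model of what the two access lists above do; it is not IOS code and is not from the original article. Each outbound session is mirrored into a temporary entry of the form shown in the "show access-lists" output, returning traffic is matched against it, anything else hits "deny ip any any", and entries vanish after the timeout. The 300-second timeout is the IOS default and is an assumption here; the packets are constructed from the addresses in the article.

```python
from dataclasses import dataclass, field

# Constructed model of the reflexive ACL pair in the article (added example,
# not Cisco IOS code). The 300 s timeout is the IOS default and is assumed.
REFLEX_TIMEOUT = 300
PORT_NAMES = {80: "www", 53: "domain"}  # names IOS prints in "show access-lists"

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class ReflexiveAcl:
    """Temporary entries (mirrored packet -> expiry time), like 'do-reflex'."""
    entries: dict = field(default_factory=dict)

    def reflect(self, pkt, now):
        # "reflect do-reflex": record the session with src/dst and ports
        # swapped, so the entry describes the packets that may come back.
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now + REFLEX_TIMEOUT

    def evaluate(self, pkt, now):
        # "evaluate do-reflex": drop expired entries, then look for a match.
        self.entries = {m: t for m, t in self.entries.items() if t > now}
        return pkt in self.entries

    def show(self):
        # Render entries the way the article's "show access-lists" output does.
        return [f"permit {m.proto} host {m.src} eq {PORT_NAMES.get(m.sport, m.sport)}"
                f" host {m.dst} eq {PORT_NAMES.get(m.dport, m.dport)}"
                for m in self.entries]

def from_inside_to_outside(acl, pkt, now):
    acl.reflect(pkt, now)  # permit ip any any reflect do-reflex
    return "permit"

def from_outside_to_inside(acl, pkt, now):
    if acl.evaluate(pkt, now):  # evaluate do-reflex
        return "permit"
    return "deny"  # deny ip any any
```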

Next week, we'll address some of the problems that may crop up with this access list, and how to configure around them.


This was first published in February 2003
