Reflexive Access Lists

Cisco IOS has statefull firewall features like reflexive access lists. By using this feature you can use your Cisco router as a second firewall (the choke point concept in Cisco firewall trainings) and increase your network security by layered approach.

You can use an access control list (ACL) for the filtering one way traffic but what about the responding packages. You have to add an incoming ACL but it should include only sessions started from internal. Reflexive ACLs helps us in this point.

Requirements
To use reflexive ACLs
1. You MUST use named access lists
2. You MUST add “reflect samplename” to the end of permit line.
3. You MUST create a second named access list and add “evaluate samplename” line for responding traffic.

Sample Scenario
In our example we have a proxy server (e.g. Microsoft ISA Server) with 122.22.22.1 IP address. This server needs access to internet via http (tcp 80) for web browsing and via dns (udp 53) for name resolution.

interface Serial0/0/0
description Internet connection
ip access-group INBOUND in
ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
permit tcp host 122.22.22.1 any reflect PROXYTCP
permit udp host 122.22.22.1 any eq domain reflect PROXYUDP
!
ip access-list extended INBOUND
evaluate PROXYTCP
evaluate PROXYUDP
!

We used reflect command to create reverse ACL and we added it to inbound ACL with evaluate command.

Last Words
This feature is really powerful tool to increase network security but you should not use it instead of a real firewall for Internet access. It should be used as another security layer.

Leave a Reply

Your email address will not be published. Required fields are marked *