Friday, November 22, 2013

Reflexive ACLs

Introduction:

By default, an ACL is not stateful. When an 'inside' client opens a session to an 'outside' host, you have to create two ACLs:
- Client to Server
- Server to Client
In our case, we would like to permit everything coming from the client side and going to the server side, and to deny every session initiated from the server side. With traditional ACLs this configuration is really difficult to achieve, which is why we use reflexive ACLs. This kind of ACL records each session opened from the client side and opens the necessary port and source IP only for the traffic coming back from that specific server.

In our case, we are using a simple test infrastructure (client 10.1.1.10 on the inside, server 10.1.3.10 reached through FastEthernet0/1), as can be seen in the following diagram:


Traffic coming from the client side and going to the server side is authorized. From the server side, only the responses to sessions opened by a client are authorized (handled dynamically by the reflexive ACL). Any other traffic coming from the server side is denied.

Configuration:

In a first step, we create an ACL that reflects outgoing packets:

ip access-list extended OUTBOUND
  permit ip any any reflect MIRROR
!
interface FastEthernet0/1
  ip access-group OUTBOUND out

When the client initiates a session, a reflected entry is created in MIRROR:
Router#show ip access-lists MIRROR
Reflexive IP access list MIRROR
  permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)

In a second step, we create an ACL which evaluates the MIRROR entries to authorize the return traffic:
ip access-list extended INBOUND
  evaluate MIRROR
!
interface FastEthernet0/1
  ip access-group INBOUND in
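To make the reflect/evaluate mechanism concrete, here is an added Python model of what the router does with the two ACLs above (example code written for this post, not Cisco IOS code): an outbound packet creates a temporary mirror entry with source and destination swapped, and an inbound packet is permitted only while a matching, unexpired mirror entry exists. The packets, the timer refresh on a match and the omission of TCP FIN/RST teardown are simplifying assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    """Model of 'permit ip any any reflect MIRROR' (outbound) and
    'evaluate MIRROR' (inbound) with an implicit deny after evaluate."""
    def __init__(self, timeout=300):
        self.timeout = timeout          # IOS default reflexive timeout: 300 s
        self.mirror = {}                # reversed 5-tuple -> expiry time

    def outbound(self, pkt, now):
        # reflect: record the reverse 5-tuple so only the exact reply is opened
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.mirror[key] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        # evaluate: purge expired entries, then require an exact match;
        # no match means the packet hits the implicit deny of INBOUND
        self.mirror = {k: t for k, t in self.mirror.items() if t > now}
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.mirror:
            return False
        self.mirror[key] = now + self.timeout   # assumed: a match refreshes "time left"
        return True

    def show(self, now):
        # Rough equivalent of 'show ip access-lists MIRROR'
        return [f"permit {p} host {s} eq {sp} host {d} eq {dp} (time left {int(t - now)})"
                for (p, s, sp, d, dp), t in self.mirror.items()]

def demo():
    # Constructed packets modelled on the telnet session in the post
    acl = ReflexiveAcl(timeout=300)
    out = Packet("tcp", "10.1.1.10", 27797, "10.1.3.10", 23)
    reply = Packet("tcp", "10.1.3.10", 23, "10.1.1.10", 27797)
    server_initiated = Packet("tcp", "10.1.3.10", 40000, "10.1.1.10", 23)
    results = {"unsolicited_before": acl.inbound(server_initiated, now=0)}
    acl.outbound(out, now=0)
    results["reply"] = acl.inbound(reply, now=5)
    results["server_initiated"] = acl.inbound(server_initiated, now=5)
    results["entries_after_reply"] = len(acl.show(now=5))
    results["reply_after_timeout"] = acl.inbound(reply, now=5 + 301)
    return results
```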
 
Results:

Connections initiated from the server side are denied:
SERVER#telnet 10.1.1.10
Trying 10.1.1.10 ...
% Destination unreachable; gateway or host down

Connections initiated from the client side are authorized:
client#telnet 10.1.3.10
 Trying 10.1.3.10 ... Open
 User Access Verification
 Password:
 SERVER>en
As you can see below, a 'reflexive' session is authorized from the server to the client:
Router#show ip access-lists
Extended IP access list INBOUND
  10 evaluate Mirror
Reflexive IP access list Mirror
  permit tcp host 10.1.3.10 eq telnet host 10.1.1.10 eq 27797 (27 matches) (time left 159)
Extended IP access list OUTBOUND
10 permit ip any any reflect Mirror (27 matches)
 
Remarks:
 
By default, the timeout for a reflexive ACL entry is 300 seconds. It can be changed globally with the ip reflexive-list timeout command, or per entry with the timeout keyword on the reflect statement. Note that only the exact mirrored addresses and ports are opened: anything else arriving from the server side falls through to the implicit deny of INBOUND, so any other return traffic you need must be added explicitly after the evaluate line.

