Reflexive access control lists filter IP packets using upper-layer session information. They permit IP traffic for sessions that originate inside your network while blocking traffic that originates outside; this is known as reflexive session filtering.

An access control list (ACL) is a set of rules for regulating network traffic and preventing network attacks. ACLs filter a network’s incoming and outgoing traffic based on a predefined set of rules.

ACL features

  • The defined rules are matched sequentially, beginning with the first line, then the second, and so on.
  • A packet is compared against each rule in turn; once a rule matches, that rule’s action is applied and no further rules are evaluated.
  • Every ACL concludes with an implicit denial, meaning that the packet is discarded if no condition or rule is met.

Direction of ACL

Once the access list has been created, it must be applied to the interface’s inbound or outbound traffic:

  • Inbound access lists – When an access list is applied to the interface’s inbound packets, the packets are first processed based on the access list and then routed to the outbound interface.
  • Outbound access lists – When an access list is applied to the interface’s outbound packets, the packet is first routed and then processed at the outbound interface.

Reflexive Access Lists

Reflexive access lists are extended access lists that let two access lists work together dynamically. When the outbound access list detects a connection to a remote site, the inbound access list is opened to allow two-way communication. Once this two-way session is over, the remote site’s access through the inbound access list is closed again. A reflexive access list has the following characteristics:

  • The reflexive access list does not end with an implicit “deny any” statement.
  • A reflexive access list entry is always a permit entry.
  • When using reflexive access lists, you use named access lists in pairs that relate to each other.
  • The inbound interface access list changes dynamically based on sessions started inside the network.

These dynamic entries are created when a host on the internal network starts a session and removed when the session ends or after a period of inactivity. For TCP, session end is detected from the FIN or RST bit; for UDP, or when a TCP session is not closed cleanly, the inactivity timeout is used.

  • Reflexive access lists can support both TCP and UDP sessions.
  • Reflexive access lists are defined within extended access lists and are not applied to an interface directly.
  • Reflexive access lists provide more security than extended access lists, especially regarding spoofing addresses and some DoS attacks.
  • Reflexive access lists are named access lists that let two access lists work together dynamically to create Layer 4 session-based filtering.

Reflexive access lists are similar to dynamic access lists in that both open paths through the router based on what a user needs at a given time. Once the application that started them has ended, these pathways are closed. With reflexive access lists, users don’t have to start a Telnet session to verify their identity on the router. This allows transparent operation, where the user doesn’t even know that an access list controls availability. Reflexive access lists also work more easily with mass-produced and system-based software, because no extra steps are needed to grant additional access.

When setting up reflexive access lists, you must create two access lists: one for packets coming in and one for packets going out. Let’s do a lab to see this in action.

Reflexive Access Control List

Initial Configurations

!
hostname PC-1
!
enable secret 5 $1$linM$Iz2Erv0h9LX9pZy/8FEJy.
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254

!
hostname INTRA-NET
!
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!

!
hostname IOS-FW
!
interface Ethernet0/0
ip address 99.1.1.254 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip address 10.1.1.254 255.255.255.0
duplex auto
!
ip routing

!
hostname WEB-SERVER-1
!
multilink bundle-name authenticated
!
interface Ethernet0/0
ip address 99.1.1.1 255.255.255.0
duplex auto
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 99.1.1.254
!

!
hostname PC-02
!
enable secret 5 $1$5ypE$mIi4DR69VddLm8MygMmCK0
!
interface Ethernet0/0
ip address 99.1.1.2 255.255.255.0
duplex auto
!
ip route 0.0.0.0 0.0.0.0 99.1.1.254

Once the initial configuration is added to the devices, we can reach the outside from the inside.

PC-1#ping 99.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms


PC-1#telnet 99.1.1.1 80
Trying 99.1.1.1, 80 ... Open

We can see reachability, so let’s try it the opposite way.

PC-02#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms


PC-02#telnet 10.1.1.1 80
Trying 10.1.1.1, 80 ... Open

Evidently, we can access the resource from both sides, so let’s configure IOS-FW with a reflexive ACL.

There are three steps involved in creating the reflexive ACL.

  1. Create an ACL for outbound direction to record and reflect the outgoing connections.
  2. Create an ACL for inbound direction, referring to the first ACL. Note that entries in this ACL will be dynamically placed.
  3. Apply both ACLs on an appropriate interface.

! On the IOS-FW router
!
! Step 1
!
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-R-ACL
 permit icmp any any reflect ICMP-R-ACL
 deny   ip any any log
!
! Step 2
!
ip access-list extended INBOUND
 evaluate TCP-R-ACL
 evaluate ICMP-R-ACL
!
! Step 3
!
interface Ethernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!

Let’s see what ACLs we created on IOS-FW:

IOS-FW#show access-lists
Reflexive IP access list ICMP-R-ACL
Extended IP access list INBOUND
    10 evaluate TCP-R-ACL
    20 evaluate ICMP-R-ACL
Extended IP access list OUTBOUND
    10 permit tcp any any reflect TCP-R-ACL
    20 permit icmp any any reflect ICMP-R-ACL
    30 deny ip any any log
Reflexive IP access list TCP-R-ACL
IOS-FW#

Now it’s time to validate the reflexive ACL we created. From the inside, try to ping and telnet to port 80 on the outside.

PC-1#ping 99.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
PC-1#

PC-1#telnet 99.1.1.1 80
Trying 99.1.1.1, 80 ... Open

Both were successful. See the magic? If you look at the access lists again, you’ll notice new entries in the reflexive access lists that are the exact mirror of the traffic that originated from inside to outside (source and destination addresses and ports swapped):

permit icmp host 99.1.1.2 host 10.1.1.2

permit tcp host 99.1.1.1 eq www host 10.1.1.2 eq 36802

IOS-FW#show access-lists
Reflexive IP access list ICMP-R-ACL
     permit icmp host 99.1.1.2 host 10.1.1.2  (10 matches) (time left 275)
Extended IP access list INBOUND
    10 evaluate TCP-R-ACL
    20 evaluate ICMP-R-ACL
Extended IP access list OUTBOUND
    10 permit tcp any any reflect TCP-R-ACL
    20 permit icmp any any reflect ICMP-R-ACL (6 matches)
    30 deny ip any any log
Reflexive IP access list TCP-R-ACL

IOS-FW#show access-lists
Reflexive IP access list ICMP-R-ACL
     permit icmp host 99.1.1.2 host 10.1.1.2  (10 matches) (time left 136)
Extended IP access list INBOUND
    10 evaluate TCP-R-ACL
    20 evaluate ICMP-R-ACL
Extended IP access list OUTBOUND
    10 permit tcp any any reflect TCP-R-ACL (15 matches)
    20 permit icmp any any reflect ICMP-R-ACL (6 matches)
    30 deny ip any any log
Reflexive IP access list TCP-R-ACL
     permit tcp host 99.1.1.1 eq www host 10.1.1.2 eq 36802 (5 matches) (time left 297)

What happens if we try to reach inside resources from the outside? From PC-02, try to reach the internal resources.

PC-02#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC-02#telnet 10.1.1.1 80
Trying 10.1.1.1, 80 ...
% Destination unreachable; gateway or host down

PC-02#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC-02#

Did you observe that the newly created dynamic entry contains a time component?

permit icmp host 99.1.1.2 host 10.1.1.2 (10 matches) (time left 136)

Reflexive access list entries expire at session end. A TCP entry is removed 5 seconds after two FIN bits have been seen, or immediately after matching a TCP packet with the RST bit set. The 5-second window lets the session end gracefully after the two FINs, whereas RST indicates an abrupt close. If no session packets are seen for a configurable period (the timeout), the temporary entry is removed.

UDP and other protocols end sessions differently than TCP. They are connectionless, so their packets carry no session-tracking information; a session is therefore considered ended when no packets are seen for a configurable period (the timeout).

Setting a timeout value

Reflexive access list entries expire after a “timeout” period without session packets. A timeout can be specified per reflexive access list; if you don’t specify one, the global timeout is used.

To set a timeout of 30 seconds for TCP sessions:

permit tcp any any reflect TCP-R-ACL timeout 30

The default global timeout is 300 seconds, but you can change it. In global configuration mode, type:

Router(config)# ip reflexive-list timeout 120

This global command sets the timeout to 120 seconds.
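To make the behaviour seen in this lab concrete, here is an added Python model of one reflexive list (it is not IOS code and not part of the original post): reflect() mirrors an outbound packet into a temporary entry the way “permit … reflect NAME” does, evaluate() answers what “evaluate NAME” would on the inbound side, and expiry follows the rules above (5 seconds after two FINs, immediately on RST, otherwise the list’s own timeout or the 300-second global default). The class and method names and the timing model are assumptions made for illustration.

```python
from dataclasses import dataclass

GLOBAL_TIMEOUT = 300  # IOS default for "ip reflexive-list timeout", in seconds

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                  # 0 for icmp
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags seen, e.g. frozenset({"FIN"})

@dataclass
class Entry:                        # one temporary line of a reflexive list
    key: tuple                      # (proto, outside src, inside dst, sport, dport)
    timeout: int
    last_seen: float
    fins: int = 0
    close_at: float = float("inf")  # becomes now + 5 once both FINs were seen

class ReflexiveList:
    """'Reflexive IP access list NAME' and the entries created under it (assumed model)."""
    def __init__(self, name, timeout=None):  # per-list "timeout N" overrides the global
        self.name, self.timeout, self.entries = name, timeout or GLOBAL_TIMEOUT, []
    def expire(self, now):  # drop entries idle past their timeout or past the FIN window
        self.entries = [e for e in self.entries
                        if now - e.last_seen < e.timeout and now < e.close_at]
    def _match(self, key, pkt, now):  # find a live entry and track TCP session state
        self.expire(now)
        e = next((e for e in self.entries if e.key == key), None)
        if e is not None:
            e.last_seen = now
            if "RST" in pkt.flags:            # abrupt close: remove the entry at once
                self.entries.remove(e)
            elif "FIN" in pkt.flags:
                e.fins += 1
                if e.fins == 2:               # graceful close: entry lives 5 more seconds
                    e.close_at = now + 5
        return e
    def reflect(self, pkt, now):  # outbound packet hit "permit ... reflect NAME"
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)  # mirror: src/dst swapped
        if self._match(key, pkt, now) is None:
            self.entries.append(Entry(key, self.timeout, now))
    def evaluate(self, pkt, now):  # inbound packet checked by "evaluate NAME"
        return self._match((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport), pkt, now) is not None
    def time_left(self, key, now):  # the "(time left N)" column of show access-lists
        e = next((e for e in self.entries if e.key == key), None)
        return None if e is None else int(min(e.timeout - (now - e.last_seen), e.close_at - now))
```

Replaying the lab’s PC-1 to WEB-SERVER-1 telnet through this model produces the mirrored entry “tcp 99.1.1.1:80 -> 10.1.1.2:36802”, and an unsolicited packet from PC-02 to INTRA-NET finds no entry and is denied.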

You can read about dynamic access lists here.