
Securing Cisco Devices: Part II – Reflexive ACLs

April 27th, 2009

Reflexive access lists add a kind of stateful logic to an access list. With ordinary access lists you have to be quite detailed about what you open, e.g. for surfing the web:


In this example we would have to configure access lists like the following (they must be extended ACLs: a standard ACL matches only on the source address and cannot filter on protocol or port):

inACL:

ip access-list extended inACL
   permit tcp 192.168.1.0 0.0.0.255 any eq 80
   permit udp 192.168.1.0 0.0.0.255 any eq 53
   permit tcp 192.168.1.0 0.0.0.255 any eq 53
   deny ip any any

outACL:

ip access-list extended outACL
   permit tcp any eq 80 192.168.1.0 0.0.0.255
   permit udp any eq 53 192.168.1.0 0.0.0.255
   permit tcp any eq 53 192.168.1.0 0.0.0.255
   deny ip any any

Remark: I know this list is not complete enough for surfing the Internet, but it is sufficient as an example. Note also that the "return" entries in outACL permit any host to send packets from source port 80 or 53 into the LAN, whether or not a client ever talked to it; that is exactly the weakness the stateful approach below removes.

But we can easily replace these access lists by adding some stateful features…

Understanding reflexive access-lists

The Cisco configuration guide is quite helpful for understanding this feature.
Reflexive access lists are nothing more than criteria defined for outbound traffic, with the replies to that traffic permitted on the way back. The router examines the outbound traffic, and once it sees a new session it adds a temporary access-list entry with source and destination (addresses and ports) swapped, so that the replies are allowed back in. Two details matter in practice: reflexive entries only work inside named extended ACLs, and the evaluate statement is processed in order like any other entry, so static permits for traffic that must get in without a matching outbound session go before it, and everything that matches nothing is dropped by the implicit deny:

ip access-list extended outACL
   permit ip any any reflect MIRROR
!
ip access-list extended inACL
   evaluate MIRROR
!
interface GigabitEthernet2/0
   ip access-group outACL out
   ip access-group inACL in
!


Once the client generates some traffic, we can check the dynamic part of the access list:

Router#show ip access-lists MIRROR
Reflexive IP access list MIRROR
  permit tcp host 193.239.22.50 eq www host 192.168.1.100 eq 1234 (7 matches) (time left 294)


By default an entry lives for 5 minutes (300 seconds). Every further packet matching an existing entry resets its timer to the full timeout. If the router sees a TCP session being closed (FIN exchange or RST), the entry is removed before the timer runs out. UDP and ICMP have no session end, so their entries are only ever removed by the timeout.

The timeout can be changed with the global ip reflexive-list timeout <seconds> command, e.g. ip reflexive-list timeout 120 for two minutes. A shorter timeout means idle entries (and the hole they keep open for the remote host) disappear sooner, at the price of long-idle sessions being cut off.

Limitations of reflexive access-lists

Reflexive ACLs do not work with applications that open additional connections on ports negotiated inside the session. Active FTP is the classic example: the client opens the control connection to port 21, but the server then opens the data connection from its port 20 to a client port that was announced over the control channel. That inbound connection has no matching outbound packet, so no mirrored entry exists and the ACL denies it.
If you want this to work you have to switch to CBAC (Context-Based Access Control, the ip inspect feature), which understands such protocols, or use passive FTP when the requests originate from within your LAN.
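The behaviour described in the sections above (mirroring the outbound 5-tuple, the timer refresh and session teardown, and the active-FTP failure) as a small Python model. This is an added illustration, not IOS code and not from the original post: the addresses and ports are made up, the FTP server address is invented, and the teardown rule (remove on RST, or after a FIN from each side) is a simplification of what IOS actually does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP control flags, e.g. frozenset({"FIN"})


class ReflexiveACL:
    """Toy model of one 'reflect NAME' / 'evaluate NAME' pair on an interface.

    Outbound packets match 'permit ip any any reflect NAME' and create a
    temporary entry keyed on the 5-tuple the reply will carry. Inbound
    packets hit 'evaluate NAME' and pass only while a matching entry is
    alive; everything else falls into the implicit deny.
    """

    DEFAULT_TIMEOUT = 300   # seconds; IOS default for ip reflexive-list timeout

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        # (proto, remote_ip, remote_port, local_ip, local_port) -> entry state
        self.entries = {}

    def _expire(self, now):
        self.entries = {k: v for k, v in self.entries.items() if v["expires"] > now}

    def _session_closed(self, key, pkt):
        # Simplified teardown: an RST, or one FIN from each side, ends a TCP session.
        if pkt.proto != "tcp":
            return False
        if "RST" in pkt.flags:
            return True
        if "FIN" in pkt.flags:
            self.entries[key]["fins"] += 1
            return self.entries[key]["fins"] >= 2
        return False

    def outbound(self, pkt, now):
        """Packet leaving the protected network: permitted, and mirrored."""
        self._expire(now)
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.entries.setdefault(key, {"expires": 0, "fins": 0})
        entry["expires"] = now + self.timeout
        if self._session_closed(key, pkt):
            del self.entries[key]
        return True

    def inbound(self, pkt, now):
        """Packet arriving from outside: permitted only by a live mirrored entry."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False                                   # implicit deny ip any any
        self.entries[key]["expires"] = now + self.timeout  # matching traffic refreshes
        if self._session_closed(key, pkt):
            del self.entries[key]
        return True

    def time_left(self, key, now):
        """Seconds until the entry expires ('time left' in show ip access-lists)."""
        return max(0, self.entries[key]["expires"] - now) if key in self.entries else 0


# Constructed sample hosts: the client and web server from the post, an invented FTP server.
CLIENT, WEB, FTP = "192.168.1.100", "193.239.22.50", "198.51.100.7"


def http_scenario():
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", CLIENT, 1234, WEB, 80, frozenset({"SYN"})), now=0)
    reply = Packet("tcp", WEB, 80, CLIENT, 1234)
    probe = Packet("tcp", "203.0.113.9", 80, CLIENT, 1234)   # unrelated host, same ports
    reply_ok = acl.inbound(reply, now=10)                   # True, timer reset to 310
    probe_ok = acl.inbound(probe, now=10)                   # False: no entry for that tuple
    left = acl.time_left(("tcp", WEB, 80, CLIENT, 1234), now=16)   # 294, as in the show output
    late = acl.inbound(reply, now=311)                      # False: expired at 310
    return reply_ok, probe_ok, left, late


def teardown_scenario():
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", CLIENT, 1234, WEB, 80), now=0)
    acl.inbound(Packet("tcp", WEB, 80, CLIENT, 1234, frozenset({"FIN"})), now=1)
    acl.outbound(Packet("tcp", CLIENT, 1234, WEB, 80, frozenset({"FIN"})), now=2)
    return acl.inbound(Packet("tcp", WEB, 80, CLIENT, 1234), now=3)   # False: entry gone


def ftp_scenario():
    acl = ReflexiveACL()
    acl.outbound(Packet("tcp", CLIENT, 2000, FTP, 21), now=0)         # control connection
    ctrl_ok = acl.inbound(Packet("tcp", FTP, 21, CLIENT, 2000), now=1)
    # Active mode: client announced port 2001, server connects back from port 20.
    active_ok = acl.inbound(Packet("tcp", FTP, 20, CLIENT, 2001, frozenset({"SYN"})), now=2)
    # Passive mode: server announced port 50000, client initiates, reply is mirrored.
    acl.outbound(Packet("tcp", CLIENT, 2002, FTP, 50000, frozenset({"SYN"})), now=3)
    passive_ok = acl.inbound(Packet("tcp", FTP, 50000, CLIENT, 2002), now=4)
    return ctrl_ok, active_ok, passive_ok


if __name__ == "__main__":
    print("http:", http_scenario())          # (True, False, 294, False)
    print("teardown:", teardown_scenario())  # False
    print("ftp:", ftp_scenario())            # (True, False, True)
```

The active-mode data connection fails for the same reason the HTTP probe from the unrelated host fails: the inbound 5-tuple was never seen in the outbound direction, so nothing mirrors it. The only fix within reflexive ACLs would be a static permit for inbound port 20, which reopens the hole the stateful approach was meant to close; hence the pointer to CBAC or passive FTP.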
