Securing Cisco Devices: Part II – Reflexive ACLs
Reflexive access-lists add a kind of stateful logic to your access-list. With normal access-lists you have to be quite detailed about what you need to open, e.g. for surfing the web:
In this example we would have to place an access-list like:
inACL:
ip access-list extended inACL
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit udp 192.168.1.0 0.0.0.255 any eq 53
 permit tcp 192.168.1.0 0.0.0.255 any eq 53
 deny ip any any
outACL:
ip access-list extended outACL
 permit tcp any eq 80 192.168.1.0 0.0.0.255
 permit udp any eq 53 192.168.1.0 0.0.0.255
 permit tcp any eq 53 192.168.1.0 0.0.0.255
 deny ip any any
Remark: I know that this list is not complete to surf the internet. But as an example it should be enough.
But we can easily replace this access-list by adding some stateful features to it…
Understanding reflexive access-lists
The Cisco configuration guide is quite helpful for understanding this feature.
Reflexive access lists are nothing more than defining criteria for outbound traffic and permitting the corresponding return traffic on the way back. The router examines the outbound traffic and, once it sees a new connection, adds a temporary access-list entry to allow the replies back in:
ip access-list extended outACL
 permit ip any any reflect MIRROR
!
ip access-list extended inACL
 evaluate MIRROR
!
interface GigabitEthernet2/0
 ip access-group outACL out
 ip access-group inACL in
!
Now, once the client generates some traffic, we can check the dynamic part:
Router#show ip access-lists MIRROR
Reflexive IP access list Mirror
     permit tcp host 193.239.22.50 eq www host 192.168.1.100 eq 1234 (7 matches) (time left 294)
The timer is limited to 5 minutes (300 seconds) by default. If additional traffic matching an existing entry passes, the timer is reset to 5 minutes again. If the router sees that the session is closed (either FIN or RST), the entry is removed from the access-list.
The timeout can be changed with the global ip reflexive-list timeout command.
Limitations of reflexive access-lists
Reflexive ACLs do not work with applications that change port numbers during a TCP session. A good example is active FTP. If the port number of a return packet differs from that of the originating packet, the ACL will deny the packet.
If you want this to work, you would have to switch over to CBAC (Context-Based Access Control) or use passive FTP when originating requests from within your LAN.
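As an added illustration (not IOS code and not from the original post), here is a small Python model of what the router does with the MIRROR list described above: reflect creates the mirrored entry with the 300-second timer, evaluate permits only matching return traffic, refreshes the timer on each match and tears the entry down on FIN/RST, and an active-FTP data connection is denied because its ports match no entry. Flow and ReflexiveList are names chosen here; addresses and ports are constructed sample values taken from the examples above.

```python
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 300  # IOS default for reflexive entries: 5 minutes


@dataclass(frozen=True)
class Flow:
    """One direction of a session (constructed model, not an IOS structure)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self):
        """The return direction of this flow, as IOS writes it into MIRROR."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveList:
    timeout: int = DEFAULT_TIMEOUT
    entries: dict = field(default_factory=dict)  # return Flow -> expiry time

    def reflect(self, flow, now):
        """Outbound 'permit ... reflect': create or refresh the temporary entry."""
        self.entries[flow.mirror()] = now + self.timeout

    def evaluate(self, flow, now, flags=frozenset()):
        """Inbound 'evaluate': permit only if a live mirrored entry matches."""
        self._expire(now)
        if flow not in self.entries:
            return False  # no matching session -> falls through to the deny
        if flags & {"FIN", "RST"}:
            del self.entries[flow]  # session closed: entry is torn down
        else:
            self.entries[flow] = now + self.timeout  # matching traffic resets timer
        return True

    def time_left(self, flow, now):
        """Seconds left on an entry, like '(time left N)' in the show output."""
        self._expire(now)
        return max(0, self.entries[flow] - now) if flow in self.entries else 0

    def _expire(self, now):
        for f in [f for f, t in self.entries.items() if t <= now]:
            del self.entries[f]
```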