09 August 2011

Cisco Reflexive Access Lists

Cisco reflexive ACLs are a poor man's stateful firewall. If you don't have the luxury of the Advanced Security feature set, configuring them is your best bet: each permitted outbound flow creates a temporary, mirrored entry that allows only the matching return traffic back in.

Take the simple example above. A name server behind your router makes a recursive lookup to another name server. Looking at the exchange, you need to permit UDP to port 53 out of interface e0, and the reply comes back in on e0 to the source port the query used, here 2033. Unfortunately that port is chosen dynamically per query, so you could either permit any UDP traffic in on e0, or use a reflexive ACL to open just the return path for the flow you actually sent.

ip access-list extended inbound
 ! Static permits are checked first
 permit icmp any any
 ! Then the temporary entries created by the outbound "reflect" statement
 evaluate mytraffic

ip access-list extended outbound
 ! Each UDP flow leaving e0 creates a mirrored entry in mytraffic
 permit udp any any reflect mytraffic
 ! Anything not permitted here (e.g. TCP) is dropped by the implicit deny

interface e0
 ip access-group inbound in
 ip access-group outbound out


show access-list mytraffic
 permit udp host eq 53 host eq 2033 (1 match) (time left 299)
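As an added example, not from the original post, here is a fuller version of the same setup that also tracks TCP leaving e0, keeps a static hole for the inside name server, and shortens the idle timeout for the temporary entries. The 192.168.1.0/24 inside network and the 192.168.1.53 name server address are assumptions.

```cisco
! Added example, not the original post's configuration.
! e0 is the outside interface; 192.168.1.0/24 is the assumed inside network.
!
! Idle timeout for reflexive entries (default is 300 seconds, as the
! "time left 299" in the show output reflects)
ip reflexive-list timeout 120
!
ip access-list extended outbound
 ! Every UDP and TCP flow from inside creates a mirrored entry in mytraffic
 permit udp 192.168.1.0 0.0.0.255 any reflect mytraffic
 permit tcp 192.168.1.0 0.0.0.255 any reflect mytraffic
 ! Let inside hosts ping out; replies are covered by the static line below
 permit icmp 192.168.1.0 0.0.0.255 any
 ! Anything else from inside hits the implicit deny
!
ip access-list extended inbound
 ! Static exceptions first: the outside may query our name server directly
 permit udp any host 192.168.1.53 eq 53
 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
 ! Then consult the temporary entries built by the outbound reflect statements
 evaluate mytraffic
 ! Unsolicited inbound traffic falls through to the implicit deny
!
interface e0
 ip access-group inbound in
 ip access-group outbound out
```

Two caveats worth checking before relying on this. Reflexive entries for TCP are torn down shortly after the router sees the session close (FIN or RST), while UDP entries only expire on the idle timeout, so the timeout is what bounds how long an unused UDP hole stays open. And because the mirrored entry is an exact swap of addresses and ports, protocols that negotiate a second connection on a different port, such as active FTP, are not handled; those still need a static permit or a real stateful inspection feature.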
