Hi all,
I found it pretty weird, but reflexive access lists on Cisco (12.1) work
only for outbound access lists. I have a Cisco with 3 interfaces: local
(Ethernet 0), dmz (Ethernet 1), isp (Serial 0). I use reflexive access lists
for my outbound connections from local to ISP, and it works fine because
"reflect <LISTNAME>" is used in the outbound ACL and "evaluate <LISTNAME>" is
used in the inbound ACL. But what happens if I want to control access from
local to dmz with reflexive lists? This time a connection from local to dmz
would be filtered by the inbound ACL, wouldn't it? And conversely, a connection
from dmz to local would be in the outbound ACL, right? And this way a reflexive
ACL on my Ethernet0 (local) interface won't work. Example:
ip access-list extended DMZ-IMZ
 evaluate REFLECTED-DMZ
 deny ip <dmz-net> any log
 permit ip any any
Above, I do not want anything from DMZ to local unless it was created as
part of a local->DMZ connection. Because I use NAT, all the traffic between
the local and ISP interfaces must be let through (permit ip any any).
ip access-list extended IMZ-DMZ
 permit icmp any <dmz-net> reflect REFLECTED-DMZ
 permit tcp any <dmz-net> reflect REFLECTED-DMZ
 permit udp any <dmz-net> reflect REFLECTED-DMZ
 remark ALL OTHER TRAFFIC
 permit ip any any
All outbound traffic is permitted, with a reflexive ACL opened toward the DMZ.
interface Ethernet0
 . . .
 ip access-group IMZ-DMZ in
 ip access-group DMZ-IMZ out
This configuration would never work because the packets from local to
dmz wouldn't be reflected; they would be permitted by the last rule, "permit ip
any any".
I know I can use ordinary access lists with "established", but after the
flexible IPFilter on BSD that sounds horrible.
Any ideas?
Daniel Mester.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
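One way to get reflexive filtering between local and dmz without touching the NAT-carrying Ethernet0 lists is to attach the reflect/evaluate pair to the DMZ interface instead, where it has the same orientation as the working local->ISP setup: local->DMZ packets leave the router through Ethernet1 (outbound, reflect) and DMZ->local packets enter through it (inbound, evaluate). The configuration below is an added example, not from the original post; the list names, the 192.168.1.0/24 (local) and 192.168.2.0/24 (dmz) addresses, the published web server 192.168.2.10 and the timeout value are assumptions made for illustration.

```cisco
! Added example, not part of the original post. Names, addresses and the
! timeout are assumed; adjust to the real local and dmz prefixes.
!
! Applied OUTBOUND on Ethernet1: packets leaving the router toward the DMZ,
! i.e. sessions initiated from local. Each permit with "reflect" creates a
! temporary mirror entry in REFLECTED-DMZ for the return traffic.
ip access-list extended TO-DMZ
 remark sessions started from local toward the DMZ are recorded
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect REFLECTED-DMZ
 permit udp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect REFLECTED-DMZ
 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect REFLECTED-DMZ
 remark a published service reachable from the ISP side (assumed web server)
 permit tcp any host 192.168.2.10 eq 80
 deny ip any any log
!
! Applied INBOUND on Ethernet1: packets arriving from the DMZ.
! "evaluate" is processed at its position in the list, so it must come
! before the deny that would otherwise drop the return traffic.
ip access-list extended FROM-DMZ
 remark return traffic of sessions started from local matches here
 evaluate REFLECTED-DMZ
 remark replies from the published web server to Internet clients
 permit tcp host 192.168.2.10 eq 80 any established
 remark anything the DMZ must initiate itself (DNS, updates) goes here
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 deny ip any any log
!
! Global idle timeout for the temporary entries (seconds, assumed value).
ip reflexive-list timeout 120
!
interface Ethernet1
 ip access-group TO-DMZ out
 ip access-group FROM-DMZ in
```

Because Ethernet1 only ever carries DMZ traffic, the NAT'd local<->ISP flows that forced "permit ip any any" onto the Ethernet0 lists never pass through these two lists, so both can end in an explicit deny and the DMZ gets nothing toward local that it did not receive a session for. Two caveats a practitioner should keep in mind: an entry in REFLECTED-DMZ is created only when the initiating packet matches a "permit ... reflect" line, so any permit placed above those lines (or a catch-all placed anywhere) silently bypasses the reflection; and reflexive lists track only the single five-tuple of the initiating packet, so protocols that open a second channel such as active-mode FTP need their own permit lines.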