The key to making this work (reflexive ACLs on a router with more than 2 interfaces) is that:
- Every interface has a static outbound ACL that creates a reflexive ACL.
- Every interface has a static ACL for inbound traffic that includes (via evaluate) the reflexive ACL created by that interface's outbound ACL.
So for your scenario where you have three interfaces: local (192.168.1.1/24), DMZ (192.168.2.1/24), and ISP (1.1.1.1/30):
----- start snippet -----
! ---------------------------
! Access lists & reflexive access lists.
! - Apply an outbound ACL that defines reflexive ACLs
! for all traffic. Use one reflexive ACL for connection-oriented, one for
! connectionless; so that we can specify different timeouts.
! - Apply an inbound ACL that limits inbound traffic to only that
! which is allowed to *originate* sessions or connectionless queries.
! End with a reference to the reflexive ACL created by outbound
! traffic.
! Applying this pair of ACLs to all interfaces means that you are
! allowing all of the inbound sessions & connectionless queries that
! you specifically want, plus are allowing replies to all sessions &
! connectionless queries that went out this interface previously.
!
! Also allows all traffic originating on the router/firewall to go out,
! and replies to that traffic allowed back in (via reflexive ACLs).
! ---------------------------
!
! default reflexive ACL settings; set stateful timeout to 60 mins
ip reflexive-list timeout 3600
!
!! Local (internal) Networks: Outgoing ACL that creates reflexive ACL for
!! inbound traffic.
ip access-list extended local-out
!
! connectionless traffic; add lines for each connectionless protocol that
! you deal with and want a timeout separate from session oriented traffic;
! 5 min timeout
permit icmp any any reflect local-in-rflx-connectionless timeout 300
permit udp any any reflect local-in-rflx-connectionless timeout 300
! session traffic; everything else; 60 min timeout
permit ip any any reflect local-in-rflx-connection timeout 3600
!
!! Local (internal) Networks: Incoming ACL, including check against
!! reflexive ACL
ip access-list extended local-in
!
! evaluate the reflexive ACLs created for traffic outbound from interface
evaluate local-in-rflx-connectionless
evaluate local-in-rflx-connection
!
! allow internal users out for 'web' traffic
permit tcp 192.168.1.0 0.0.0.255 any eq 80
permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
deny ip any any
!
!
!! DMZ: Outgoing ACL that creates reflexive ACL for inbound traffic.
ip access-list extended dmz-out
!
! connectionless traffic; add lines for each connectionless protocol that
! you deal with and want a timeout separate from session oriented traffic;
! 5 min timeout
permit icmp any any reflect dmz-in-rflx-connectionless timeout 300
permit udp any any reflect dmz-in-rflx-connectionless timeout 300
! session traffic; everything else; 60 min timeout
permit ip any any reflect dmz-in-rflx-connection timeout 3600
!
!! DMZ: Incoming ACL, including check against reflexive ACL
ip access-list extended dmz-in
!
! evaluate the reflexive ACLs created for traffic outbound from interface
evaluate dmz-in-rflx-connectionless
evaluate dmz-in-rflx-connection
!
! generally speaking, don't allow anything to be initiated from the DMZ
! without good reason
!
deny ip any any
!
!! ISP: Outgoing ACL that creates reflexive ACL for inbound traffic.
ip access-list extended isp-out
!
! connectionless traffic; add lines for each connectionless protocol that
! you deal with and want a timeout separate from session oriented traffic;
! 5 min timeout
permit icmp any any reflect isp-in-rflx-connectionless timeout 300
permit udp any any reflect isp-in-rflx-connectionless timeout 300
! session traffic; everything else; 60 min timeout
permit ip any any reflect isp-in-rflx-connection timeout 3600
!
!! ISP: Incoming ACL, including check against reflexive ACL
ip access-list extended isp-in
!
! evaluate the reflexive ACLs created for traffic outbound from interface
evaluate isp-in-rflx-connectionless
evaluate isp-in-rflx-connection
!
! allow the Internet to get to specific hosts on your DMZ on specific ports
permit tcp any host 192.168.2.20 eq 80
permit tcp any host 192.168.2.20 eq 443
!
deny ip any any
!
!! Interface configuration
!
int E0
desc Local (internal) networks
ip address 192.168.1.1 255.255.255.0
ip access-group local-in in
ip access-group local-out out
!
int E1
desc DMZ
ip address 192.168.2.1 255.255.255.0
ip access-group dmz-in in
ip access-group dmz-out out
!
int S0
desc ISP
ip address 1.1.1.1 255.255.255.252
ip access-group isp-in in
ip access-group isp-out out
----- end snippet -----
The config snippet is relevant only to reflexive ACLs. I left out lines you'd want to include in a real-world environment, such as anti-spoofing/land-attack lines, extra ACL lines to make sure your DMZ is isolated where necessary, etc. in the ACLs; disabling transport inputs on VTYs, SNMP config, etc.
So, some sample traffic...
192.168.1.50 (internal user) initiates HTTP to 192.168.2.20 (DMZ web server):
1) 192.168.1.50 -> 192.168.2.20 allowed by local-in on interface E0 (local)
2) 192.168.1.50 -> 192.168.2.20 allowed by dmz-out on interface E1 (DMZ). Line added to reflexive ACL dmz-out-connection.
3) 192.168.1.50 <- 192.168.2.20 allowed by dmz-in on interface E1 (DMZ) by virtue of referenced reflexive ACL dmz-out-connection.
4) 192.168.1.50 <- 192.168.2.20 allowed by local-out on interface E0 (local). Line added to reflexive ACL local-out-connection.
5) ... and so on ... Note that the reflexive ACL does not continue to grow on each subsequent exchange, as the router is smart enough to not add a line that already exists; the expiration time (current time + timeout) is updated instead. And yes, you do end up with a line in the local-out-connection reflexive ACL that is somewhat extraneous; this is a trade-off, and at least traffic for already existing conversations (I'm avoiding the word session since this is for session and connection-oriented traffic) is accepted immediately (at the top of the local-in ACL) when the reflexive ACL is evaluated, instead of having to go through the rest of the ACL to match on the line that allowed the initial packet that started the conversation.
5.5.5.5 (Internet user) initiates HTTP to 192.168.2.20 (DMZ web server):
1) 5.5.5.5 -> 192.168.2.20 allowed by isp-in on interface S0 (ISP)
2) 5.5.5.5 -> 192.168.2.20 allowed by dmz-out on interface E1 (DMZ). Line added to reflexive ACL dmz-out-connection.
3) 5.5.5.5 <- 192.168.2.20 allowed by dmz-in on interface E1 (DMZ) by virtue of referenced reflexive ACL dmz-out-connection.
4) 5.5.5.5 <- 192.168.2.20 allowed by isp-out on interface S0 (ISP). Line added to reflexive ACL isp-out-connection.
5) ... and so on ...
User consoled on the firewall runs ping tests to 192.168.1.50 (internal user):
1) 192.168.1.1 -> 192.168.1.50 allowed by local-out on interface E0 (local). Line added to reflexive ACL local-in-connectionless.
2) 192.168.1.1 <- 192.168.1.50 allowed by local-in on interface E0 (local) by virtue of referenced reflexive ACL local-out-connectionless.
Make sense?
Greg S.
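To make the sample traffic above concrete, here is a small Python model of the reflexive ACL mechanics as described in this post: a "reflect" line on an outbound ACL records the mirror of the matching packet, an "evaluate" line on the inbound ACL of the same interface consults that record, and re-matching traffic refreshes an entry's expiry rather than duplicating it. This is an added example, not code from the original post and not Cisco's implementation; it encodes the six ACLs and three interfaces from the snippet as data, writes "host X" as X/32, ignores IOS details such as TCP state and ICMP type/code tracking, and the source ports, timestamps and 5.5.5.5 traffic are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    """Static line: <action> <proto> <src> <dst> [eq <dport>] [reflect <name> [timeout <s>]]."""
    action: str
    proto: str                      # "ip" matches every protocol
    src: str                        # "any" or CIDR ("host X" written as X/32)
    dst: str
    dport: Optional[int] = None
    reflect: Optional[str] = None   # reflexive ACL this line populates
    timeout: Optional[int] = None   # None -> global 'ip reflexive-list timeout'


@dataclass(frozen=True)
class Evaluate:
    """An 'evaluate <name>' line: consult the named reflexive ACL at this point."""
    name: str


Line = Union[Entry, Evaluate]


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class Router:
    def __init__(self, default_timeout: int = 3600):
        self.default_timeout = default_timeout  # ip reflexive-list timeout 3600
        self.acls = {}       # acl name -> list of Line
        self.bindings = {}   # interface -> {"in": acl name, "out": acl name}
        self.reflexive = {}  # reflexive ACL name -> {5-tuple: expiry time}

    def bind(self, iface: str, inbound: str, outbound: str) -> None:
        self.bindings[iface] = {"in": inbound, "out": outbound}

    def _apply(self, acl: str, pkt: Packet, now: int):
        for line in self.acls[acl]:
            if isinstance(line, Evaluate):
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                if self.reflexive.get(line.name, {}).get(key, -1) > now:
                    return True, f"{acl}: permitted by reflexive ACL {line.name}"
                continue  # no live entry: fall through to the static lines
            if line.proto not in ("ip", pkt.proto):
                continue
            if not (_in_net(pkt.src, line.src) and _in_net(pkt.dst, line.dst)):
                continue
            if line.dport is not None and line.dport != pkt.dport:
                continue
            if line.action == "permit" and line.reflect:
                # The mirror of this packet is exactly what its reply looks like; writing the
                # same key again refreshes the expiry instead of adding a duplicate line.
                mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                ttl = self.default_timeout if line.timeout is None else line.timeout
                self.reflexive.setdefault(line.reflect, {})[mirror] = now + ttl
                return True, f"{acl}: permitted, entry added/refreshed in {line.reflect}"
            return line.action == "permit", f"{acl}: {line.action}"
        return False, f"{acl}: implicit deny"

    def forward(self, pkt: Packet, ingress: Optional[str], egress: Optional[str], now: int = 0):
        """Inbound ACL of `ingress`, then outbound ACL of `egress`; None = the router itself."""
        trace = []
        for iface, direction in ((ingress, "in"), (egress, "out")):
            if iface is None:
                continue
            ok, why = self._apply(self.bindings[iface][direction], pkt, now)
            trace.append(f"{iface} {direction}: {why}")
            if not ok:
                return False, trace
        return True, trace


def build_router() -> Router:
    """The six ACLs and three interfaces from the snippet, as data."""
    r = Router(default_timeout=3600)

    def out_acl(p):  # connectionless 5 min, everything else 60 min
        return [Entry("permit", "icmp", "any", "any", reflect=f"{p}-in-rflx-connectionless", timeout=300),
                Entry("permit", "udp", "any", "any", reflect=f"{p}-in-rflx-connectionless", timeout=300),
                Entry("permit", "ip", "any", "any", reflect=f"{p}-in-rflx-connection", timeout=3600)]

    def in_acl(p, allowed):  # evaluate first, then what may originate here, then deny
        return [Evaluate(f"{p}-in-rflx-connectionless"), Evaluate(f"{p}-in-rflx-connection"),
                *allowed, Entry("deny", "ip", "any", "any")]

    r.acls["local-out"] = out_acl("local")
    r.acls["local-in"] = in_acl("local", [Entry("permit", "tcp", "192.168.1.0/24", "any", dport=80),
                                          Entry("permit", "tcp", "192.168.1.0/24", "any", dport=443)])
    r.acls["dmz-out"], r.acls["dmz-in"] = out_acl("dmz"), in_acl("dmz", [])
    r.acls["isp-out"] = out_acl("isp")
    r.acls["isp-in"] = in_acl("isp", [Entry("permit", "tcp", "any", "192.168.2.20/32", dport=80),
                                      Entry("permit", "tcp", "any", "192.168.2.20/32", dport=443)])
    r.bind("E0", "local-in", "local-out")
    r.bind("E1", "dmz-in", "dmz-out")
    r.bind("S0", "isp-in", "isp-out")
    return r


def walkthrough():
    """Replays the post's sample traffic (ports and timestamps are constructed)."""
    r = build_router()
    res = {}
    syn = Packet("tcp", "192.168.1.50", "192.168.2.20", 40000, 80)
    reply = Packet("tcp", "192.168.2.20", "192.168.1.50", 80, 40000)
    res["local->dmz http"] = r.forward(syn, "E0", "E1", now=0)
    res["dmz->local reply"] = r.forward(reply, "E1", "E0", now=1)
    res["local->dmz http again"] = r.forward(syn, "E0", "E1", now=2)  # hits the evaluate at the top
    res["dmz->local unsolicited"] = r.forward(Packet("tcp", "192.168.2.20", "192.168.1.50", 40001, 22), "E1", "E0", now=3)
    res["internet->dmz http"] = r.forward(Packet("tcp", "5.5.5.5", "192.168.2.20", 51000, 80), "S0", "E1", now=10)
    res["internet->dmz ssh"] = r.forward(Packet("tcp", "5.5.5.5", "192.168.2.20", 51001, 22), "S0", "E1", now=11)
    res["router ping out"] = r.forward(Packet("icmp", "192.168.1.1", "192.168.1.50"), None, "E0", now=20)
    res["ping reply in"] = r.forward(Packet("icmp", "192.168.1.50", "192.168.1.1"), "E0", None, now=21)
    res["dmz->local reply after expiry"] = r.forward(reply, "E1", "E0", now=5000)
    return res, r.reflexive


if __name__ == "__main__":
    for name, (ok, trace) in walkthrough()[0].items():
        print(f"{name:30s} {'PERMIT' if ok else 'DENY':6s} {' | '.join(trace)}")
```

Running it prints one line per packet with the ACL that decided it, in the same order as the walkthrough above. The third packet shows the trade-off from step 5: the repeated client packet is accepted by the evaluate line at the top of local-in (from the "extraneous" entry local-out created for the reply) rather than by the port-80 permit further down, and the final packet shows a reply being dropped once its reflexive entry has timed out.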
-----Original Message-----
From: Daniel Mester [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 8:17 AM
To: [EMAIL PROTECTED]
Subject: Reflexive access lists
Hi all,
I found it pretty weird - but reflexive access lists on Cisco (12.1) work
only for the outbound access-list. I have a Cisco with 3 interfaces - local
(Ethernet 0), dmz (Ethernet 1), isp (Serial 0). I use reflexive access lists
for my outbound connections from local to ISP - it works fine because
"reflect <LISTNAME>" is used for the outbound acl and "evaluate <LISTNAME>" is
used for the inbound acl. But what happens if I want to control access from local to dmz with reflexive
lists? This time the connection from local to dmz will
be filtered by the inbound acl, wouldn't it? And the other way round, a connection from dmz to
local would be in the outbound acl, right? And this way the reflexive acl on my
Ethernet0 (local) interface won't work. Example:
ip access-list extended DMZ-IMZ
evaluate REFLECTED-DMZ
deny ip <dmz-net> any log
permit ip any any
Above, I do not want anything from DMZ to local if it hasn't been created as
part of local->DMZ connection. Because i use NAT all the traffic between
local and ISP interfaces must go on (permit ip any any).
ip access-list extended IMZ-DMZ
permit icmp any <dmz-net> reflect REFLECTED-DMZ
permit tcp any <dmz-net> reflect REFLECTED-DMZ
permit udp any <dmz-net> reflect REFLECTED-DMZ
remark ALL OTHER TRAFFIC
permit ip any any
All the outbound traffic permitted with opening reflexive acl to DMZ.
Interface ethernet 0
. . .
ip access-group IMZ-DMZ in
ip access-group DMZ-IMZ out
This configuration would never work because all the packets from local to
dmz wouldn't be reflected - they would be permitted by the last rule - "permit ip
any any".
I know I can put usual access lists with "established" - but after the flexible
IPFilter on BSD it sounds horrible.
Any ideas?
Daniel Mester.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
