Reflexive access lists

Introduction to this web page

This page contains sample extended named access lists set up to do reflexive filtering, which is the Cisco version of stateful packet filtering. Reflexive access lists can only be used on top of extended named access lists. This sample set also uses "remark" as a way of adding comments to the lists.

This list isn't really complete, as it doesn't allow any routing protocol into either interface. It also doesn't have any information about other configuration settings of the router.

It isn't a script as such, because it also shows the relevant prompt.

The list is based on the following network arrangement :-


Reflexive access lists

The essence of a reflexive access list is that when a packet is sent out from the secure subnet to the outside world, a record of that packet is made in the reflexive access list. This record is dynamic: it only lives for a short time, and is then deleted.

When an incoming packet arrives at the router, its source address, destination address, port numbers and protocol are compared to the records in the reflexive access list. If the incoming packet is found to be part of a connection already set up, it is allowed through the router and into the secure subnet.

The reflexive access list is initially set up by a command line of the form

     permit protocol any any reflect name 

inserted into an extended named access list which examines packets leaving our secure subnet. Initially the reflexive access list is empty.

There is also a line of the form

     evaluate name 

inserted into another extended named access list, which is attached to an interface so that all packets coming into the secure subnet are applied to this access list.

When a packet arrives from the secure subnet heading for the outside world, and it matches the specification within the "permit ... reflect" command line, a record is made of the packet, and the packet is passed on through the access list, and out to the outside world.

But this rule stops us doing any other form of filtering on this packet. Access list entries are applied in order, and once a packet has matched the "permit ... reflect" entry and been passed on, no subsequent "permit" or "deny" entries in the extended named access list are applied to it.

So we can't do any port blocking through this extended named access list. If the "permit ... reflect" rule is before the port blocking rules, then all packets with the correct protocol will be passed on before the port blocking rules ever get to see them.

And if we put the port blocking rules before the rule containing the reflect keyword, then the outgoing packets with the allowed ports will be matched and passed on by the port rules before the reflexive rule sees them. The only packets that the reflexive rule will see are packets whose ports have not been permitted by the port rules, which are exactly the ports we are trying to block, and the reflexive rule will pass them.

It is a pity that Cisco doesn't seem to allow the same kind of layering that iptables in Linux allows. With iptables, rule sets can be bundled in layers, so that packets are passed through layers of sets of rules. Each set of rules can do a completely different kind of filtering from the next layer, so with iptables we can have a port filtering set of rules followed by a stateful packet filtering set of rules.

But back to Cisco. There is a workaround: we can apply two access lists to each interface, one for inbound and one for outbound. So we can have two access lists on one interface that do port filtering or address filtering, and another two access lists on the other interface that do the reflexive packet filtering.

We can do this with our network configuration, as there are only two interfaces on the router. If there are three or more interfaces on a router, then this technique may not be usable.

So we are going to use the following setup :-

Access list "e0-out" is used to set up the reflexive access lists. In this case we are going to set up three reflexive access lists, one each for TCP, UDP and ICMP.

Access list "e0-in" is used to compare the incoming packets to the reflexive access-list entries.

Access list "e1-in" is used to do port blocking and spoofed IP address blocking on the packets coming from the secure subnet.

Access list "e1-out" is used to do port blocking on packets coming in from the outside world. It is questionable whether there is any need for this list.
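To make the mechanism concrete before the configuration itself, here is a small Python model of the reflect/evaluate behaviour and of the e0-in ordering (address denies first, then "evaluate"). It is an added illustration, not the page's configuration or any Cisco code; the 12x.34.56.0 placeholder is taken from the page, the outside address 203.0.113.5 is constructed, and ICMP (which IOS handles specially) is not modelled.

```python
# Model of reflexive access lists: the outbound "permit ... reflect" entry records the
# mirror image of each flow; the inbound "evaluate" entry admits only packets matching
# a live record.  Added illustration, not IOS code; ICMP is not modelled.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveList:
    """One named reflexive list (e.g. reflex-tcp) with a per-entry timeout."""
    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self.entries: dict = {}   # (proto, src, sport, dst, dport) -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # Record the reverse of the outbound packet: the form its reply will take.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)     # aged-out entries are discarded
            return False
        return True

SECURE_NET = "12x.34.56."                         # placeholder, as on the page
BOGONS = ("127.", "10.", "192.168.", SECURE_NET)  # a few of the e0-in deny entries

def e0_in_permits(pkt: Packet, reflex: ReflexiveList, now: int) -> bool:
    """e0-in: address denies first, then 'evaluate'; no record means implicit deny."""
    if any(pkt.src.startswith(p) for p in BOGONS):
        return False
    return reflex.evaluate(pkt, now)

def demo() -> dict:
    """One HTTP flow out and its reply back, plus an unsolicited inbound probe."""
    reflex = ReflexiveList(timeout=120)
    out = Packet("tcp", SECURE_NET + "10", 40000, "203.0.113.5", 80)  # constructed
    reflex.reflect(out, now=0)          # e0-out: permit tcp any any reflect ...
    reply = Packet("tcp", "203.0.113.5", 80, SECURE_NET + "10", 40000)
    probe = Packet("tcp", "203.0.113.5", 4444, SECURE_NET + "10", 23)
    return {"reply": e0_in_permits(reply, reflex, 10),
            "probe": e0_in_permits(probe, reflex, 10),
            "late_reply": e0_in_permits(reply, reflex, 121)}
```

Running demo() shows the reply admitted, the probe to port 23 refused because no record exists for it, and the same reply refused once the 120 second timeout has passed.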


Configuring the access lists



router>                         enable
router#                         config t
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list e0-out
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e0-out
!
!
router(config-ext-nacl)#    remark **This list is for packets originating on the secure
router(config-ext-nacl)#    remark   subnet, heading for the outside world.**
!
router(config-ext-nacl)#    remark **This list is used to set up the reflexive 
router(config-ext-nacl)#    remark   access lists.**
!
router(config-ext-nacl)#        permit tcp any any reflect reflex-tcp timeout 120
router(config-ext-nacl)#        permit udp any any reflect reflex-udp timeout 120
router(config-ext-nacl)#        permit icmp any any reflect reflex-icmp timeout 120
!
!
router(config-ext-nacl)#        exit
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list e0-in
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e0-in
!
!
router(config-ext-nacl)#    remark **This list is for packets originating in the 
router(config-ext-nacl)#    remark   outside world, and are heading for the secure
router(config-ext-nacl)#    remark   subnet.**
!
router(config-ext-nacl)#    remark **This list is used to block packets with source 
router(config-ext-nacl)#    remark   addresses that should not exist on the open 
router(config-ext-nacl)#    remark   internet.**
!
!
router(config-ext-nacl)#    remark **This is the loopback address**
!
router(config-ext-nacl)#        deny ip 127.0.0.0 0.255.255.255 any
!
!
router(config-ext-nacl)#    remark **This is sometimes used to mean "this" host**
!
router(config-ext-nacl)#        deny ip 0.0.0.0 0.0.0.0 any
!
!
router(config-ext-nacl)#    remark **These are the IP addresses reserved by IANA**
!
router(config-ext-nacl)#        deny ip 10.0.0.0 0.255.255.255 any
router(config-ext-nacl)#        deny ip 172.16.0.0 0.15.255.255 any
router(config-ext-nacl)#        deny ip 192.0.2.0 0.0.0.255 any
router(config-ext-nacl)#        deny ip 192.168.0.0 0.0.255.255 any
router(config-ext-nacl)#        deny ip 240.0.0.0 15.255.255.255 any
router(config-ext-nacl)#        deny ip 224.0.0.0 15.255.255.255 any
!
router(config-ext-nacl)#    remark **This is our own secure subnet address**
!
router(config-ext-nacl)#        deny ip 12x.34.56.0 0.0.0.255 any
!
router(config-ext-nacl)#    remark **This is the network address of the network backbone,
router(config-ext-nacl)#    remark   and there are no hosts on this backbone, only routers**
!
router(config-ext-nacl)#        deny  tcp 12x.34.0.0 0.0.0.255 any
router(config-ext-nacl)#        deny  udp 12x.34.0.0 0.0.0.255 any
!
!
router(config-ext-nacl)#    remark **These entries do the comparisons with the
router(config-ext-nacl)#    remark   reflexive access lists, and so only allow
router(config-ext-nacl)#    remark   packets that are part of connections already
router(config-ext-nacl)#    remark   set up.**
!
router(config-ext-nacl)#        evaluate reflex-tcp
router(config-ext-nacl)#        evaluate reflex-udp
router(config-ext-nacl)#        evaluate reflex-icmp
!
!
router(config-ext-nacl)#        exit
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list e1-in
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e1-in
!
!
router(config-ext-nacl)#    remark **This list permits outgoing packets with 
router(config-ext-nacl)#    remark   specific port numbers, which are coming
router(config-ext-nacl)#    remark   from the secure subnet, heading for the 
router(config-ext-nacl)#    remark   outside world.**
!
!
router(config-ext-nacl)#    remark **Because the source address is specified for  
router(config-ext-nacl)#    remark   every entry, packets with spoofed ip addresses
router(config-ext-nacl)#    remark   outside the secure subnet address range will
router(config-ext-nacl)#    remark   be blocked.**
!
!
router(config-ext-nacl)#    remark **Telnet**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 23
!
router(config-ext-nacl)#    remark **DNS**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 53
!
router(config-ext-nacl)#    remark **HTTP**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 80
!
router(config-ext-nacl)#    remark **IMAP**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 143
!
router(config-ext-nacl)#    remark **HTTPS**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 443
!
router(config-ext-nacl)#    remark **HP printers**
!
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 69
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 161
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 162
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any range 9100 9102
!
router(config-ext-nacl)#    remark **HP web admin**
!
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 8000
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 8000
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 any eq 8443
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 any eq 8443
!
!
router(config-ext-nacl)#    remark **These two sections allow NetBIOS only to
router(config-ext-nacl)#    remark   the two servers "Humpty" and "Dumpty" 
router(config-ext-nacl)#    remark   from any pc on the 12x.34.56.0 subnet**
!
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 139
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 139
!
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)#        permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 139
router(config-ext-nacl)#        permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 139
!
router(config-ext-nacl)#    remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)#    remark **Allow Echo request packets**
!
router(config-ext-nacl)#        permit icmp 12x.34.56.0 0.0.0.255 any echo
!
!
router(config-ext-nacl)#        exit
!
!
!
router(config)#             ! Remove the previous version of the access list
!
router(config)#                 no ip access-list e1-out
!
router(config)#             ! Set up the new version of the access list
!
router(config)#                 ip access-list extended e1-out
!
!
router(config-ext-nacl)#    remark **This list does port blocking on the packets
router(config-ext-nacl)#    remark   coming from the outside world into the secure
router(config-ext-nacl)#    remark   subnet. These packets have already been
router(config-ext-nacl)#    remark   filtered by the reflexive access lists, so
router(config-ext-nacl)#    remark   maybe this is paranoia.**
!
!
router(config-ext-nacl)#    remark **Telnet**
!
router(config-ext-nacl)#        permit tcp any eq 23 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **DNS**
!
router(config-ext-nacl)#        permit tcp any eq 53 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HTTP**
!
router(config-ext-nacl)#        permit tcp any eq 80 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **IMAP**
!
router(config-ext-nacl)#        permit tcp any eq 143 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HTTPS**
!
router(config-ext-nacl)#        permit tcp any eq 443 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HP printers**
!
router(config-ext-nacl)#        permit udp any eq 69 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 161 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 162 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any range 9100 9102 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **HP web admin**
!
router(config-ext-nacl)#        permit tcp any eq 8000 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 8000 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp any eq 8443 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp any eq 8443 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#    remark **These two sections allow NetBIOS only from
router(config-ext-nacl)#    remark   the two servers "Humpty" and "Dumpty" 
router(config-ext-nacl)#    remark   to any pc on the 12x.34.56.0 subnet**
!
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.80 eq 139 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.80 eq 139 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 137 12x.34.56.0 0.0.0.255 
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit udp host 12x.34.50.85 eq 139 12x.34.56.0 0.0.0.255
router(config-ext-nacl)#        permit tcp host 12x.34.50.85 eq 139 12x.34.56.0 0.0.0.255
!
!
router(config-ext-nacl)#    remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)#    remark **Allow Echo Reply packets**
!
router(config-ext-nacl)#        permit icmp any 12x.34.56.0 0.0.0.255 echo-reply
!
!
router(config-ext-nacl)#        exit
!
!
!
router(config)#             ! Configure the two interfaces, and associate the
router(config)#             ! access lists with them
!
router(config)#                 interface ethernet 0
!
router(config-if)#              ip address 12x.34.0.35 255.255.255.0
router(config-if)#              ip access-group e0-in in
router(config-if)#              ip access-group e0-out out
router(config-if)#              no shutdown
!
router(config-if)#              exit
!
!
router(config)#                 interface ethernet 1
!
router(config-if)#              ip address 12x.34.56.1 255.255.255.0
router(config-if)#              ip access-group e1-in in
router(config-if)#              ip access-group e1-out out
router(config-if)#              no shutdown
!
router(config-if)#              exit
!
router(config)#                 exit
router#                         disable
router>



© 2005 Ron Turner
