Security – Reflexive ACLs

Today I have been going through some more of the INE Vol2 labs and thought I would do a quick post on reflexive ACLs.

Reflexive ACLs

Reflexive ACLs can be used as a basic kind of ‘stateful’ table on a device to allow return traffic back inbound for connections that were already established outbound.

The reflexive part of this feature only works for symmetric traffic flows, where the inbound return traffic mirrors the traffic that flowed outbound (same protocol, with addresses and ports reversed). This means it cannot be used for things like traceroute, VoIP (SIP) calls or active-mode FTP, where the return traffic does not match the outbound flow, so special consideration is needed for this kind of traffic.

Reflexive ACLs are configured as a pair and are usually applied to the same interface, one in the inbound direction and one in the outbound direction.

To configure reflexive ACLs we make use of a couple of new keywords (reflect and evaluate) when creating extended access lists. Below is a simple example of a reflexive ACL pair (inbound and outbound) –

R2#conf t
R2(config)#ip access-list extended OUTBOUND
R2(config-ext-nacl)#permit tcp any any reflect STATEFUL
R2(config-ext-nacl)#permit udp any any reflect STATEFUL
R2(config-ext-nacl)#permit icmp any any reflect STATEFUL
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#ip access-list extended INBOUND
R2(config-ext-nacl)#evaluate STATEFUL                       # used to insert the reflected rules
R2(config-ext-nacl)#permit icmp any any ttl-exceeded        # allows return traceroute traffic
R2(config-ext-nacl)#permit icmp any any port-unreachable    # allows return traceroute traffic
R2(config-ext-nacl)#deny ip any any log                     # logs any denied traffic
R2(config-ext-nacl)#exit
R2(config)#interface FastEthernet0/0
R2(config-if)#ip access-group OUTBOUND out
R2(config-if)#ip access-group INBOUND in

As we can see, the configuration is pretty simple. One important thing to remember, though, is to check that no traffic is being blocked that shouldn’t be (e.g. IGP traffic or non-standard traffic), so it is always important to know what traffic should be allowed through and to add explicit permit entries if needed. I have used an explicit deny at the end of the inbound ACL with the log option so that we can see any traffic that is being denied and add explicit permits where necessary.
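To make the mechanics of the pair above concrete, here is an added Python model (not IOS code and not from the original post): reflect creates a mirrored temporary entry with an idle timer, evaluate matches inbound traffic against the live entries, and the demo shows why the explicit ICMP permits are needed for traceroute. The addresses, ports and the 300 second idle timeout are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # unused for icmp
    dport: int = 0       # unused for icmp
    icmp_type: str = ""  # e.g. "echo-reply", "ttl-exceeded", "port-unreachable"

class ReflexiveAcl:   # the temporary STATEFUL list the router builds and consults
    def __init__(self, timeout=300):   # idle timeout in seconds (assumed IOS default)
        self.timeout, self.entries = timeout, {}   # entries: mirrored 5-tuple -> expiry
    def reflect(self, pkt, now):
        # Swap addresses and ports so the entry matches only the return flow.
        self.entries[(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)] = now + self.timeout
    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if self.entries.get(key, -1) < now:      # never reflected, or idle timer expired
            self.entries.pop(key, None)
            return False
        self.entries[key] = now + self.timeout   # a match restarts the idle timer
        return True

def outbound(acl, pkt, now):   # OUTBOUND: permit tcp/udp/icmp ... reflect STATEFUL, permit ip any any
    if pkt.proto in ("tcp", "udp", "icmp"):
        acl.reflect(pkt, now)
    return True

def inbound(acl, pkt, now):    # INBOUND: evaluate STATEFUL, traceroute ICMP permits, deny ip any any log
    if acl.evaluate(pkt, now):
        return True
    if pkt.proto == "icmp" and pkt.icmp_type in ("ttl-exceeded", "port-unreachable"):
        return True
    return False               # this is what 'deny ip any any log' would record

def demo():
    # Constructed addresses: 10.1.1.1 inside, 192.0.2.10 remote server, 203.0.113.1 a transit hop, 198.51.100.7 unsolicited.
    acl = ReflexiveAcl()
    outbound(acl, Packet("tcp", "10.1.1.1", "192.0.2.10", 40000, 80), now=0)
    outbound(acl, Packet("udp", "10.1.1.1", "192.0.2.10", 33434, 33435), now=0)  # traceroute probe
    hop_icmp = Packet("icmp", "203.0.113.1", "10.1.1.1", icmp_type="ttl-exceeded")
    return {
        "tcp_reply": inbound(acl, Packet("tcp", "192.0.2.10", "10.1.1.1", 80, 40000), now=1),
        "unsolicited_ssh": inbound(acl, Packet("tcp", "198.51.100.7", "10.1.1.1", 1234, 22), now=1),
        "hop_icmp_reflected": acl.evaluate(hop_icmp, now=1),  # mirrored UDP entry never fits ICMP from a hop
        "hop_icmp_inbound": inbound(acl, hop_icmp, now=1),    # only the explicit permit lets it through
        "tcp_reply_after_idle": inbound(acl, Packet("tcp", "192.0.2.10", "10.1.1.1", 80, 40000), now=400),
    }
```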

Once the ACLs have been applied you can check the counters just like any other ACL using the ‘show ip access-lists’ command. The only difference is that the output now also shows the dynamic reflected entries (with their remaining idle time) that the ‘evaluate’ statement will match against.

R2#sh ip access-lists 
Extended IP access list INBOUND
    10 evaluate STATEFUL
    20 permit icmp any any time-exceeded (3 matches)
    30 permit icmp any any port-unreachable (2 matches)
    40 deny ip any any log
Reflexive IP access list STATEFUL
     permit icmp host host  (10 matches) (time left 297)
Extended IP access list OUTBOUND
    10 permit tcp any any reflect STATEFUL (12 matches)
    20 permit udp any any reflect STATEFUL
    30 permit icmp any any reflect STATEFUL (10 matches)
    40 permit ip any any (11 matches)