PG1X WIKI


Cisco: Reflexive ACL

Tasks

  1. ACL established: ICMP ping
  2. ACL established: UDP: nc
  3. ACL established: TCP: Passive
  4. ACL established: TCP: Active
  5. Reflexive ACL: ICMP ping
  6. Reflexive ACL: UDP: nc
  7. Reflexive ACL: TCP: Passive
  8. Reflexive ACL: TCP: Active

Topology Reflexive ACL ac6665a0-c406-4f46-8b30-b205290aedb7

network-security.acl.reflexive-acl.2rt.2sw.4node.1ext-conn.static.ac6665a0

- Topology Description: Reflexive ACL
- Topology ID: ac6665a0-c406-4f46-8b30-b205290aedb7
- Design and Technology:
  - Reflexive ACL
  - Routing Protocol
    - static
  - 2 routers
  - 4 servers
- Remarks: N/A

### Links

Cisco: Reflexive ACL [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:reflexive-acl:reflexive-acl

Base Configuration

Common Configuration Snippet

trex-0

trex-1

ubuntu-0

ubuntu-1

R1

R2

Configure Reflexive ACL a4a53d6b-8132-467b-997a-1845e7a6c5a4

  • R1 ICMP and Reflexive ACL (TCP)
configure terminal
!
ip access-list extended ACL_OUTBOUND
 permit icmp any any
 permit tcp any any reflect REFLECT_TCP timeout 120
!
ip access-list extended ACL_INBOUND
 permit icmp any any
 evaluate REFLECT_TCP
!
interface GigabitEthernet 0/1
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end
  • R1 Reflexive ACL (ICMP, TCP, UDP)
configure terminal
!
ip access-list extended ACL_OUTBOUND
 permit icmp any any reflect REFLECT_ICMP timeout 60
 permit tcp any any reflect REFLECT_TCP timeout 120
 permit udp any any reflect REFLECT_UDP timeout 120
!
ip access-list extended ACL_INBOUND
 evaluate REFLECT_ICMP
 evaluate REFLECT_TCP
 evaluate REFLECT_UDP
!
interface GigabitEthernet 0/1
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end
  • R1 ACL TCP established
configure terminal
!
ip access-list extended ACL_OUTBOUND
 permit tcp any any
!
ip access-list extended ACL_INBOUND
 permit tcp any any established
!
interface GigabitEthernet 0/1
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end
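The three configurations above differ in what the inbound ACL knows about return traffic. `permit tcp any any established` is stateless: it passes any TCP segment with ACK or RST set, regardless of whether the inside host ever opened that session, and it can never match the UDP or ICMP replies the ping and nc tasks generate. A `reflect` entry instead records the mirror image of each outbound packet's addresses and ports, and `evaluate` admits only inbound packets that match an unexpired mirror entry. Neither looks into application payloads, so an FTP data connection that the outside server opens (active mode, source port 20 to the port announced in PORT) matches nothing on the inbound side. The following Python model, added here as an example and not code from this page or from Cisco IOS, replays constructed packets for the lab's eight tasks plus two extra cases (an unsolicited segment with ACK set, and a UDP answer arriving after the idle timeout) through both filters. Addresses are the lab's 10.1.1.253 (inside) and 198.51.100.251 (outside); the ICMP mirror entry is modelled on addresses only, which is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0                  # unused for ICMP
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN", "ACK"})


def tcp_established(pkt: Packet) -> bool:
    """'permit tcp any any established': stateless. Matches any TCP segment with
    ACK or RST set, remembers nothing about outbound traffic, never matches UDP/ICMP."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveACL:
    """Temporary entries created by 'permit <proto> any any reflect NAME timeout N'
    on the outbound ACL and consulted by 'evaluate NAME' on the inbound ACL."""

    def __init__(self, timeout: int):
        self.timeout = timeout          # idle timeout in seconds
        self.entries: dict = {}         # mirrored tuple -> expiry time

    @staticmethod
    def _key(proto, src, dst, sport, dport):
        # ICMP carries no ports; the mirrored entry is modelled on addresses only
        # (assumption made for this example, not a statement about IOS internals)
        return (proto, src, dst) if proto == "icmp" else (proto, src, dst, sport, dport)

    def reflect(self, pkt: Packet, now: float) -> None:
        """Outbound packet matched a 'reflect' entry: store the mirror image of its tuple."""
        key = self._key(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """Inbound packet is permitted only if it matches an unexpired mirrored entry."""
        key = self._key(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expires = self.entries.get(key)
        if expires is None or now > expires:
            self.entries.pop(key, None)
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self.entries.pop(key)       # session closing; modelled as removed at once
        else:
            self.entries[key] = now + self.timeout  # traffic resets the idle timer
        return True


INSIDE, OUTSIDE = "10.1.1.253", "198.51.100.251"   # ubuntu-1 and ubuntu-0 in the lab


def run_lab_cases() -> dict:
    """Replay constructed packets for each lab task through both filters.
    Returns {case name: (permitted by 'established', permitted by reflexive ACL)}."""
    acl = ReflexiveACL(timeout=120)
    results = {}

    def case(name, outbound, inbound, t_out=0.0, t_in=1.0):
        if outbound is not None:
            acl.reflect(outbound, t_out)
        results[name] = (tcp_established(inbound), acl.evaluate(inbound, t_in))

    # tasks 1/5: ping from inside, echo reply comes back
    case("icmp ping", Packet("icmp", INSIDE, OUTSIDE), Packet("icmp", OUTSIDE, INSIDE))
    # tasks 2/6: nc -u to port 33333, server answers from 33333
    case("udp nc", Packet("udp", INSIDE, OUTSIDE, 40000, 33333),
         Packet("udp", OUTSIDE, INSIDE, 33333, 40000))
    # tasks 3/7: passive FTP, client opens the data connection to 39880 (from the 227 reply)
    case("tcp passive ftp", Packet("tcp", INSIDE, OUTSIDE, 45000, 39880, frozenset({"SYN"})),
         Packet("tcp", OUTSIDE, INSIDE, 39880, 45000, frozenset({"SYN", "ACK"})))
    # tasks 4/8: active FTP, server opens the data connection from port 20 to 57043 (from PORT)
    case("tcp active ftp", None, Packet("tcp", OUTSIDE, INSIDE, 20, 57043, frozenset({"SYN"})))
    # unsolicited inbound segment with ACK set (what an ACK scan sends)
    case("forged ack", None, Packet("tcp", OUTSIDE, INSIDE, 1337, 22, frozenset({"ACK"})))
    # UDP answer arriving after the 120 s idle timeout has expired
    case("udp after timeout", Packet("udp", INSIDE, OUTSIDE, 40001, 33333),
         Packet("udp", OUTSIDE, INSIDE, 33333, 40001), t_out=0.0, t_in=121.0)
    return results


if __name__ == "__main__":
    for name, (est, refl) in run_lab_cases().items():
        print(f"{name:20} established={est!s:5} reflexive={refl}")
```

The two results worth noting are "forged ack" (passed by `established`, dropped by the reflexive ACL, because the ACK bit is under the sender's control while a mirror entry is not) and "tcp active ftp" (dropped by both, since the server-initiated data connection is neither an ACK-bearing segment nor the mirror of anything the inside host sent).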

Verification

Wireshark Display Filter

icmp
udp
tcp
  • ubuntu-0
ssh ubuntu@198.51.100.251
nc 198.51.100.251 33333
ping 198.51.100.251
# UDP client
nc -u 198.51.100.251 33333
# echo request sourced from a secondary address so the reply returns by a different path
ping -I 10.0.255.31 198.51.100.251
ftp 198.51.100.251
passive
passive off
  • ubuntu-1
nc -l 33333
ping 10.1.1.253
ping -I 198.51.100.251 10.1.1.253
# wrong: -sa is the source-address option of YAMAHA RTX ping, not Linux ping (use -I)
ping -sa 198.51.100.251 10.1.1.253
# UDP server
nc -lu 33333
# echo request sourced from a secondary address so the reply returns by a different path
ping -I 10.0.255.32 10.1.1.253
sudo tcpdump -i enp0s2

FTP passive mode

PASV\r\n
227 Entering Passive Mode (198,51,100,251,155,200).\r\n
155 * 256 + 200 = 39880

FTP active mode

PORT 10,1,1,253,222,211\r\n
222 * 256 + 211 = 57043
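The two FTP lines above carry the data-connection endpoint as six comma-separated decimals, the last two being the high and low bytes of the port. Which side opens that connection decides whether a reflexive ACL can pass it: after a 227 reply the client connects out (and a mirror entry is created), after a PORT command the server connects in (and nothing on the inbound side matches). The following parser is an added example for this page, not code from it; it decodes both forms, checks that the announced address is the one at the other end of the control connection (a client that blindly connects to an arbitrary address from a 227 reply can be steered elsewhere), and reports whether the resulting connection would be covered by a reflexive entry under the lab's layout, where the FTP client is the inside host. The `sender` parameter and the returned keys are this example's own naming.

```python
import re

# 227 reply from the server (PASV) and PORT command from the client, as seen on this page
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields) -> tuple:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2); rejects values above 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {fields}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def ftp_data_connection(line: str, sender: str) -> dict:
    """Work out who opens the FTP data connection and to which address:port.

    sender is the control-connection address of the party that sent the line
    (the server for a 227 reply, the client for a PORT command). If the announced
    address differs from it, the line is flagged rather than trusted.
    """
    line = line.rstrip("\r\n")
    m = PASV_RE.match(line)
    if m:
        mode, initiator = "passive", "client"
    else:
        m = PORT_RE.match(line)
        if not m:
            raise ValueError(f"not a PASV reply or PORT command: {line!r}")
        mode, initiator = "active", "server"
    host, port = decode_hostport(m.groups())
    return {
        "mode": mode,
        "initiator": initiator,
        "host": host,
        "port": port,
        "address_matches_sender": host == sender,
        # only connections the inside client originates get a mirror entry
        "covered_by_reflexive": initiator == "client",
    }


if __name__ == "__main__":
    # the two exchanges recorded on this page
    for line, sender in (("227 Entering Passive Mode (198,51,100,251,155,200).\r\n", "198.51.100.251"),
                         ("PORT 10,1,1,253,222,211\r\n", "10.1.1.253")):
        print(ftp_data_connection(line, sender))
```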

disable RPF check

# not enough by itself: the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so the per-interface value must be lowered as well
echo 0 | sudo tee /proc/sys/net/ipv4/conf/all/rp_filter

R1 Console Log

server-0 Console Log

server-1 Console Log

Wireshark Packet Capture Result

man 8 ping

References

tech/network/cisco/security/network-security/acl/reflexive-acl/reflexive-acl.txt · Last modified: 2020/09/22 14:00 by wnoguchi