Cisco: Reflexive ACL

Reflexive, ACL, ACL, Network-Security, Security, Networking, Cisco, nc, ftp

Tasks

~~ACL established: ICMP ping~~
~~ACL established: UDP: nc~~
~~ACL established: TCP: Passive~~
~~ACL established: TCP: Active~~
~~Reflexive ACL: ICMP ping~~
~~Reflexive ACL: UDP: nc~~
~~Reflexive ACL: TCP: Passive~~
~~Reflexive ACL: TCP: Active~~

Topology Reflexive ACL ac6665a0-c406-4f46-8b30-b205290aedb7

network-security.acl.reflexive-acl.2rt.2sw.4node.1ext-conn.static.ac6665a0

- Topology Description: Reflexive ACL
- Topology ID: ''ac6665a0-c406-4f46-8b30-b205290aedb7''
- Design and Technology:
  - Reflexive ACL
  - Routing Protocol
    - static
  - 2 routers
  - 4 servers
- Remarks: N/A

### Links

Cisco: Reflexive ACL [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:reflexive-acl:reflexive-acl

Base Configuration

Common Configuration Snippet

trex-0

trex-0

# this is a shell script which will be sourced at boot
# if you change the hostname then you need to add a
# /etc/hosts entry as well
# hostname inserthostname_here
# like this:
# echo "127.0.0.1   inserthostname_here" >>/etc/hosts
echo "trex-0" >/etc/hostname
cat <<EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
 
auto eth0
iface eth0 inet dhcp
 
auto eth1
iface eth1 inet static
        hostname trex-0
        address 10.1.1.254
        netmask 255.255.255.0
        #gateway 10.1.1.1
        #dns-nameservers 8.8.8.8
EOF
service networking restart
#ip addr add 10.1.1.254/24 dev eth0
#ip route add 0.0.0.0/0 via 10.1.1.1
#ip link set eth0 up

trex-1

trex-1

# this is a shell script which will be sourced at boot
# if you change the hostname then you need to add a
# /etc/hosts entry as well
# hostname inserthostname_here
# like this:
# echo "127.0.0.1   inserthostname_here" >>/etc/hosts
echo "trex-1" >/etc/hostname
cat <<EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
 
auto eth0
iface eth0 inet dhcp
 
auto eth1
iface eth1 inet static
        hostname trex-1
        address 198.51.100.252
        netmask 255.255.255.0
        #gateway 198.51.100.2
        #dns-nameservers 8.8.8.8
EOF
service networking restart
#ip addr add 198.51.100.252/24 dev eth0
#ip route add 0.0.0.0/0 via 198.51.100.2
#ip link set eth0 up

ubuntu-0

ubuntu-0

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-0
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
   - curl
   - vsftpd
   - ftp
   - iperf3
   - nc
   - bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s2:
              dhcp4: true
              dhcp6: true
              match:
                 name: enp0s2
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 10.1.1.253/24
              routes:
                 - to: 198.51.100.0/24
                   via: 10.1.1.1
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 10.1.1.1
                   metric: 0
              #gateway4: 10.1.1.1
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

ubuntu-1

ubuntu-1

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-1
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
   - curl
   - vsftpd
   - ftp
   - iperf3
   - nc
   - bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           enp0s3:
              match:
                 name: enp0s3
              addresses:
                 - 198.51.100.251/24
              routes:
                 - to: 10.1.1.0/24
                   via: 198.51.100.2
                   metric: 0
                 - to: 203.0.113.0/24
                   via: 198.51.100.2
                   metric: 0
              #gateway4: 198.51.100.2
              #nameservers:
              #   addresses:
              #      - 8.8.8.8
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

R1

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
end

R2

R2

configure terminal
!
interface GigabitEthernet 0/0
 ip address 198.51.100.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
end

Configure Reflexive ACL a4a53d6b-8132-467b-997a-1845e7a6c5a4

R1 ICMP and Reflexive ACL (TCP)

configure terminal
!
ip access-list extened ACL_OUTBOUND
 permit icmp any any
 permit tcp any any reflect REFLECT_TCP timeout 120
!
ip access-list extened ACL_INBOUND
 permit icmp any any
 evaluate REFLECT_TCP
!
interface GigabitEthernet 0/1
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end

R1 Reflexive ACL (ICMP, TCP, UDP)

configure terminal
!
ip access-list extened ACL_OUTBOUND
 permit icmp any any reflect REFLECT_ICMP timeout 60
 permit tcp any any reflect REFLECT_TCP timeout 120
 permit udp any any reflect REFLECT_UDP timeout 120
!
ip access-list extened ACL_INBOUND
 evaluate REFLECT_ICMP
 evaluate REFLECT_TCP
 evaluate REFLECT_UDP
!
interface GigabitEthernet 0/1
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end

R1 ACL TCP established

configure terminal
!
ip access-list extened ACL_OUTBOUND
 permit tcp any any
!
ip access-list extened ACL_INBOUND
 permit tcp any any established
!
interface GigabitEthernet 0/1
 ip access-group ACL_OUTBOUND out
 ip access-group ACL_INBOUND in
!
end

Verification

Wireshark Display Filter

icmp
udp
tcp

ubuntu-0

ssh ubuntu@198.51.100.251
nc 198.51.100.251 33333
ping 198.51.100.251
# UDP client
nc -u 198.51.100.251 33333
# ICMP echo reply different path
ping -I 10.0.255.31 198.51.100.251

ftp 198.51.100.251
passive
passive off

ubuntu-1

nc -l 33333
ping 10.1.1.253
ping -I 198.51.100.251 10.1.1.253
# wrong!! YAMAHA only
ping -sa 198.51.100.251 10.1.1.253
# UDP server
nc -lu 33333
# ICMP echo reply different path
ping -I 10.0.255.32 10.1.1.253
sudo tcpdump -i enp0s2

FTP passive mode

PASV\r\n
227 Entering Passive Mode (198,51,100,251,155,200).\r\n

155 * 256 + 200 = 39880

FTP active mode

PORT 10,1,1,253,222,211\r\n

222 * 256 + 211 = 57043

disable RPF check

# not work
echo 0 | sudo tee /proc/sys/net/ipv4/conf/all/rp_filter

R1 Console Log

server-0 Console Log

server-1 Console Log

Wireshark Packet Capture Result

man 8 ping

References

PG1X WIKI

User Tools

Site Tools

Table of Contents

Cisco: Reflexive ACL

Tasks

Topology Reflexive ACL ac6665a0-c406-4f46-8b30-b205290aedb7

Base Configuration

Configure Reflexive ACL a4a53d6b-8132-467b-997a-1845e7a6c5a4

Verification

References

Page Tools