Cisco: Reflexive ACL
Tasks
Topology Reflexive ACL ac6665a0-c406-4f46-8b30-b205290aedb7
network-security.acl.reflexive-acl.2rt.2sw.4node.1ext-conn.static.ac6665a0
- Topology Description: Reflexive ACL
- Topology ID: ac6665a0-c406-4f46-8b30-b205290aedb7
- Design and Technology:
- Reflexive ACL
- Routing Protocol
- static
- 2 routers
- 4 servers
- Remarks: N/A
### Links
Cisco: Reflexive ACL [PG1X WIKI]
https://pg1x.com/tech:network:cisco:security:network-security:acl:reflexive-acl:reflexive-acl
Base Configuration
Common Configuration Snippet
The common configuration is here.
trex-0
# this is a shell script which will be sourced at boot
# if you change the hostname then you need to add a
# /etc/hosts entry as well
# hostname inserthostname_here
# like this:
# echo "127.0.0.1 inserthostname_here" >>/etc/hosts
echo "trex-0" >/etc/hostname
cat <<EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
hostname trex-0
address 10.1.1.254
netmask 255.255.255.0
#gateway 10.1.1.1
#dns-nameservers 8.8.8.8
EOF
service networking restart
#ip addr add 10.1.1.254/24 dev eth0
#ip route add 0.0.0.0/0 via 10.1.1.1
#ip link set eth0 up
trex-1
# this is a shell script which will be sourced at boot
# if you change the hostname then you need to add a
# /etc/hosts entry as well
# hostname inserthostname_here
# like this:
# echo "127.0.0.1 inserthostname_here" >>/etc/hosts
echo "trex-1" >/etc/hostname
cat <<EOF >/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
hostname trex-1
address 198.51.100.252
netmask 255.255.255.0
#gateway 198.51.100.2
#dns-nameservers 8.8.8.8
EOF
service networking restart
#ip addr add 198.51.100.252/24 dev eth0
#ip route add 0.0.0.0/0 via 198.51.100.2
#ip link set eth0 up
ubuntu-0
#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-0
ssh_pwauth: True
ssh_authorized_keys:
- ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
- curl
- vsftpd
- ftp
- iperf3
- nc
- bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
permissions: '0644'
content: |
network:
version: 2
ethernets:
enp0s2:
dhcp4: true
dhcp6: true
match:
name: enp0s2
enp0s3:
match:
name: enp0s3
addresses:
- 10.1.1.253/24
routes:
- to: 198.51.100.0/24
via: 10.1.1.1
metric: 0
- to: 203.0.113.0/24
via: 10.1.1.1
metric: 0
#gateway4: 10.1.1.1
#nameservers:
# addresses:
# - 8.8.8.8
runcmd:
- [ sudo, netplan, generate ]
- [ sudo, netplan, apply ]
ubuntu-1
#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-1
ssh_pwauth: True
ssh_authorized_keys:
- ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
package_upgrade: true
packages:
- curl
- vsftpd
- ftp
- iperf3
- nc
- bind-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
permissions: '0644'
content: |
network:
version: 2
ethernets:
enp0s3:
match:
name: enp0s3
addresses:
- 198.51.100.251/24
routes:
- to: 10.1.1.0/24
via: 198.51.100.2
metric: 0
- to: 203.0.113.0/24
via: 198.51.100.2
metric: 0
#gateway4: 198.51.100.2
#nameservers:
# addresses:
# - 8.8.8.8
runcmd:
- [ sudo, netplan, generate ]
- [ sudo, netplan, apply ]
R1
configure terminal
!
interface GigabitEthernet 0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
interface GigabitEthernet 0/1
ip address 203.0.113.1 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
end
R2
configure terminal
!
interface GigabitEthernet 0/0
ip address 198.51.100.2 255.255.255.0
no shutdown
interface GigabitEthernet 0/1
ip address 203.0.113.2 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
end
R1 ICMP and Reflexive ACL (TCP)
configure terminal
!
ip access-list extended ACL_OUTBOUND
permit icmp any any
permit tcp any any reflect REFLECT_TCP timeout 120
!
ip access-list extended ACL_INBOUND
permit icmp any any
evaluate REFLECT_TCP
!
interface GigabitEthernet 0/1
ip access-group ACL_OUTBOUND out
ip access-group ACL_INBOUND in
!
end
R1 Reflexive ACL (ICMP, TCP, UDP)
configure terminal
!
ip access-list extended ACL_OUTBOUND
permit icmp any any reflect REFLECT_ICMP timeout 60
permit tcp any any reflect REFLECT_TCP timeout 120
permit udp any any reflect REFLECT_UDP timeout 120
!
ip access-list extended ACL_INBOUND
evaluate REFLECT_ICMP
evaluate REFLECT_TCP
evaluate REFLECT_UDP
!
interface GigabitEthernet 0/1
ip access-group ACL_OUTBOUND out
ip access-group ACL_INBOUND in
!
end
R1 Established ACL (TCP)
configure terminal
!
ip access-list extended ACL_OUTBOUND
permit tcp any any
!
ip access-list extended ACL_INBOUND
permit tcp any any established
!
interface GigabitEthernet 0/1
ip access-group ACL_OUTBOUND out
ip access-group ACL_INBOUND in
!
end
Verification
Wireshark Display Filter
icmp
udp
tcp
ssh ubuntu@198.51.100.251
nc 198.51.100.251 33333
ping 198.51.100.251
# UDP client
nc -u 198.51.100.251 33333
# ICMP echo reply different path
ping -I 10.0.255.31 198.51.100.251
ftp 198.51.100.251
passive
passive off
nc -l 33333
ping 10.1.1.253
ping -I 198.51.100.251 10.1.1.253
# wrong!! -sa is YAMAHA router syntax only, not Linux ping
ping -sa 198.51.100.251 10.1.1.253
# UDP server
nc -lu 33333
# ICMP echo reply different path
ping -I 10.0.255.32 10.1.1.253
sudo tcpdump -i enp0s2
FTP passive mode
PASV\r\n
227 Entering Passive Mode (198,51,100,251,155,200).\r\n
155 * 256 + 200 = 39880
FTP active mode
PORT 10,1,1,253,222,211\r\n
222 * 256 + 211 = 57043
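As an added example (not from the PG1X page or from Cisco IOS itself), the following Python models what the reflect/evaluate pair configured above does with the FTP exchanges tested here: the client-initiated control and passive-mode data connections get mirrored temporary entries, while the server-initiated active-mode data connection to the PORT address has no mirror and is not permitted by the evaluate. Host addresses and the PASV/PORT lines are the page's; the client ports 40000/40001 are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveAcl:
    """One reflect/evaluate pair: temporary entries are mirrored 5-tuples. IOS also
    refreshes the idle timer on matching traffic and drops the entry on FIN/RST
    (not modelled here)."""
    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self.entries: dict[Flow, int] = {}  # mirrored flow -> expiry time

    def outbound(self, f: Flow, now: int) -> None:
        # 'permit tcp any any reflect REFLECT_TCP timeout 120': record the reverse tuple
        self.entries[Flow(f.proto, f.dst, f.dport, f.src, f.sport)] = now + self.timeout

    def inbound_permitted(self, f: Flow, now: int) -> bool:
        # 'evaluate REFLECT_TCP': only an exact mirrored match that has not aged out
        exp = self.entries.get(f)
        return exp is not None and now < exp

def ftp_data_port(line: str) -> int:
    """Data port from a '227 ... (h1,h2,h3,h4,p1,p2)' reply or a PORT command: p1*256+p2."""
    nums = re.findall(r"\d+", line)
    if len(nums) < 6:
        raise ValueError("expected h1,h2,h3,h4,p1,p2 in: " + line)
    return int(nums[-2]) * 256 + int(nums[-1])

def lab_results() -> dict[str, bool]:
    """ubuntu-0 (10.1.1.253) FTPs to ubuntu-1 (198.51.100.251) via R1; 40000/40001 are constructed client ports."""
    acl = ReflexiveAcl(timeout=120)
    client, server = "10.1.1.253", "198.51.100.251"
    acl.outbound(Flow("tcp", client, 40000, server, 21), now=0)  # control connection
    pasv = ftp_data_port("227 Entering Passive Mode (198,51,100,251,155,200).")  # 39880
    acl.outbound(Flow("tcp", client, 40001, server, pasv), now=1)  # passive data: client-initiated
    active = ftp_data_port("PORT 10,1,1,253,222,211")  # 57043
    return {
        "control_reply": acl.inbound_permitted(Flow("tcp", server, 21, client, 40000), now=2),
        "passive_data_reply": acl.inbound_permitted(Flow("tcp", server, pasv, client, 40001), now=2),
        # active mode: the server opens a new connection to the client's PORT; no mirror entry exists
        "active_data_syn": acl.inbound_permitted(Flow("tcp", server, 20, client, active), now=2),
        "control_reply_after_timeout": acl.inbound_permitted(Flow("tcp", server, 21, client, 40000), now=200),
    }
```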
disable RPF check
# does not work
echo 0 | sudo tee /proc/sys/net/ipv4/conf/all/rp_filter
R1 Console Log
server-0 Console Log
server-1 Console Log
Wireshark Packet Capture Result
References
man 8 ping