Let's refer to the diagram. Imagine R3 is the Internet. The requirement is that R1 can access R3, but R3 cannot access R1. This cannot be achieved with regular ACLs: if you block R3's traffic to R1 with an ACL, R1 will no longer be able to access R3 either, because the reply traffic for R1's sessions to R3 is also denied. That reply traffic has R3 as its source address, which is exactly what the ACL blocks.
So some way of remembering the R1-to-R3 traffic is needed, so that only its reply traffic is allowed back in. This can be achieved by the following three methods in Cisco IOS.
1. Reflexive ACLs
2. Context Based Access Control (CBAC)
3. Zone-Based IOS firewall implementation
In this post I am going to do it with the Reflexive ACL method.
First I create an ACL with a permit statement for traffic sourced from 192.168.12.1 and destined to any. I use the reflect option on that statement, which will create a dynamic mirror ACL (source and destination swapped) called REMEMBER.
R2(config)#ip access-list extended GOING-OUT
R2(config-ext-nacl)#permit ip host 192.168.12.1 any reflect REMEMBER
R2(config-ext-nacl)#permit ip any any log
The second permit statement above allows all other traffic to go out (and logs it), but because it has no reflect option, the reply traffic for it will be blocked by the following ACL.
This ACL evaluates REMEMBER and denies all other traffic.
R2(config)#ip access-list extended COMMING-IN
R2(config-ext-nacl)#evaluate REMEMBER
R2(config-ext-nacl)#deny ip any any
Now the following configuration applies the two ACLs above to R2's outgoing interface (e0/1): GOING-OUT in the outbound direction and COMMING-IN in the inbound direction.
R2(config)#interface e0/1
R2(config-if)#ip access-group GOING-OUT out
R2(config-if)#ip access-group COMMING-IN in
As you can see, a new reflexive ACL entry is created dynamically with source and destination swapped. You can also see that it has a time-left value. This value defaults to 300 seconds and can be adjusted. It is the duration for which the router remembers the traffic that passed.
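To make the mechanism concrete, here is an added example (not the post's configuration and not Cisco code) that models the two ACLs above in Python: the outbound list records a mirrored entry for traffic from 192.168.12.1, the inbound list admits a packet only if it matches such an entry, and entries expire after the timeout. The addresses, ports and packet sequence are constructed sample values; the timer restarting when matching traffic is seen is modeled behaviour. IOS additionally removes TCP entries early when the session is torn down, which this toy model does not attempt.

```python
# Added example (not the post's configuration): a small Python model of how a
# reflexive ACL tracks an outbound flow and admits only its mirrored reply.
# Addresses, ports and the 300-second default are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """Dynamic ACL created by 'reflect NAME' and consulted by 'evaluate NAME'."""

    def __init__(self, timeout=300):
        self.timeout = timeout      # default time-left value: 300 s
        self.entries = {}           # mirrored 5-tuple -> absolute expiry time

    def reflect(self, pkt, now):
        # Mirror entry: source and destination (address and port) swapped.
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now + self.timeout

    def evaluate(self, pkt, now):
        # Drop entries whose time left reached zero, then look the packet up.
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        # Modeled behaviour: the timer restarts whenever matching traffic is seen.
        self.entries[key] = now + self.timeout
        return True


def going_out(pkt, remember, now):
    """Outbound ACL GOING-OUT on e0/1."""
    if pkt.src == "192.168.12.1":   # permit ip host 192.168.12.1 any reflect REMEMBER
        remember.reflect(pkt, now)
        return "permit"
    return "permit"                 # permit ip any any log: passes, but is not remembered


def coming_in(pkt, remember, now):
    """Inbound ACL COMMING-IN on e0/1."""
    if remember.evaluate(pkt, now): # evaluate REMEMBER
        return "permit"
    return "deny"                   # deny ip any any


def run_scenario():
    """Replay a few constructed packets and return each verdict by name."""
    remember = ReflexiveList(timeout=300)
    r1, r3, other = "192.168.12.1", "203.0.113.10", "192.168.12.2"
    out = {}
    # R1 opens a TCP connection to R3; the reflect keyword records the flow.
    out["r1_to_r3"] = going_out(Packet("tcp", r1, 40000, r3, 80), remember, now=0)
    # R3's reply matches the mirrored entry and is admitted.
    out["r3_reply"] = coming_in(Packet("tcp", r3, 80, r1, 40000), remember, now=1)
    # Unsolicited connection from R3 to R1: no entry, so denied.
    out["r3_unsolicited"] = coming_in(Packet("tcp", r3, 12345, r1, 22), remember, now=2)
    # Another inside host goes out via the second permit (no reflect) ...
    out["other_to_r3"] = going_out(Packet("udp", other, 5000, r3, 53), remember, now=3)
    # ... so its reply has no mirror entry and is denied.
    out["other_reply"] = coming_in(Packet("udp", r3, 53, other, 5000), remember, now=4)
    # Once the timeout has run out, the remembered flow is forgotten.
    out["late_reply"] = coming_in(Packet("tcp", r3, 80, r1, 40000), remember, now=400)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} {verdict}")
```

Running the script prints the verdict for each constructed packet; the last one shows that a reply arriving after the time-left value has expired is treated like any other unsolicited packet from R3.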