Using Named and Reflexive Access-Lists
Problem
You want to use a reflexive ACL, embedded in a named ACL.
Solution
A basic named ACL is similar to the numbered ACLs that we discussed earlier in this chapter. They can work like either Standard or Extended IP ACLs:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip access-list standard STANDARD-ACL
Router1(config-std-nacl)#remark This is a standard ACL
Router1(config-std-nacl)#permit any log
Router1(config-std-nacl)#exit
Router1(config)#ip access-list extended EXTENDED-ACL
Router1(config-ext-nacl)#remark This is an extended ACL
Router1(config-ext-nacl)#deny tcp any any eq www
Router1(config-ext-nacl)#permit ip any any log
Router1(config-ext-nacl)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group STANDARD-ACL in
Router1(config-if)#exit
Router1(config)#end
Router1#
You can embed a reflexive ACL inside of a named Extended IP ACL. The reflect keyword defines the reflexive ACL rule, and the evaluate command executes it. The following example filters ICMP packets so that you can initiate a PING test from one side of the network, but not the other:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip access-list extended PING-OUT
Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#ip access-list extended PING-IN
Router1(config-ext-nacl)#evaluate ICMP-REFLECT
Router1(config-ext-nacl)#deny icmp any any log
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group PING-OUT out
Router1(config-if)#ip access-group PING-IN in
Router1(config-if)#end
Router1#
Discussion
The first example in this recipe just demonstrates how to use named ACLs. There is very little difference between this example and the one shown in Recipe 19.1, except that here we have used a different type of ACL to accomplish the same thing. One useful difference between the two versions is that you can delete an individual rule from a named ACL:
Router1#show access-list EXTENDED-ACL
Extended IP access list EXTENDED-ACL
    deny tcp any any eq www
    permit ip any any log
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip access-list extended EXTENDED-ACL
Router1(config-ext-nacl)#no deny tcp any any eq www
Router1(config-ext-nacl)#end
Router1#show access-list EXTENDED-ACL
Extended IP access list EXTENDED-ACL
    permit ip any any log
Router1#
Just as with numbered ACLs, however, you cannot add individual rules to the middle of a named ACL.
Named ACLs start to show their real value, though, when you need to use more advanced features, such as reflexive ACLs, as we did in the second example. This example is similar in spirit to what we did to restrict TCP sessions in Recipe 19.5. In that case, we wanted to ensure that users on the trusted side of the network could initiate TCP connections to the untrusted side, but any incoming connection attempts would be rejected. Here we do the same thing with ICMP packets.
Of course, because TCP is a connection-oriented protocol, it is not quite so difficult to determine which side initiated the session. But ICMP doesn't have the concept of a session. So what we have to do is wait until somebody on the inside sends an ICMP packet to somebody on the outside. When this happens, we tell the router that it can expect to see an appropriate ICMP response from the same IP address, so it should let that packet through.
Let's look at the outbound ACL first:
Router1(config)#ip access-list extended PING-OUT
Router1(config-ext-nacl)#permit icmp any any reflect ICMP-REFLECT timeout 15
Router1(config-ext-nacl)#permit ip any any
The first permit command includes the keyword reflect and defines the reflection rule name as ICMP-REFLECT. We have applied this ACL to watch for outbound packets on the interface. As soon as we send out an ICMP packet, such as a PING query, the router starts looking for the reflected version of this packet, in this case a PING response.
In this example, we have gone further than this by including the timeout keyword at the end of the line with an argument of 15. This tells the router that it should not wait more than 15 seconds after the last outbound packet for additional inbound packets.
The inbound rule uses the evaluate keyword to dynamically enable the reflection rule:
Router1(config)#ip access-list extended PING-IN
Router1(config-ext-nacl)#evaluate ICMP-REFLECT
Router1(config-ext-nacl)#deny icmp any any log
Router1(config-ext-nacl)#permit ip any any
Notice that this is the same rule name, ICMP-REFLECT, as we previously defined in the outbound ACL. If the incoming packet looks like a reflected version of whatever was defined when we created this rule, the ACL will permit the packet. If the packet doesn't match this rule, then it will continue checking the rest of the ACL normally. In this case, we have followed the evaluate command with a command that will explicitly deny all other ICMP packets that don't match the reflection rule.
Note that the router will check the reflected packet to ensure that it has the correct source and destination addresses, based on the outbound packet. If you use reflexive ACLs to match a UDP application, for example, the router will also check port numbers to ensure that the inbound packet is legitimate.
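The reflect/evaluate mechanism described above, modelled in Python as an added illustration (this is not IOS code and not from the book). The model swaps addresses, and for UDP/TCP also port numbers, when it creates a temporary entry, treats the 15-second timeout as an idle timer, and uses constructed sample addresses; the ping_in function mirrors the order of the PING-IN rules.

```python
"""Model of how a reflexive ACL entry is created and evaluated (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "icmp", "udp" or "tcp"
    src: str          # source IP address
    dst: str          # destination IP address
    sport: int = 0    # source port (0 for ICMP, which has no ports)
    dport: int = 0    # destination port (0 for ICMP)


class ReflexiveACL:
    """Temporary entries created by 'reflect', consulted by 'evaluate'."""

    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self.entries = {}   # mirror-image 5-tuple -> expiry time (seconds)

    def reflect(self, pkt: Packet, now: int) -> None:
        # Outbound packet matched the 'reflect' rule: remember the
        # mirror image (addresses and ports swapped) the router expects back.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        # Inbound packet: permitted only if a live entry matches exactly,
        # so a different peer address or port does not match.
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[key]         # idle timeout elapsed
            return False
        self.entries[key] = now + self.timeout   # traffic refreshes the idle timer
        return True


def ping_in(acl: ReflexiveACL, pkt: Packet, now: int) -> str:
    """PING-IN: evaluate ICMP-REFLECT; deny icmp any any log; permit ip any any."""
    if acl.evaluate(pkt, now):
        return "permit (reflexive)"
    if pkt.proto == "icmp":
        return "deny (logged)"
    return "permit"
```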
See Also
Recipe 19.1; Recipe 19.5