Reflexive ACLs
What are Reflexive ACLs?
Reflexive ACLs, also known as IP session filtering ACLs, are used to allow traffic sessions that originate from a source (inside) network while denying IP traffic for sessions that originate from the outside network. They let a network administrator dynamically enable a filtering router to manage session traffic. The router examines outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL that allows the replies back in. These entries are created automatically when a new IP session begins and are removed when the session ends.
Reflexive access lists are not applied directly to an interface, but are "nested" within an extended named IP access list that is applied to the interface.
Cisco recommends configuring reflexive access lists on border routers, that is, routers that pass traffic between an internal and an external network. Often these are firewall routers.
Reflexive ACLs provide a stricter form of session filtering than an extended ACL that uses the established parameter. Reflexive ACLs also work for UDP and ICMP, which have no ACK or RST bits. The established option also does not work with applications that dynamically change the source port of the session traffic. A permit statement with the established keyword only checks the ACK and RST bits, not the source and destination addresses.
Advantages of Reflexive ACLs
Reflexive ACLs have the following advantages:
- Network administrators use reflexive ACLs to defend against network intruders, and they can be included in a firewall defence.
- They are simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
- They provide a level of protection against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through: source and destination addresses and port numbers are checked, not just the ACK and RST bits.
Reflexive ACL Configuration Example
The diagram below shows an example in which a network administrator applies a reflexive ACL that permits ICMP traffic outbound and inbound, while permitting only TCP traffic that has been initiated from inside the network. Assume that all other traffic is denied. The reflexive ACL is applied to the outbound interface of R2.

Step-by-step reflexive ACL configuration
Step 1. Enable the router to keep track of all traffic that was initiated from the inside network (172.16.0.0 0.0.255.255) toward outside networks; the reflect keyword creates the temporary reflexive entries TCPTRAFFIC and ICMPTRAFFIC:
R2(config)#ip access-list extended OUTBOUNDFILTERS
R2(config-ext-nacl)#permit tcp 172.16.0.0 0.0.255.255 any reflect TCPTRAFFIC
R2(config-ext-nacl)#permit icmp 172.16.0.0 0.0.255.255 any reflect ICMPTRAFFIC
Step 2. Create an inbound policy that requires the router to check incoming traffic and verify that it was initiated from inside. The evaluate statements tie the reflexive ACLs created by the OUTBOUNDFILTERS ACL, TCPTRAFFIC and ICMPTRAFFIC, to the INBOUNDFILTERS ACL:
R2(config)#ip access-list extended INBOUNDFILTERS
R2(config-ext-nacl)#evaluate TCPTRAFFIC
R2(config-ext-nacl)#evaluate ICMPTRAFFIC
Step 3. Apply the inbound and outbound ACLs to the interface:
R2(config)# interface s0/1/0
R2(config-if)#ip access-group INBOUNDFILTERS in
R2(config-if)#ip access-group OUTBOUNDFILTERS out
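The reflect/evaluate behaviour configured above, as an added Python simulation (not Cisco IOS code and not from the original page): outbound packets from the inside network create mirrored temporary entries, inbound packets are permitted only when their full address and port tuple matches one, and established_permits shows the weaker ACK/RST-only check that the page contrasts with. The inside network is taken from the page's wildcard mask; the 300-second idle timeout and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the inside network is the page's 172.16.0.0 0.0.255.255 wildcard, i.e. a /16.
INSIDE = ipaddress.ip_network("172.16.0.0/16")


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # ports are 0 for ICMP
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit, consulted only by the 'established' comparison
    fin: bool = False     # TCP session end, used to tear the reflexive entry down


class ReflexiveACL:
    """Models the OUTBOUNDFILTERS (reflect) / INBOUNDFILTERS (evaluate) pair on R2."""

    def __init__(self, timeout=300):
        self.timeout = timeout    # idle timeout in seconds (assumed value, not from the page)
        self.entries = {}         # mirrored (proto, src, dst, sport, dport) -> expiry time

    def outbound(self, pkt, now):
        # 'permit tcp|icmp 172.16.0.0 0.0.255.255 any reflect ...': only inside-sourced sessions
        # are permitted out, and each one creates a mirrored (src/dst swapped) temporary entry.
        if ipaddress.ip_address(pkt.src) not in INSIDE:
            return False
        self.entries[(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        # 'evaluate TCPTRAFFIC' / 'evaluate ICMPTRAFFIC': expire stale entries, then permit only
        # a packet whose whole address/port tuple matches a session that was opened from inside.
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key not in self.entries:
            return False              # unsolicited: falls through to the implicit deny
        if pkt.proto == "tcp" and pkt.fin:
            del self.entries[key]     # session end removes the entry (simplified to one FIN)
        return True


def established_permits(pkt):
    # The weaker 'permit tcp any any established' check the page contrasts with:
    # it looks at the ACK/RST bits only, never at addresses or ports.
    return pkt.proto == "tcp" and pkt.ack
```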