What Are Reflexive Access Lists
Reflexive access lists go on the filtering router that connects your network to the outside world. (I'm avoiding "firewall router", since we usually think of a firewall as a dedicated security box now.) They let the router dynamically open itself to reply packets for TCP connections and UDP sessions initiated from inside your network. The mechanism is simple: when an outbound packet matches an entry of the form "permit ... reflect NAME", IOS creates a temporary entry in the reflexive list NAME with the source and destination addresses and ports swapped. The inbound access list checks those temporary entries at the point where it contains "evaluate NAME". For TCP the temporary entry is removed when the session closes (a FIN or RST is seen); for UDP, which has no session end, it is removed after an idle timeout (set globally with "ip reflexive-list timeout", 300 seconds by default). This reduces exposure to spoofing and denial-of-service: an unsolicited inbound packet matches no temporary entry and falls through to the implicit deny at the end of the list, and a spoofed packet has to hit the exact address and port pair of a live session to get through.

Two caveats before the configuration. Every extended access list ends with an implicit "deny ip any any", so the outbound list below, which only permits TCP and UDP, blocks everything else leaving the interface (ICMP, for instance); add permits for whatever else you need. And reflexive lists track only the exact five-tuple of the original session, so protocols that open a second channel from the outside (active-mode FTP is the classic case) will not work through them.

! create the named extended access list that "sees" the outbound packets
ip access-list extended outbound-packet-watch
 permit tcp any any reflect reflexive-temporary-list
 permit udp any any reflect reflexive-temporary-list
! create the named extended access list that evaluates the inbound packets
ip access-list extended inbound-packet-catcher
! allow BGP routing but deny ICMP from outside. "bgp" is not an IP protocol
! keyword in an extended ACL; BGP is TCP port 179, so match it as a TCP port
! in both directions. The static permit is needed because packets the router
! itself originates are not filtered by the outbound list and so never create
! a reflexive entry.
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 deny icmp any any
 evaluate reflexive-temporary-list
! the implicit deny ip any any ends the list; anything not reflected is dropped
interface serial 1/0
! apply the named access list to watch packets leaving the secure network
! as they go out serial 1/0
 ip access-group outbound-packet-watch out
 ip access-group inbound-packet-catcher in
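To make the mechanics concrete, here is an added Python model of how the router evaluates the two lists above against the reflexive list. It is illustration code written for this page, not code from the original post or from Cisco IOS. The addresses, ports and packets are constructed for the example, BGP is matched as TCP port 179, each list ends with the implicit deny, and the 300-second idle timeout is the IOS default for ip reflexive-list timeout.

```python
# Added example, not code from the original post or from Cisco IOS: a small model
# of how the outbound and inbound access lists interact with a reflexive list.
# Addresses, ports and packets are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}, {"FIN", "ACK"}

    def key(self) -> Key:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reversed_key(self) -> Key:
        # The temporary entry IOS installs: source and destination swapped.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveList:
    """Temporary entries created by 'reflect' and checked by 'evaluate'."""
    name: str
    timeout: float = 300.0                                  # seconds, IOS default
    entries: Dict[Key, float] = field(default_factory=dict)  # key -> expiry time

    def reflect(self, pkt: Packet, now: float) -> None:
        self.entries[pkt.reversed_key()] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        expiry = self.entries.get(pkt.key())
        if expiry is None:
            return False                      # no live session for this 5-tuple
        if now >= expiry:
            del self.entries[pkt.key()]       # idle timeout expired
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[pkt.key()]       # TCP session closed: entry removed
        else:
            self.entries[pkt.key()] = now + self.timeout  # traffic resets the idle timer
        return True


def outbound_packet_watch(pkt: Packet, rl: ReflexiveList, now: float) -> bool:
    """ip access-list extended outbound-packet-watch (applied 'out')."""
    if pkt.proto in ("tcp", "udp"):           # permit tcp/udp any any reflect ...
        rl.reflect(pkt, now)
        return True
    return False                              # implicit deny ip any any


def inbound_packet_catcher(pkt: Packet, rl: ReflexiveList, now: float) -> bool:
    """ip access-list extended inbound-packet-catcher (applied 'in')."""
    if pkt.proto == "tcp" and 179 in (pkt.sport, pkt.dport):
        return True                           # permit tcp ... eq bgp, both directions
    if pkt.proto == "icmp":
        return False                          # deny icmp any any
    if rl.evaluate(pkt, now):
        return True                           # evaluate reflexive-temporary-list
    return False                              # implicit deny ip any any


def scenario() -> Dict[str, bool]:
    """Run constructed packets through both lists; every value should be True."""
    rl = ReflexiveList("reflexive-temporary-list")
    inside, outside, dns = "10.1.1.5", "203.0.113.10", "203.0.113.53"
    r: Dict[str, bool] = {}
    # 1. Outbound TCP SYN creates a temporary entry; the SYN/ACK reply matches it.
    outbound_packet_watch(Packet("tcp", inside, 40000, outside, 443, frozenset({"SYN"})), rl, 0)
    r["reply_allowed"] = inbound_packet_catcher(
        Packet("tcp", outside, 443, inside, 40000, frozenset({"SYN", "ACK"})), rl, 1)
    # 2. Same peer, different client port: no entry, dropped by the implicit deny.
    r["unsolicited_denied"] = not inbound_packet_catcher(
        Packet("tcp", outside, 443, inside, 40001), rl, 1)
    # 3. Spoofed source that does not match the live session's 5-tuple is dropped.
    r["spoofed_denied"] = not inbound_packet_catcher(
        Packet("tcp", "198.51.100.7", 443, inside, 40000), rl, 1)
    # 4. FIN from the peer passes, then the entry is gone and later packets are dropped.
    r["fin_allowed"] = inbound_packet_catcher(
        Packet("tcp", outside, 443, inside, 40000, frozenset({"FIN", "ACK"})), rl, 2)
    r["after_close_denied"] = not inbound_packet_catcher(
        Packet("tcp", outside, 443, inside, 40000, frozenset({"ACK"})), rl, 3)
    # 5. UDP has no close: the reply is allowed until the idle timeout expires.
    outbound_packet_watch(Packet("udp", inside, 5353, dns, 53), rl, 10)
    r["dns_reply_allowed"] = inbound_packet_catcher(Packet("udp", dns, 53, inside, 5353), rl, 11)
    r["dns_reply_after_timeout_denied"] = not inbound_packet_catcher(
        Packet("udp", dns, 53, inside, 5353), rl, 11 + rl.timeout)
    # 6. Static entries: inbound ICMP is denied, a peer-initiated BGP SYN is permitted.
    r["icmp_denied"] = not inbound_packet_catcher(Packet("icmp", outside, 0, inside, 0), rl, 12)
    r["bgp_allowed"] = inbound_packet_catcher(
        Packet("tcp", "192.0.2.1", 50000, "192.0.2.2", 179, frozenset({"SYN"})), rl, 12)
    # 7. The outbound list's implicit deny: ICMP leaving the interface is blocked as written.
    r["outbound_icmp_denied"] = not outbound_packet_watch(Packet("icmp", inside, 0, outside, 0), rl, 13)
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
```

The model deliberately ignores anything above layer 4: that is exactly why a protocol such as active-mode FTP, whose data connection arrives from the outside on a port the router has never seen, does not match any temporary entry and is dropped.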
Ref: http://www.netcraftsmen.net/resources/archived-articles/432.html