Monday, May 21, 2012

Reflexive access lists

Basically, very similar in spirit to the Cisco Zone-Based Firewall: outbound traffic that you explicitly permit creates temporary entries that allow only the matching return traffic back in.

1. Define an access list Egress that permits the outbound traffic you want, and apply it outbound on the interface. Each time a packet matches the "reflect" line, IOS creates a timed, mirrored entry in the reflexive access list Mirror.
Router(config)# ip access-list extended Egress
Router(config-ext-nacl)# permit ip any any reflect Mirror
Router(config-ext-nacl)# interface f0/1
Router(config-if)# ip access-group Egress out


2. Define an access list Ingress that references the reflexive access list Mirror (via "evaluate"), so that only matching return traffic is allowed inbound, and apply it inbound on the same interface.
Router(config)# ip access-list extended Ingress
Router(config-ext-nacl)# evaluate Mirror
Router(config-ext-nacl)# interface f0/1
Router(config-if)# ip access-group Ingress in
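To make the mechanism behind the two steps concrete, here is a small Python model (added here, not code from the blog or from Cisco) of what the router does: an outbound packet hitting the "reflect" line creates a mirrored 5-tuple entry with a timeout, and an inbound packet is permitted only if it matches an unexpired mirror entry, a static line in Ingress, or otherwise hits the implicit deny. Class and function names are assumed, the sample flows are constructed, and the model ignores the early teardown IOS performs on TCP FIN/RST.

```python
"""Toy model of Cisco reflexive ACL state (illustrative, not IOS code)."""
from dataclasses import dataclass, field


@dataclass
class ReflexiveAcl:
    timeout: int = 300                      # IOS default reflexive timeout, seconds
    mirror: dict = field(default_factory=dict)   # mirrored 5-tuple -> expiry time

    def egress(self, pkt, now):
        """Outbound packet matched by 'permit ip any any reflect Mirror':
        permit it and create the reversed (src<->dst) entry in Mirror."""
        proto, sip, sport, dip, dport = pkt
        mirrored = (proto, dip, dport, sip, sport)   # what the reply will look like
        self.mirror[mirrored] = now + self.timeout
        return "permit"

    def ingress(self, pkt, now, static_rules=()):
        """Inbound packet: 'evaluate Mirror' first, then any static permit
        lines in Ingress, then the implicit deny at the end of the ACL."""
        expiry = self.mirror.get(pkt)
        if expiry is not None:
            if now < expiry:
                self.mirror[pkt] = now + self.timeout   # activity refreshes the timer
                return "permit (reflexive)"
            del self.mirror[pkt]                        # timed out: entry is gone
        for rule in static_rules:
            if rule(pkt):
                return "permit (static)"
        return "deny (implicit)"


def demo():
    """Walk one constructed session through the model and return the verdicts."""
    acl = ReflexiveAcl(timeout=300)
    # Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port)
    outbound = ("tcp", "192.168.1.10", 51000, "203.0.113.5", 80)
    reply = ("tcp", "203.0.113.5", 80, "192.168.1.10", 51000)
    unsolicited = ("tcp", "198.51.100.7", 4444, "192.168.1.10", 22)
    return [
        acl.egress(outbound, now=0),        # creates mirror entry, expires at 300
        acl.ingress(reply, now=10),         # matches mirror, timer refreshed to 310
        acl.ingress(unsolicited, now=10),   # no mirror entry, no static rule: denied
        acl.ingress(reply, now=400),        # 400 >= 310: entry expired, denied
    ]
```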

A very good reference on Cisco reflexive access lists, far better than Cisco's own documentation:
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/
Configuring IP Session Filtering (Reflexive Access Lists)
