Questions on Reflexive Access Lists

Hi Sir,
I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
The config on the core router is as follows:
int Vlan10
description *** Server Farm ***
ip address 172.16.10.1 255.255.255.0
ip access-group inboundfilters in
ip access-group outboundfilters out
int Vlan20
description *** Marketing Department ***
ip address 172.16.20.1 255.255.255.0
int Vlan30
description *** Engineering Department ***
ip address 172.16.30.1 255.255.255.0
ip access-list extended outboundfilters
permit tcp any any eq telnet
permit tcp any any eq smtp
evaluate iptraffic
ip access-list extended inboundfilters
permit ip any any reflect iptraffic
My questions:
(1) I yet to test the above config on an actual router. However, is it correct theoretically?
(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
(3) If you have other better feature options that meet my requirements, please do recommend.
Please advise.
Thank you.
B.Rgds,
Lim TS

Hi Lim,
CBAC is good as well, considering the following features:
1. Traffic Filtering:
- filters TCP and UDP packets based on application-layer protocol session information.
- permit specified TCP and UDP traffic through a firewall when the connection is initiated from inside protected network, or outside network.
2. Traffic Inspection
- discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
- Protect against DoS attack by checking/verifying sequence no (must be within the expected range) and discard unknown packets. Same goes to attack via fragmented IP.
3. Alerts and Audit Trails
- can send real-time alerts and audit trails to syslog server (or buffer log)
4. Intrusion Detection
- Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.
Limitations:
1. Only protect protocol you specify. The rest will depend on ACL you have in the router but not up to session layer.
2. No protection for attacks originating from internal network, unless if you have firewall (pix/asa/ios-firewall) protection.
3. Only protect certain type of well-known attacks only - based on 59 embedded IDS signatures
For spoofing protection, i.e spoof attack from outside/common user segment, maybe you should apply RFC2827 (prevent IP on protected segment from coming back into that segment from outside). Make sure your ACL has the 'establish' keyword as well. As recommended by Cisco, you should apply multiple layer of security protection both on your router and other devices connected to it.
Cheers!

Similar Messages

  • Clienless webvpn and reflexive access list firewall

    I have a Cisco Router 3825 with WEBVPN server and Reflexive access list Firewall. All is well but when i try from outside to go to WEBVPN server and try trought WEBVPN site to open some web Site it dosen`t work. For example when i try to open yahoo.com, the log shows
    "%SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied tcp 98.138.253.109(80) -> my_ip_address(45341), 1 packet  [ACL_ERROR]"
    98.138.253.109 is yahoo.com ip address
    Can you give my advice how to solve this problem? 

    If you have WEBVPN, then you have the Security-image/license on your router. That means that you are not restricted to reflexive ACLs, you can use a "real" firewall-feature like CBAC or ZBF on that device.

  • Reflexive/established access list

    We want internal hosts that are accessing the Internet to have return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic comming from the Internet. We want only websites that respond from an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, only response for that request. We want to restrict only traffic initiated from the outside only to VPN, SSH and email. The following caused accessing the Internet traffic to slow down and websites did not fully load. Any assistance would be appreciated.
    Thanks.
    Said
    access-list 150 permit tcp any host <firewall outside IP>
    access-list 150 permit tcp any host <Exchange server translated public IP> eq www
    access-list 150 permit tcp any host < Exchange server translated public IP> eq smtp
    access-list 150 permit tcp any host < Exchange server translated public IP> eq 22
    access-list 150 permit tcp any host < Exchange server translated public IP> eq pop3
    access-list 150 permit tcp any any eq telnet
    access-list 150 permit icmp any any
    access-list 150 permit udp any eq domain any
    access-list 150 permit udp any any eq domain
    access-list 150 permit esp any any
    access-list 150 permit gre any any
    access-list 150 permit udp any any eq non500-isakmp
    access-list 150 permit udp any any eq isakmp
    access-list 150 permit tcp any any established
    access-list 150 deny ip any any log
    interface MFR0.724
    router(config-if)#ip access-group 150 in

    Have you considered using CBAC?
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
    I like CBAC better. CBAC builds intelligence into the traffic analysis. CBAC should make your connection more secure.
    Reflex documentation
    http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

  • Access-list port range question

    Hi,
    I would like to clarify the exact operation of the below command:
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    ip access-list extended VoiceACL
    permit udp any any range 16384 16387
    Thus the range statement in the above access list specify that it allow only three ports "16384 to 16387". Is that correct ? Bit confused with this command. One of my friend said that the range statement not just specify 3 ports,but it specify the starting port as 16384 and the end port number 32771 [16384+16387].
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Value1] = starting port number
    [Value2] + [Value1] = end port number
    Thanks
    Nachi

    Hi Nachi,
    This represent the ports ranging between the first number and the last number included, in your case this is actually 4 ports: 16384, 16385, 16386 and 16387
    Regards,
    Raphael

  • Access-list Question

    Hi,
    Can somebody explain me when to use "established" word at the end of access-list.

    "established" is a keyword used in the automatically generated ACLs for TCP return connections.
    check for this URL to get more infirmation.
    http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webprtal/7fire.htm#1110326
    hope it helps ... rate if it does ...

  • NAC access list question

    so we have a NAC in our lab, set up as L3 OOB....we have a vlan set up for internet only access..a route map is configured on the CORE to send the internet only traffic back to the NAC for restrictions (to mimic the inband solution)......in our unauthenticated role policy, we set up the access list on a vlan to only access the internet and block internal address...the weird thing is, the access list on the NAC works on any internal addresses, but when the pc pings/telnets the CORE itself (and any mgnt ip addresses) it works?????....anybody know the reason why...im sure a workaroud is to put an acl on the CORE itself to block that...
    Hope my drawing is enough to assist.....
    CORE--------l3 switch--------pc
    |
    |
    |
    NAC

    That's a great idea - the ACL on the management interfaces of the devices.
    Is the ACL for the unauthenticated role on the L3 switch or the Core?
    I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
    peter

  • Simple SSH Access-List Question

    I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
    Thank you,
    Thomas Reiling

    Hi there,
    If using ssh make sure you have a domain name, host name and a generated rsa key.  Assuing you've done that, the the following ACL and line vty command will do the trick.  Note that the 1-50 host list is not on a subnet barrier.
    To get it exactly
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 host 192.168.200.50
    access-list 1 deny any log
    It would be a good idea to put it on a boundary though, so the following would be much more simpler and easier to read.
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny   any log
    Apply the access-class on the vty lines and depending on authentication, i'd put something there too.
    line vty 0 4
    access-class 1 in
    transport input ssh
    password blahblah
    That ought to do it.
    good luck!
    Brad

  • Extended access list question

    Hello,
    any suggestions why the following ACL will not apply?
    access-list 100 permit udp any host 192.168.155.18 eq domain
    access-list 100 permit tcp any host 192.168.155.18 eq domain
    access-list 100 permit tcp any host 192.168.155.18 established
    access-list 100 deny udp any host 192.168.155.18
    access-list 100 deny tcp any host 192.168.155.18
    access-list 100 permit ip any any
    interface GigabitEthernet0/2.16
    description Subnetz 192.168.155.16/28
    encapsulation dot1Q 16
    ip address 192.168.155.17 255.255.255.240
    ip access-group 100 in
    The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
    Thanks,
    Thomas

    Hi Rick,
    no there is no NAT or other things turned on on this device.
    Router#sh ip access-list 100
    Extended IP access list 100
        10 permit udp any host 192.168.155.18 eq domain (379 matches)
        20 permit tcp any host 192.168.155.18 eq domain (5 matches)
        30 permit tcp any host 192.168.155.18 established (1 match)
        40 deny udp any host 192.168.155.18 (788 matches)
        50 deny tcp any host 192.168.155.18 (79 matches)
        60 permit ip any any (562 matches)
    Router#sh ip int gi0/2.16
    GigabitEthernet0/2.16 is up, line protocol is up
      Internet address is 192.168.155.17/28
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound  access list is not set
      Proxy ARP is disabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are never sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is enabled
      IP CEF switching is enabled
      IP Flow switching turbo vector
      IP Flow CEF switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, Flow cache, CEF, Full Flow
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
    Thanks,
    Thomas

  • IPSEC access-list question

    Hi,
    I have an access-list with the following line...
    permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
    and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
    protected vrf:
    local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
    current_peer: 62.140.138.249:500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors
    I also show a crypto ipsec sa which doesn't correspond directly to my accesslist. This is the second time I've seen this... is there any part of IPsec where the access-list are shared with the other end? i didn't think so, but I'm not sure how we got this, if not.
    protected vrf:
    local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
    current_peer: 62.140.138.249:500
    PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    #send errors 0, #recv errors 0
    Thanks!!

    Can you post the configuration from this device.
    Regards,
    Arul

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

    If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

  • Acl-name in access-list requirements

    Hi,
    I would ask about the acl-name in access-list,
    Does it act as a link between the ACL and an interface?
    or it could be written as any-thing, without any constrains?
    such as
    access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
    is it OK?
    or test_ACL should be defined somewhere prior using it in ACL?

    just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs.  Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map.  Another comon use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
    But for this specific ACL that you mention, the question you need to answer is, does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted?  If the answer is no to either of thaese then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
    Whether the ACL itself can be removed, I would assume it is safe to  remove as it is called test_ACL, but then again, I have see people set up test configurations and then leave them as is without changing the name.  So I would suggest investigating further to see if the name test_ACL is referenced any other places in your configuration.
    Please remember to select a correct answer and rate helpful posts

  • Access-List Process - Urgent Help

    Dear All,
    My question here in this forum , in the Process of :-
    1- Which Interface should I apply this Access-list ?
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    Now, My question is here :-
    Was I correct in choosing the Interface that I will apply this Access-list or not ?
    Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
    I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
    1. Fast Ethernet 0 / 0 :-
    Description : connected to My Network as MY LAN .
    IP Address of this Interface : 192.168.1.10 / 255.255.255.0
    2. Fast Ethernet 0 /1 :-
    Description : connected to Second Network on second Building.
    IP Address of this Interface : 172.16.20.10 / 255.255.0.0
    3. Serial Interface ( S 0 ).
    Description : connected to My Server Farm which is in another Network
    IP Address of this interface : 10.1.8.20 / 255.255.255.0.
    > No any serial interface or any serial connection at all on my 1841 Route.
    > The Default route on My Router is
    > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
    Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
    As anyone knows, its an Extended Access List.
    So I wrote it like that:-
    Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
    Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
    Router(config)# access-list 102 permit ip any any
    Process of choosing the interface :-
    1- Which Interface should I apply this Access-list ?
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    To answer and to understand the answer, for the 2 questions, here is my Process :-
    First Interface f 0 / 0 :-
    < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
    Second Interface f 0 / 1 :-
    < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
    Third Interface S0:-
    Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
    So, final answer will be as following :-
    1- Which Interface should I apply this Access-list ?
    ( Serial / 0 ) .
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    ( Outbound ) .
    Was I correct or not ? please some one is update me.

    The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

  • Access List - cisco 2600- HELP

    Hi,
    i want ask we, if the access list are bi-directional or it are one-directional?
    If i want negate "LAN A" (eth1) to go in "LAB B" (eth0) which acl i must use and then "LAN B" can go to "LAN A"?
    Thanks

    Emanuele
    When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
    I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
    If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
    If I have not understood your question correctly please clarify what you are attempting to accomplish.
    HTH
    Rick

  • Nered to know where I can view ACL denies regarding "access-list deny any log" ?

    I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
    I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

    Hi,
    Yes, with an extended access-list with the last line:
    deny ip any any log
    with "sh log" you can  see the source address of the packets being dropped.
    Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
    logging console debugging
    logging monitor debugging
    With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
    access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
    access-list 101 deny   udp any range 0 65535 any range 0 65535 log
    access-list 101 deny   icmp any any log
    access-list 101 deny   ip any any log
    to log the sources and destinations IPs and port numbers.
    Best Regards,
    Pedro Lereno

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
    policy-map global_policy
    class inspection_default
    inspect_icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If problem is still actual, I can answer you this question.
    Let's see situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
    In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.
    Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.
    If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.
    P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower.

Maybe you are looking for