By default, an access-list doesn’t keep track of the sessions. An access-list consist of various permit and deny rules which are scanned from top to bottom. If any of the condition matches then it is executed and no other condition is matched.
For a very small office, a reflexive Access-list acts as stateful firewall as it allows only those traffic which is initiated within the network and deny other packets coming from outside network.
Reflexive Access-list –
Reflexive Access-list is an access-list which allows only the replies of the packets of the sessions initiated within the network (from the outside network) .
When a session is initiated within the network and going outside the network through router (operating reflexive Access-list), reflexive Access-list are triggered.Therefore, it creates a temporary entry for the traffic which is initiated within the network and allows only those traffic from the outside network which is a part of the session (traffic generated within the network).This temporary entry is removed when the session ends.
characteristics of temporary entry –
- The entry specifies the same source and destination address as original outbound packet (the packet going outside the network), except they are swapped when coming from outside the network.
- The entries should have same source and destination port number as the original outbound packet, except they are swapped when coming from outside the network.
- The entry should have same protocol as the original outbound packet.
Characteristics of Reflexive access-list –
- Reflexive Access-list should be nested inside the named Extended Access-list.
- It cannot be applied directly to an interface.
- A temporary entry is generated when a session begins and automatically destroyed when session ends.
- It does not have implicit deny at the end of Access-list.
- Just like normal access-list, if one the condition matches then no more entries are evaluated.
- Reflexive Access-list cannot be defined with numbered Access-list
- Reflexive Access-list cannot be defined with named or numbered standard Access-list.
There are 2 routers namely router1 (ip address – 10.1.1.1/24 on fa0/0 and 11. 1.1.1/24 on fa0/1), router2 (ip address-126.96.36.199/24 on fa0/0 and 188.8.131.52/24 on fa0/1) and PC1 (ip address-10.1.1.2/24) and PC2 (ip address-184.108.40.206/24). First, we will give routes, through EIGRP, to all the routers so that PCs will be able to ping each other.
Configuring Eigrp on router1:
router1(config)#router Eigrp 100 router1(config-router)#network 10.1.1.0 router1(config-router)#network 220.127.116.11 router1(config-router)#No auto-summary
Configuring Eigrp on router2:
router2(config)#router Eigrp 100 router2(config-router)#network 18.104.22.168 router2(config-router)#network 22.214.171.124 router2(config-router)#No auto-summary
Now, we will allow ip, tcp and udp traffic from inside the network (10.1.1.0 network) and evaluate the traffic coming from outside the network (126.96.36.199 and 188.8.131.52 network). Creating Access-list named as reflexive for the inside traffic going outside.
router1(config)#ip Access-list extended reflexive router1(config-ext-na)#permit ip any any reflect ip_database router1(config-ext-nacl)#permit tcp any any reflect tcp_database router1(config-ext-nacl)#permit udp any any reflect udp_database
Here, we have allowed ip, tcp and udp traffic and we have named it as ip_database, tcp_database and udp_database.
Here, Reflexive is the name of the Access-list and not a keyword. Now, apply this Access-list to the outbound of int fa0/1 of router1 so that the traffic going out the router should be allowed.
router1(config)#int fa0/1 router1(config-if)#ip access-group reflexive out
Now, apply an access-list for inbound traffic i.e traffic coming inside the network. We should allow only that traffic to come inside if it is initiated by the inside (10.1.1.0) network.
router1(config)#ip access-list extended reflexive_in router1(config-ext-nacl)#permit Eigrp any any router1(config-ext-nacl)#evaluate tcp_database router1(config-ext-nacl)#evaluate udp_database router1(config-ext-nacl)#evaluate ip_database
Here, we have allowed Eigrp traffic so that reachability should be there between the routers otherwise no traffic will be able to come back inside ether network.
We have evaluated the udp_databse, ip_database and tcp_database so that traffic (tcp, udp or ip) is allowed which has been initiated inside the network. Now, apply this to interface fa0/1 in the inside direction because the traffic coming inside should be evaluated.
router1(config)#int fa0/1 router1(config-if)#ip access-group reflexive_in in
Here, reflexive_in is the name of the Access-list.
Advantages – Advantages of reflexive Access-list are:
- Easy to implement.
- Provides greater control over the traffic coming from the outside network.
- Provides security from certain Dos attacks and spoofing.
- Some applications uses dynamic ports due to which failure can occur as for the reflexive Access-list the source and destination ports should be static.