Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.
About Reflexive Access Lists
Reflexive ACLs are a special kind of extended access-list that implements a limited form of stateful behaviour for TCP sessions. It is more accurate to say that a reflexive access-list simulates stateful behaviour: by use of the 'established' keyword, it allows TCP packets that have the ACK bit set but not the initial SYN-only packet. In this way, we are effectively permitting only packets that belong to an already established session.
In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.
I created the lab topology in GNS3:
I used a standard Cisco router image to simulate R1, PC1 and PC2; I only changed the icon on PC1 and PC2. Full configs are at the bottom. I configured router-on-a-stick, making the simplest possible topology with a trunk between the switch and R1 and two VLANs on the switch. The switch config is also at the bottom.
The access-list is configured like this:
ip access-list extended TEST
 permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit icmp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
And it is applied inbound on the subinterface of VLAN20:
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
 ip access-group TEST in
!
This reflexive access-list allows traffic from VLAN20 (20.20.20.0/24) back to VLAN10 (10.10.10.0/24) only if the traffic was first initiated from VLAN10. In this way, only a PING initiated at PC1 (10.10.10.10) towards PC2 (20.20.20.10) will succeed, while a PING from 20.20.20.10 to 10.10.10.10 will report the IP address as unreachable:
PING OK:
PC1#ping 20.20.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
PC1#
PING Unreachable:
PC2#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC2#
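To make the first-match logic concrete, here is a small Python simulator, added as an illustration and not part of the original lab, that evaluates the TEST list inbound on VLAN20 against the packets PC2 could send toward PC1. It also includes a misconfigured variant with an extra 'permit icmp' entry that lacks the 'echo-reply' keyword ahead of the deny, which lets echo requests through and makes the ping succeed in both directions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp", "icmp" or other
    tcp_flags: set = field(default_factory=set)  # e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""                          # "echo" or "echo-reply"

def wildcard_match(ip, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (ip & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)

def evaluate(acl, pkt):
    """First-match evaluation of (action, proto, src, src_wc, dst, dst_wc, option)
    entries; an IOS ACL ends with an implicit deny."""
    for action, proto, src, swc, dst, dwc, option in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
            continue
        # 'established' matches TCP segments with ACK or RST set, never a bare SYN
        if option == "established" and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        # an ICMP type keyword (echo, echo-reply) narrows the match; no keyword = any ICMP
        if proto == "icmp" and option and option != pkt.icmp_type:
            continue
        return action
    return "deny"

# The TEST list from the lab above ('any' is 0.0.0.0 with wildcard 255.255.255.255)
V20, V10, ANY = ("20.20.20.0", "0.0.0.255"), ("10.10.10.0", "0.0.0.255"), ("0.0.0.0", "255.255.255.255")
TEST = [
    ("permit", "tcp",  *V20, *V10, "established"),
    ("permit", "icmp", *V20, *V10, "echo-reply"),
    ("deny",   "ip",   *V20, *V10, ""),
    ("permit", "ip",   *ANY, *ANY, ""),
]
# Misconfigured variant (constructed): a stray 'permit icmp' without 'echo-reply' before the deny
BROKEN = TEST[:1] + [("permit", "icmp", *V20, *V10, "")] + TEST[1:]

# Constructed sample packets, all sent by PC2 (20.20.20.10) toward PC1 (10.10.10.10)
PING_FROM_PC2  = Packet("20.20.20.10", "10.10.10.10", "icmp", icmp_type="echo")
REPLY_FROM_PC2 = Packet("20.20.20.10", "10.10.10.10", "icmp", icmp_type="echo-reply")
SYN_FROM_PC2   = Packet("20.20.20.10", "10.10.10.10", "tcp", tcp_flags={"SYN"})
ACK_FROM_PC2   = Packet("20.20.20.10", "10.10.10.10", "tcp", tcp_flags={"ACK"})
```

Calling evaluate(TEST, PING_FROM_PC2) returns "deny" while evaluate(BROKEN, PING_FROM_PC2) returns "permit", which is exactly the difference between the UUUUU result above and a ping that unexpectedly succeeds.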
So it seems the lab confirms that I got it right on my first try a few years ago. I hope this lab with the complete configuration will help the readers who reached back to me find where they went wrong. Of course, if you need more help, just leave a comment and I will try to help 🙂
You can also download the GNS3 lab project here to get started with a working setup from the start. I made this in GNS3 version 2.0.
All Configurations
R1:
R1#sh runn
!
hostname R1
!
interface FastEthernet0/0
 no ip address
 no sh
 duplex full
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
 ip access-group TEST in
!
ip access-list extended TEST
 permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit icmp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
R1#
PC1:
PC1#sh runn
!
hostname PC1
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 duplex full
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
PC1#
PC2:
PC2#sh runn
!
hostname PC2
!
interface FastEthernet0/0
 ip address 20.20.20.10 255.255.255.0
 duplex full
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
PC2#
Switch:
Hi, I'm trying to do your lab but I don't get the same result. I am doing the exercise in Cisco Packet Tracer; when I try to ping the devices, all the devices can communicate.
Here is my configuration on the router:
Router(config)#interface gi0/0
Router(config-if)#no shut
Router(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%LINK-5-CHANGED: Interface GigabitEthernet0/0.10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.10, changed state to up
Router(config-if)#interface gi0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.254 255.255.255.0
Router(config-subif)#exit
Router(config)#interface gi0/0.20
Router(config-subif)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0.20, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0.20, changed state to up
encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.254 255.255.255.0
Router(config-subif)#ip access-group TEST in
Router(config-subif)#exit
Router(config)#ip access-list extended TEST
Router(config-ext-nacl)#permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
Router(config-ext-nacl)#permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
Router(config-ext-nacl)#deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
sh access-list
Extended IP access list TEST
10 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
20 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
30 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
40 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
50 permit ip any any
Pinging 192.168.20.2 with 32 bytes of data:
Reply from 192.168.20.2: bytes=32 time=1ms TTL=127
Reply from 192.168.20.2: bytes=32 time<1ms TTL=127
Reply from 192.168.20.2: bytes=32 time<1ms TTL=127
Reply from 192.168.20.2: bytes=32 time
ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=127
Reply from 192.168.10.1: bytes=32 time=1ms TTL=127
Reply from 192.168.10.1: bytes=32 time<1ms TTL=127
Reply from 192.168.10.1: bytes=32 time=1ms TTL=127
It is so complicated to find the solution. I tried with other rows of ACL but this does not work. Can you help me please? From France with love, Pamela.
Here I am again, it works, yes!!! I made a mistake in row 20; I deleted this row and now it is OK. Thank you very much, I spent a lot of time finding the solution.
Here is my test ping between the devices of different VLANs:
Pinging 192.168.20.2 with 32 bytes of data:
Reply from 192.168.20.2: bytes=32 time=1ms TTL=127
Reply from 192.168.20.2: bytes=32 time<1ms TTL=127
Reply from 192.168.20.2: bytes=32 time<1ms TTL=127
Reply from 192.168.20.2: bytes=32 time<1ms TTL=127
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.20.254: Destination host unreachable.
Reply from 192.168.20.254: Destination host unreachable.
Reply from 192.168.20.254: Destination host unreachable.
Reply from 192.168.20.254: Destination host unreachable.
Hi Pamela,
Great to hear that the issue was on your side 😉
Having a few little troubles like yours just makes you learn things better. Good luck with the labs!