Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.
About Reflexive Access Lists
Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.
In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.
I created the lab topology in GNS3:
I used standard Cisco router image to simulate R1 and PC1 and PC2 I only changed the icon on PC1 and PC2. Full configs are at the bottom. I configured the router-on-the-stick making the simplest topology with trunk between the switch and the R1 and two VLANs on the SWITCH. Switch config is also at the bottom.
Access-list is configured like this:
ip access-list extended TEST permit tcp 220.127.116.11 0.0.0.255 10.10.10.0 0.0.0.255 established permit icmp 18.104.22.168 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply deny ip 22.214.171.124 0.0.0.255 10.10.10.0 0.0.0.255 permit ip any any !
And applied inbound on the subinterface of VLAN20:
interface FastEthernet0/0.20 encapsulation dot1Q 20 ip address 126.96.36.199 255.255.255.0 ip access-group TEST in !
This reflexive access-list is allowing traffic back from VLAN20 (188.8.131.52/24) to VLAN10 (10.10.10.0/24) only if the traffic was firstly initiated from VLAN10. In this way, only PING initiated at PC1 (10.10.10.10) towards PC2 (184.108.40.206) will succeed but PING from 220.127.116.11 to 10.10.10.10 will give you IP address unreachable:
PC1#ping 18.104.22.168 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms PC1#
PC2#ping 10.10.10.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds: UUUUU Success rate is 0 percent (0/5) PC2#
So, it seems that the lab is showing I did it on my first try few years ago. I hope this lab with complete configuration will help my readers that reached back to me, to find where they went wrong. Of course, if you need more help, just leave a comment and I will try to help 🙂
You can also download GNS3 lab project here to get started with working thing from the start. I made this in GNS3 version 2.0
R1#sh runn ! hostname R1 ! interface FastEthernet0/0 no ip address no sh duplex full ! interface FastEthernet0/0.10 encapsulation dot1Q 10 ip address 10.10.10.1 255.255.255.0 ! interface FastEthernet0/0.20 encapsulation dot1Q 20 ip address 126.96.36.199 255.255.255.0 ip access-group TEST in ! ip access-list extended TEST permit tcp 188.8.131.52 0.0.0.255 10.10.10.0 0.0.0.255 established permit icmp 184.108.40.206 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply deny ip 220.127.116.11 0.0.0.255 10.10.10.0 0.0.0.255 permit ip any any ! R1#
PC1#sh runn ! hostname PC1 ! interface FastEthernet0/0 ip address 10.10.10.10 255.255.255.0 duplex full ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 10.10.10.1 ! PC1#
PC2#sh runn ! hostname PC2 ! interface FastEthernet0/0 ip address 18.104.22.168 255.255.255.0 duplex full ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 22.214.171.124 ! PC2#