By default, an access-list doesn’t keep track of the sessions. An access list consists of various permit and denies rules which are scanned from top to bottom. If any of the conditions match then it is executed and no other condition is matched.
For a very small office, a reflexive Access-list acts as a stateful firewall as it allows only the traffic that is initiated within the network and denies other packets coming from outside the network.
Reflexive Access-list –
Reflexive Access-list is an access-list that allows only the replies of the packets of the sessions initiated within the network (from the outside network).
When a session is initiated within the network and goes outside the network through the router (operating reflexive Access-list), reflexive Access-list are triggered. Therefore, it creates a temporary entry for the traffic which is initiated within the network and allows only those traffic from the outside network which is a part of the session (traffic generated within the network). This temporary entry is removed when the session ends.
characteristics of temporary entry –
- The entry specifies the same source and destination address as the original outbound packet (the packet going outside the network), except they are swapped when coming from outside the network.
- The entries should have the same source and destination port number as the original outbound packet, except they are swapped when coming from outside the network.
- The entry should have the same protocol as the original outbound packet.
Characteristics of Reflexive access-list –
- Reflexive Access-list should be nested inside the named Extended Access-list.
- It cannot be applied directly to an interface.
- A temporary entry is generated when a session begins and automatically destroyed when the session ends.
- It does not have implicit deny at the end of the Access-list.
- Just like a normal access list, if one of the conditions matches then no more entries are evaluated.
- Reflexive Access-list cannot be defined with numbered Access-list
- Reflexive Access-list cannot be defined with named or numbered standard Access-list.
There are 2 routers namely router1 (IP address – 10.1.1.1/24 on fa0/0 and 11. 1.1.1/24 on fa0/1), router2 (IP address-220.127.116.11/24 on fa0/0 and 18.104.22.168/24 on fa0/1) and PC1 (IP address-10.1.1.2/24) and PC2 (IP address-22.214.171.124/24). First, we will give routes, through EIGRP, to all the routers so that PCs will be able to ping each other.
Configuring Eigrp on router1:
router1(config)#router Eigrp 100 router1(config-router)#network 10.1.1.0 router1(config-router)#network 126.96.36.199 router1(config-router)#No auto-summary
Configuring Eigrp on router2:
router2(config)#router Eigrp 100 router2(config-router)#network 188.8.131.52 router2(config-router)#network 184.108.40.206 router2(config-router)#No auto-summary
Now, we will allow IP, TCP, and UDP traffic from inside the network (10.1.1.0 network) and evaluate the traffic coming from outside the network (220.127.116.11 and 18.104.22.168 network). Creating Access-list named as reflexive for the inside traffic going outside.
router1(config)#ip Access-list extended reflexive router1(config-ext-na)#permit ip any any reflect ip_database router1(config-ext-nacl)#permit tcp any any reflect tcp_database router1(config-ext-nacl)#permit udp any any reflect udp_database
Here, we have allowed IP, TCP, and UDP traffic and we have named it as ip_database, tcp_database, and udp_database.
Here, Reflexive is the name of the Access-list and not a keyword. Now, apply this Access-list to the outbound of int fa0/1 of router1 so that the traffic going out the router should be allowed.
router1(config)#int fa0/1 router1(config-if)#ip access-group reflexive out
Now, apply an access list for inbound traffic i.e traffic coming inside the network. We should allow only that traffic to come inside if it is initiated by the inside (10.1.1.0) network.
router1(config)#ip access-list extended reflexive_in router1(config-ext-nacl)#permit Eigrp any any router1(config-ext-nacl)#evaluate tcp_database router1(config-ext-nacl)#evaluate udp_database router1(config-ext-nacl)#evaluate ip_database
Here, we have allowed Eigrp traffic so that reachability should be there between the routers otherwise no traffic will be able to come back inside the ether network.
We have evaluated the udp_databse, ip_database, and tcp_database so that traffic (TCP, UDP, or IP) is allowed which has been initiated inside the network. Now, apply this to interface fa0/1 in the inside direction because the traffic coming inside should be evaluated.
router1(config)#int fa0/1 router1(config-if)#ip access-group reflexive_in in
Here, reflexive_in is the name of the Access-list.
Advantages – Advantages of reflexive Access-list are:
- Easy to implement.
- Provides greater control over the traffic coming from the outside network.
- Provides security from certain Dos attacks and spoofing.
- Some applications use dynamic ports due to which failure can occur as for the reflexive Access-list the source and destination ports should be static.