Remote login is configured on the Internet and Intranet routers. To ensure network security, the Internet must not be able to access the Intranet, while the Intranet can access the Internet: R1 cannot telnet or ping R3, but R3 can access R1.
The configuration on R1 is as follows:
enable
configure terminal
hostname R1
interface f0/0
 ip address 12.1.1.1 255.255.255.0
 no shutdown
exit
ip route 0.0.0.0 0.0.0.0 12.1.1.2
line vty 0 4
 password 123
 login
exit
enable password 123
The configuration on R2 is as follows:
enable
configure terminal
interface f0/0
 ip address 12.1.1.2 255.255.255.0
 no shutdown
interface e1/0
 ip address 23.1.1.2 255.255.255.0
 no shutdown
exit
ip access-list extended out-acl
(Create an extended named ACL called out-acl; Cisco IOS only allows a reflexive list to be defined inside an extended named ACL.)
 permit ip any any reflect out-ip
(Permit all IP traffic and reflect the outbound IP traffic, creating a temporary list named out-ip.)
exit
ip access-list extended in-acl
(Create the extended named ACL in-acl, which is applied inbound on port F0/0.)
 evaluate out-ip
(Evaluating the reflexive list nests the temporary list out-ip created above into in-acl.)
exit
Apply the ACLs to the port:
interface f0/0
 ip access-group out-acl out
 ip access-group in-acl in
(Packets leaving f0/0 are reflected; packets entering f0/0 are evaluated against the temporary entries.)
The configuration on R3 is similar to that on R1.
enable
configure terminal
hostname R3
interface e1/0
 ip address 23.1.1.3 255.255.255.0
 no shutdown
exit
ip route 0.0.0.0 0.0.0.0 23.1.1.2
Test the configuration:
R3 can ping R1.
R3 can telnet to R1.
However, R1 cannot ping R3.
The experiment meets the requirements.
However, let's think about why R3 can access R1 while R1 cannot access R3. What is the principle?
In a real network, once the reflexive ACL is in place, the internal network initiates a session (based on IP addresses, whether ICMP, TCP, UDP and so on). When the packet is sent toward the Internet, the reflexive ACL is triggered and a temporary entry is generated. If the data stream returning from the external network matches the temporary entry, it is allowed into the internal network; otherwise it is denied entry to the internal network. The reflexive ACL therefore acts as a firewall. It does not merely check the ACK and RST bits of a packet; it also checks the source and destination addresses and port numbers, which effectively prevents spoofing and some DoS attacks.
Run show access-list on R2.
The output shows that the temporary entry will be deleted after 283 s; the next time a session is initiated, a new temporary entry is generated.
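To make the principle above and the timed-out entry concrete, here is an added Python model of the decision R2 makes (illustration written for this page, not Cisco IOS code and not part of the original lab). The Telnet source ports are constructed values; 300 s is the IOS default reflexive-list timeout.

```python
# Added illustration (not IOS code) of the reflexive ACL on R2: out-acl
# (permit ip any any reflect out-ip) outbound on f0/0 creates a mirrored
# temporary entry; in-acl (evaluate out-ip) inbound on f0/0 admits a packet
# only while a matching entry is alive.  300 s is the IOS default timeout.
from dataclasses import dataclass

REFLEXIVE_TIMEOUT = 300  # default for `ip reflexive-list timeout`, in seconds


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # ports are 0 for icmp
    dport: int = 0


class ReflexiveAcl:
    def __init__(self):
        # maps the 5-tuple of the permitted *return* direction -> expiry time
        self.entries = {}

    def outbound(self, pkt, now):
        """out-acl: every packet leaving f0/0 is permitted and reflected."""
        mirrored = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[mirrored] = now + REFLEXIVE_TIMEOUT
        return True

    def inbound(self, pkt, now):
        """in-acl: evaluate out-ip, then the implicit deny at the end of the ACL."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key not in self.entries:
            return False           # no session was initiated from the R3 side
        self.entries[key] = now + REFLEXIVE_TIMEOUT  # matching traffic resets the timer
        return True


def lab_scenario():
    """Replays the lab tests; returns (R1 reply admitted, R1-initiated
    telnet admitted, stale reply admitted after the entry timed out)."""
    acl = ReflexiveAcl()
    r3_syn = Packet("tcp", "23.1.1.3", "12.1.1.1", 40001, 23)  # constructed port
    acl.outbound(r3_syn, now=0)                 # leaves R2 toward R1 via f0/0
    r1_reply = Packet("tcp", "12.1.1.1", "23.1.1.3", 23, 40001)
    reply_ok = acl.inbound(r1_reply, now=1)     # matches the reflected entry
    r1_syn = Packet("tcp", "12.1.1.1", "23.1.1.3", 50000, 23)
    r1_initiated = acl.inbound(r1_syn, now=2)   # no entry: R1 cannot telnet R3
    stale = acl.inbound(r1_reply, now=1 + REFLEXIVE_TIMEOUT + 1)
    return reply_ok, r1_initiated, stale
```

`lab_scenario()` returns `(True, False, False)`: R3's session is answered, R1 cannot open its own session, and the reflected entry disappears once the timer runs out.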