Use the access control list to implement one-way network access

Source: Internet
Author: User

All subnet masks in this simple topology are 255.255.255.0:
PC (10.1.1.2) --- E0 (10.1.1.1) [router] S0 (192.1.1.1) --- S1 (192.1.1.2) [RouterB]

One-way network access is really the basic function of a firewall: I am the intranet, you are the Internet; I can reach you, but you cannot reach me.
So assume that the subnet on the router's E0 port is the intranet segment and the subnet on its S0 port is the Internet segment. The goal is that a ping from the intranet PC to the S1 port of RouterB on the Internet succeeds, but a ping from RouterB cannot reach my intranet.

To implement this kind of one-way access control with ACLs, you need a special kind of ACL called a reflexive ACL. A reflexive ACL configuration has two parts: an outbound part and an inbound part.

Before going into the configuration, let's first talk about the problem itself. When I first thought about one-way access, like several of my colleagues, I naturally reasoned like this: allow the PC's traffic in on the E0 port, then deny RouterB's traffic on S0. That seems fine, but it does not work when you try it. Why not? Many people overlook one thing: the vast majority of network traffic has a return path. The method above only handles the outgoing half; once the traffic reaches RouterB, RouterB still has to send traffic back to the PC. That return traffic arrives at the S0 port, but the method above denies RouterB's traffic on S0, so the return traffic is blocked and communication fails.

The outbound part of the reflexive ACL determines which intranet traffic I want to allow out in one direction; the inbound part ensures that the return traffic is correctly recognised when it comes back and is passed on to the intranet PC that initiated the connection.

Outbound part of the reflexive ACL:
ip access-list extended outbound_filter
permit icmp any any reflect icmp_traffic
permit ip any any
! --- Note that only named ACLs can be used for reflexive ACLs; numbered ACLs cannot be used.
! --- The basic configuration differs little from an ordinary ACL. The difference is "reflect icmp_traffic", which means that traffic matching this ACE is treated as one-way traffic and tracked under the name icmp_traffic; icmp_traffic is then referenced in the inbound part.
! --- "permit ip any any" is not necessary. It is added here for another test, which is explained below.

Inbound part of the reflexive ACL:
ip access-list extended inbound_filter
evaluate icmp_traffic
deny ip any any log
! --- The inbound configuration differs a little from an ordinary ACL. The first statement, "evaluate icmp_traffic", references the icmp_traffic list created by the outbound configuration: it checks incoming traffic from the Internet, and if that traffic is really the return traffic of a connection initiated from the intranet, it is allowed.
! --- Note that "deny ip any any log" does not need to be configured, because the implicit default is already deny ip any any; I added it with log to test the "permit ip any any" in the outbound part above.

Applying the reflexive ACL to the interface:
interface Serial0
ip address 192.1.1.1 255.255.255.0
ip access-group inbound_filter in
ip access-group outbound_filter out
! --- There is one special point here. The ACL outbound_filter is applied in the out direction of the Internet-facing port, and inbound_filter is applied in the in direction of the same port; in and out must not be mixed up.

Okay, now we test. From 10.1.1.2 we can ping 192.1.1.2, but a ping from RouterB to 10.1.1.2 fails.
Now another question: how does the router let the return traffic in for connections started from the intranet, when it denies all incoming traffic from the Internet?
It allows the return traffic by creating dynamically generated ACL entries. Let's look at the output of show access-list:

......
Reflexive IP access list icmp_traffic
permit icmp host 192.1.1.2 host 10.1.1.2 (24 matches) (time left 196)
......

These dynamic entries are removed automatically when TCP FIN/RST packets are seen. For protocols without such session teardown, such as ICMP, they are removed by a built-in timer, which is what the (time left 196) in the show access-list output above reflects.

Finally, let's talk about the other test, that is, the extra entries in the two ACLs:

ip access-list extended outbound_filter
permit ip any any

ip access-list extended inbound_filter
deny ip any any log

I start a TELNET connection from 10.1.1.2 to 192.1.1.2. The traffic reaches the S0 port and passes the "permit ip any any" check in the ACL outbound_filter. When it reaches RouterB, RouterB processes it and sends traffic back. When the return traffic reaches the S0 port, inbound_filter inspects it; because "evaluate icmp_traffic" does not cover TCP traffic, the packet falls through to the "deny ip any any log" statement, is discarded, and the following log message is generated:

00:24:28: %SEC-6-IPACCESSLOGP: list inbound_filter denied tcp 192.1.1.2(23) -> 10.1.1.2(1483), 1 packet
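The dynamic-entry behaviour described above (mirrored entry, FIN/RST teardown, timer expiry) and the TELNET test, replayed in a small Python model added here; it is not part of the original article or of IOS. TIMEOUT, the refresh-on-match rule and the constructed packets are assumptions.

```python
# Python model of Cisco reflexive-ACL behaviour (illustration, not IOS code): an outbound "reflect"
# ACE installs a mirrored temporary entry, inbound "evaluate" consults it, TCP FIN/RST tears it down.
from dataclasses import dataclass, field
TIMEOUT = 300  # seconds; assumed default reflexive timeout for this model

@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0                  # 0 for ICMP, which has no ports
    dport: int = 0
    flags: frozenset = frozenset()  # e.g. frozenset({"FIN"})

@dataclass
class ReflexiveAcl:
    reflect: frozenset = frozenset({"icmp"})     # protocols whose outbound ACE says "reflect"
    entries: dict = field(default_factory=dict)  # mirrored 5-tuple -> expiry time
    log: list = field(default_factory=list)      # what "deny ip any any log" would emit

    def outbound(self, p: Packet, now: int) -> bool:
        # outbound_filter: permit <proto> any any reflect icmp_traffic, then permit ip any any
        if p.proto in self.reflect:
            self.entries[(p.proto, p.dst, p.src, p.dport, p.sport)] = now + TIMEOUT
        return True

    def inbound(self, p: Packet, now: int) -> bool:
        # inbound_filter: evaluate icmp_traffic, then deny ip any any log
        self.entries = {k: t for k, t in self.entries.items() if t > now}  # timer expiry
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if key in self.entries:
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                del self.entries[key]              # session end tears the entry down
            else:
                self.entries[key] = now + TIMEOUT  # assumption: timer refreshes on a match
            return True
        self.log.append(f"list inbound_filter denied {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})")
        return False

def run_page_tests():
    # Replays the page's experiments with constructed packets (addresses from the page).
    acl, pc, rb = ReflexiveAcl(), "10.1.1.2", "192.1.1.2"
    r = {"routerb_ping": acl.inbound(Packet("icmp", rb, pc), 0)}   # unsolicited: no entry yet
    acl.outbound(Packet("icmp", pc, rb), 1)                         # PC pings S1, entry created
    r["ping_reply"] = acl.inbound(Packet("icmp", rb, pc), 2)        # echo-reply matches the mirror
    r["time_left"] = next(iter(acl.entries.values())) - 2           # what show access-list reports
    acl.outbound(Packet("tcp", pc, rb, 1483, 23), 3)                # telnet leaves via permit ip
    r["telnet_reply"] = acl.inbound(Packet("tcp", rb, pc, 23, 1483), 4)  # not reflected: denied
    r["after_timeout"] = acl.inbound(Packet("icmp", rb, pc), 2 + TIMEOUT + 1)  # entry aged out
    return r, acl.log
```

The second log entry reproduces the IOS message shown above; reflecting TCP as well (reflect=frozenset({"icmp", "tcp"})) would let the TELNET reply in and tear the entry down on FIN.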
