Using an access control list to achieve one-way network access

Source: Internet
Author: User

Network topology (all subnet masks are 255.255.255.0):

PC (10.1.1.2) --- E0 (10.1.1.1) [Routera] S0 (192.1.1.1) --- S1 (192.1.1.2) [Routerb]

One-way network access is in fact the basic function of a firewall: I am the intranet, you are the extranet; I can access you, but you cannot access me.

So now assume that the E0 segment of Routera is the intranet segment and the S0 segment of Routera is the extranet segment. What I want to achieve is that the intranet PC can ping the S1 interface of Routerb, but Routerb cannot ping into my intranet.

Using ACLs to implement this kind of one-way access control requires a special kind of ACL called a reflexive ACL. Its configuration is divided into two parts: an outbound part and an inbound part.

Before continuing with the configuration, a digression. When I first thought about one-way access, I (and some of my colleagues) naturally thought: allow traffic to come in on the E0 interface, and then deny traffic from Routerb on the S0 interface. It looks as if there is nothing wrong with that, but I know it will not work. Why not? Because many people overlook the fact that the vast majority of network traffic has to come back. The method above only handles the forward direction: when this traffic reaches Routerb, Routerb also needs to return it to the PC, and that return traffic arrives at the S0 interface of Routera. But the method above blocks traffic from Routerb on S0, so the return traffic is dropped and communication fails.

OK, back to the topic. The outbound part of the reflexive ACL decides which network traffic is to be treated as one-way, and the inbound part ensures that the return traffic is correctly identified and sent to the intranet PC that initiated the connection.

The outbound part of the reflexive ACL:

ip access-list extended outbound_filter
 permit icmp any any reflect icmp_traffic
 permit ip any any

!--- Note that only named ACLs can be used for reflexive ACLs; numbered ACLs cannot.

!--- The basic configuration differs little from a normal ACL. The difference is 'reflect icmp_traffic', which marks this ACE as one-way traffic and gives it the name icmp_traffic; icmp_traffic is then referenced in the inbound part.

!--- 'permit ip any any' is not necessary; it is added here for another test, described below.

The inbound part of the reflexive ACL:

ip access-list extended inbound_filter
 evaluate icmp_traffic
 deny ip any any log

!--- The inbound configuration is somewhat different from a normal ACL. Its first statement, 'evaluate icmp_traffic', references the icmp_traffic defined in the outbound configuration above: it checks the traffic coming in from the extranet, and if that traffic is indeed the return of a connection initiated from the intranet, it is allowed in.
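As an added illustration (not part of the original article and not IOS code), the following Python model reproduces the two-part mechanism on Routera's S0 interface: the outbound 'reflect' ACE records a mirrored entry, the inbound 'evaluate' step admits only traffic matching a live entry, and the naive "block everything coming in on S0" idea is shown dropping the echo reply. The 300-second entry lifetime is assumed from the default of 'ip reflexive-list timeout'; the addresses are the ones from the topology above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp", ...
    src: str
    dst: str

class NaiveFilter:
    """The first idea from the text: let everything out of S0, block everything in."""
    def outbound(self, pkt, now):
        return True
    def inbound(self, pkt, now):
        return False

class ReflexiveFilter:
    """Model of outbound_filter / inbound_filter applied on Routera's S0.
    Protocols named in 'reflected' stand for ACEs carrying 'reflect'; the
    mirrored entry expires after 'timeout' seconds (assumed 300 s default)."""
    def __init__(self, reflected=("icmp",), timeout=300):
        self.reflected = set(reflected)
        self.timeout = timeout
        self.entries = {}       # (proto, src, dst) of the expected reply -> expiry
        self.denied = []        # what 'deny ip any any log' would record

    def outbound(self, pkt, now):
        # 'permit icmp any any reflect icmp_traffic' then 'permit ip any any':
        # every packet may leave, but only reflected protocols create an entry.
        if pkt.proto in self.reflected:
            # The reply travels the other way, so store src/dst swapped.
            self.entries[(pkt.proto, pkt.dst, pkt.src)] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        # 'evaluate icmp_traffic': permit only if a live mirrored entry matches ...
        expiry = self.entries.get((pkt.proto, pkt.src, pkt.dst))
        if expiry is not None and now < expiry:
            return True
        self.denied.append((now, pkt))   # ... otherwise 'deny ip any any log'
        return False

def ping_succeeds(filt, src, dst, now=0):
    """src pings dst across S0: echo request goes out, echo reply comes back."""
    return (filt.outbound(Packet("icmp", src, dst), now)
            and filt.inbound(Packet("icmp", dst, src), now))

PC, ROUTERB_S1 = "10.1.1.2", "192.1.1.2"   # constructed from the topology above
```

Running ping_succeeds with NaiveFilter returns False (the reply is dropped on S0), with ReflexiveFilter it returns True, and an echo from 192.1.1.2 arriving before any outbound ping or after the entry expires is denied; because the model's ICMP entries carry only protocol and addresses, an unsolicited echo from the same peer inside the timeout window is also admitted, which is why the timeout matters.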
