CCNA Security – Chapter 4 (Reflexive ACL, Established Keyword)

The basic idea is that all traffic from the outside should be blocked from entering the inside unless it is explicitly permitted by an ACL, or if it is returning traffic initiated from the inside of the network.
!
Introduced in 1995, the TCP established keyword for extended IP ACLs enabled a primitive network firewall to be created on a Cisco router. It blocked all traffic coming from the Internet except for the TCP reply traffic associated with established TCP traffic initiated from the inside of the network.
!
The established keyword forces the router to check whether the TCP ACK or RST control flag is set. If the ACK (or RST) flag is set, the segment is treated as part of an existing connection and the TCP traffic is allowed in.
!
The established option does not apply to UDP or ICMP traffic, because neither protocol carries the control flags that TCP uses.
!
!
!
Reflexive ACLs were introduced to Cisco IOS in 1996, about a year after the TCP established option became available.
!
The biggest limitation of standard and extended ACLs is that they are designed to filter unidirectional rather than bidirectional connections.
!
Reflexive ACLs allow an administrator to perform actual session filtering for any type of IP traffic.
The ACL can be applied inbound on an internal interface or outbound on the external interface.
!
R1(config)# ip access-list extended internal_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect web-only-reflexive-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect dns-only-reflexive-ACL timeout 10
!
R1(config)# ip access-list extended external_ACL
R1(config-ext-nacl)# evaluate web-only-reflexive-ACL
R1(config-ext-nacl)# evaluate dns-only-reflexive-ACL
R1(config-ext-nacl)# deny ip any any
!
R1(config)# interface s0/0/0
R1(config-if)# description connection to the ISP.
R1(config-if)# ip access-group internal_ACL out
R1(config-if)# ip access-group external_ACL in
!
!
This temporary opening is only active for as long as the session is open. These dynamic ACL entries are not saved to NVRAM.
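The following Python model is an added illustration (not from the chapter or from Cisco IOS) of how the internal_ACL/external_ACL pair above behaves: an outbound match creates a mirrored temporary entry, evaluate accepts only inbound packets matching an unexpired entry, and the established check looks for ACK or RST. The 300 second default for the web entry and the timer refresh on traffic are assumptions about IOS behaviour; addresses and packets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP control flags, e.g. {"SYN", "ACK"}

def established_match(pkt):
    """The 'established' keyword: match only TCP segments with ACK or RST set."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

class ReflexiveACL:
    """One named reflexive ACL: 'reflect' adds a mirrored temporary entry,
    'evaluate' checks inbound traffic against unexpired entries."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}            # mirrored 5-tuple -> expiry (seconds)

    def reflect(self, pkt, now):
        # Swap source and destination: the reply arrives from dst:dport to src:sport.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:   # no session, or idle too long
            self.entries.pop(key, None)      # aged-out entry is removed
            return False
        self.entries[key] = now + self.timeout   # assumed: traffic refreshes the timer
        return True

WEB = ReflexiveACL(timeout=300)      # assumed IOS default reflexive timeout (seconds)
DNS = ReflexiveACL(timeout=10)       # 'timeout 10' from the dns-only entry

def internal_acl_out(pkt, now):
    """internal_ACL, outbound on s0/0/0: permit and reflect, else implicit deny."""
    acl = {("tcp", 80): WEB, ("udp", 53): DNS}.get((pkt.proto, pkt.dport))
    if acl is None:
        return False
    acl.reflect(pkt, now)
    return True

def external_acl_in(pkt, now):
    """external_ACL, inbound on s0/0/0: evaluate both lists, then deny ip any any."""
    return WEB.evaluate(pkt, now) or DNS.evaluate(pkt, now)
```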
!