Cisco Network Security Little Black Book - Joe Harris.pdf

line aux 0
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 login local

Configuring Reflexive Access Lists

To define a reflexive access list, you must create an entry in an extended named IP access list. This entry must use the reflect keyword and is nested inside another access list. To define reflexive access lists, follow these steps:

1. Use this command to define an extended named access list:

ip access-list extended name

If the reflexive access list is configured for an external interface, the extended named IP access list should be one that is applied to outbound traffic, and if the reflexive access list is configured for an internal interface, the extended named IP access list should be one that is applied to inbound traffic. This command moves you into access list configuration mode.

2. In access list configuration mode, use this configuration command to define the reflexive access list:

permit protocol any any reflect name <timeout timeout-seconds>

The protocol parameter should be specified for each upper-layer protocol that should be permitted.

3. Use the ip access-list extended name command to define another extended named access list. The name of this access list must be different from the name that was used to create the access list in Step 1. If the access list that was created in Step 1 was for inbound packets, then the access list that is created during this step is created for outbound packets. This command moves you into access list configuration mode.

4. Use permit statements to permit any traffic that should not be subjected to the reflexive access list, and then use the evaluate name command to create an entry that references the reflect statement that was created in Step 2. The name parameter given in this step must match the name that followed the reflect keyword in Step 2.

5. Apply the extended named IP access list to the interface, using this command:

ip access-group name {in | out}

For the access lists configured earlier this command was straightforward, but with reflexive access lists two lists are involved and both must be applied to the interface, one with the in option and the other with the out option. This is explained further in the following paragraphs.

6. Optionally, use this command to change the default idle timeout for each temporary access list entry (the default idle timeout period is 300 seconds):

ip reflexive-list timeout seconds

A brief discussion is needed in order to provide clarity to the preceding configuration steps. Reflexive access lists are normally configured on external interfaces, which will prevent IP traffic from entering the router and the internal network unless the traffic is part of a session already established from within the internal network. If the reflexive access list is not configured on the external interface and more than two interfaces are in use, then more than likely it will be configured on the internal interface, which prevents IP traffic from entering your internal network unless the traffic is part of a session already established from within the internal network.

If reflexive access lists are being configured and applied to an external interface, the extended named IP access list should be applied to outbound traffic. If reflexive access lists are being configured and applied to an internal interface, the extended named IP access list should be applied to inbound traffic. After the reflexive access list has been defined (Step 1), the access list must be "nested" within the second access list that is created in Step 4. If reflexive access lists are being configured and applied to an external interface, nest the reflexive access list within an extended named IP access list applied to inbound traffic. If reflexive access lists are being configured and applied to an internal interface, nest the reflexive access list within an extended named IP access list applied to outbound traffic.

Figure 7.9 displays a network in which reflexive access lists may be used. In this example, reflexive access lists are configured on the Ethernet0/0 interface of Router 2 for outbound traffic that is originated from the internal networks. The reflexive access list configuration of Router 2 is shown in Listing 7.25.

Figure 7.9: Reflexive access list network.

Listing 7.25: Reflexive access list configuration of Router 2.

hostname Router-2
!
ip reflexive-list timeout 100
!
interface Ethernet1/1
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1/0
 ip address 192.168.30.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group in-filter in
 ip access-group out-filter out
 no ip directed-broadcast
!
ip classless
ip route 192.168.40.0 255.255.255.0 192.168.10.2
ip route 192.168.50.0 255.255.255.0 192.168.10.2
!
!
ip access-list extended out-filter
 permit icmp any any
 evaluate protect
ip access-list extended in-filter
 permit icmp any any
 permit tcp any any reflect protect
 permit udp any any reflect protect
!

The configuration in Listing 7.25 defines two access lists, each of which is applied to the Ethernet0/0 interface. The reflexive access list has been named "protect," and before any packets move through the router you can view the access lists with the show ip access-lists command. Using this command on Router 2 before any packets have passed through the router displays the output in Listing 7.26.

Listing 7.26: Display of the access lists defined on Router 2.

Router-2#show access-lists
Extended ip access list out-filter
    permit icmp any any (40008 matches)
    permit tcp any any reflect protect
    permit udp any any reflect protect
Extended ip access list in-filter
    permit icmp any any
    evaluate protect
Router-2#

Notice that no information regarding the reflexive access list is displayed in the output in Listing 7.26; no traffic has triggered it yet. There is ping traffic moving through the router, but ping traffic is permitted by the permit icmp any any entries and is not subjected to the reflexive access list filters. To trigger the reflexive access list, initiate a Telnet session from Router 2 to Router 1. After the Telnet session has started, you can issue the show access-lists command again to view the reflexive access list. Issuing the command on Router 2 displays the output in Listing 7.27.

Listing 7.27: Displaying the reflexive access list on Router 2.

Router-2#sh access-lists
Extended ip access list out-filter
    permit icmp any any (70006 matches)
    permit tcp any any reflect protect
    permit udp any any reflect protect
!
Extended ip access list in-filter
    permit icmp any any
    evaluate protect
!
Reflexive ip access list protect
    permit tcp host 192.168.20.1 eq 11003 host 192.168.50.1 eq telnet (49 matches) (time left 95)
    permit tcp host 192.168.30.1 eq 11002 host 192.168.40.1 eq telnet (49 matches) (time left 62)
    permit tcp host 192.168.30.2 eq 11001 host 192.168.40.1 eq telnet (69 matches) (time left 18)
Router-2#
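To make the behaviour shown in the output above concrete, here is an added Python model (not from the book) of what the router does with the reflect and evaluate entries: an outbound packet installs a mirrored temporary entry, an inbound packet is permitted only if a live mirrored entry matches its full 5-tuple, and entries age out after the idle timeout. The Packet and ReflexiveACL classes and the addresses and clock values used are assumptions of this example.

```python
# Added example (not from the book): a model of how a reflexive access list
# behaves.  A packet matching 'permit <proto> any any reflect <name>' on the
# way out installs a mirrored temporary entry; a packet reaching
# 'evaluate <name>' on the way in passes only if a live mirrored entry matches;
# entries expire after the idle timeout set by 'ip reflexive-list timeout'.
# Addresses and clock values used with this class are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveACL:
    def __init__(self, name, timeout=300):   # 300 s is the IOS default
        self.name = name
        self.timeout = timeout
        self.entries = {}                    # mirrored Packet -> last-seen time

    def reflect(self, pkt, now):
        """Outbound packet hit the reflect entry: install (or refresh) the
        entry that will admit the reply, with source and destination swapped."""
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now

    def evaluate(self, pkt, now):
        """Inbound packet reached the evaluate entry: permit only when a
        non-expired mirrored entry matches the full 5-tuple, refreshing its
        timer; otherwise the packet falls through to the rest of the list."""
        self._expire(now)
        if pkt in self.entries:
            self.entries[pkt] = now
            return True
        return False

    def _expire(self, now):
        for key, seen in list(self.entries.items()):
            if now - seen > self.timeout:
                del self.entries[key]

    def time_left(self, pkt, now):
        """Seconds before the entry is removed (the '(time left N)' column)."""
        return max(0, self.timeout - (now - self.entries[pkt]))
```

A reply that matches an entry refreshes its timer, so a busy Telnet session keeps its entry alive; an unsolicited packet, even from the same server, never matches.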


The configuration examined in this section so far has been for reflexive access lists on an internal interface. Configuring reflexive access lists on an external interface is just the opposite of the configuration in Listing 7.25. Figure 7.10 displays a network in which Router 2 should be configured with a reflexive access list placed on an external interface. Listing 7.28 displays Router 2's configuration.

Figure 7.10: External reflexive access list.

Listing 7.28: External reflexive access list on Router 2.

hostname Router-2
!
ip reflexive-list timeout 100
!
interface Ethernet1
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 192.168.10.1 255.255.255.0
 ip access-group in-filter in
 ip access-group out-filter out
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 serial0
!
ip access-list extended in-filter
 permit icmp any any
 evaluate protect
ip access-list extended out-filter
 permit icmp any any
 permit tcp any any reflect protect
 permit udp any any reflect protect
!

Configuring Time-Based Access Lists

To configure time-based access lists, perform the following steps:

1. Use the time-range name command to define the name of the timed access list. Issuing this command moves you into time-range configuration mode.

2. Use either of the following commands to specify when the timed access list should be in effect:

absolute <start time date> <end time date>

periodic <days-of-the-week> hh:mm to <days-of-the-week> hh:mm

When using the periodic parameter, you may define multiple ranges. When using the absolute parameter, only one range may be defined. The days-of-the-week parameter can be specified as any day of the week or a combination of days using the Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday keyword. There are also three other options that may be used: the daily keyword represents Monday through Sunday, the weekend keyword specifies Saturday and Sunday, and the weekdays keyword specifies Monday through Friday.

3. Define an extended numbered access list as described earlier, using the following command, and bind the time range to the access list with the time-range keyword:

access-list <access-list-number> <deny | permit> protocol <source source-wildcard> <destination destination-wildcard> <precedence precedence-value> <tos tos-value> <log | log-input> <time-range name>

4. Use this command to apply the access list to the interface:

ip access-group <access-list-number> <in | out>

In the first example, I will configure time-based access lists using only periodic statements with extended numbered access lists. In this configuration, I would like to permit FTP traffic only on the weekdays from 7:00 A.M. to 6:00 P.M., deny all HTTP traffic on the weekend, permit TFTP traffic only on the weekend from noon to 8:00 P.M., and permit Telnet traffic only on Saturday from noon to 8:00 P.M. Listing 7.29 displays the configuration needed to meet these requirements.

Listing 7.29: Timed access list using numbered access list.

time-range permit-ftp
 periodic weekdays 07:00 to 18:00
!
time-range deny-http
 periodic weekend 00:00 to 23:59
!
time-range permit-tftp
 periodic weekend 12:00 to 20:00
!
time-range permit-telnet
 periodic saturday 12:00 to 20:00
!
access-list 120 permit tcp any any eq 21 time-range permit-ftp
access-list 120 deny tcp any any eq 80 time-range deny-http
access-list 120 permit udp any any eq 69 time-range permit-tftp
access-list 120 permit tcp any any eq 23 time-range permit-telnet
!
interface fast0/0
 ip access-group 120 in

To monitor the access list, issue the show access-lists command. The output tells you whether each time-bound entry is active or inactive: active means the entry's time range is currently in effect and the entry is in use, inactive means it is currently not in use. Here are the results of issuing this command to monitor the access list configured in Listing 7.29:

ACL-Router#sh access-lists
Extended ip access list 120
    permit tcp any any eq 21 time-range permit-ftp (inactive)
    deny tcp any any eq 80 time-range deny-http (inactive)
    permit udp any any eq 69 time-range permit-tftp (inactive)
    permit tcp any any eq 23 time-range permit-telnet (inactive)
ACL-Router#


Time-based access lists can also be configured using the absolute argument with extended numbered access lists or with extended named access lists. The next example shows how to configure a time-based access list using the absolute argument and binding the time range to an extended named access list. This access list should deny HTTP traffic during a preplanned Web-server outage within the year, and it should permit FTP traffic to a different server for the entire year of 2004. It should also permit TFTP traffic from the time the access list is applied until 11 February 2004, and permit Telnet traffic until the end of the year 2004. Listing 7.30 displays the configuration needed to meet these requirements.

Listing 7.30: Timed access list using named access list.

time-range permit-ftp
 absolute start 06:00 1 January 2004 end 23:59 31 December 2004
!
time-range deny-http
 absolute start 00:00 24 November 2004 end 06:00 26 November 2004
!
time-range permit-tftp
 absolute end 17:50 11 February 2004
!
time-range permit-telnet
 absolute end 23:59 31 December 2004
!
ip access-list extended absolute-list
 permit tcp any host 192.168.10.234 eq 21 time-range permit-ftp
 deny tcp any host 192.168.10.233 eq 80 time-range deny-http
 permit udp any any eq 69 time-range permit-tftp
 permit tcp any any eq 23 time-range permit-telnet
!
interface fast0/0
 ip access-group absolute-list in

As with the numbered access list, you can monitor the time-based named access list by issuing the show access-lists command. The output tells you whether each time-bound entry is active or inactive: active means the entry's time range is currently in effect and the entry is in use, inactive means it is currently not in use. Here are the results of issuing this command to monitor the access list defined in Listing 7.30:

ACL-Router#show access-lists
.....
Extended ip access list absolute-list
    deny tcp any host 192.168.10.233 eq 80 time-range deny-http (inactive)
    permit udp any any eq 69 time-range permit-tftp (active)
    permit tcp any any eq 23 time-range permit-telnet (active)
    permit tcp any host 192.168.10.234 eq 21 time-range permit-ftp (inactive)
ACL-Router#
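As an added example (not from the book), the following Python reproduces how the router decides whether each time-range-bound entry is active at a given moment and then matches traffic against the active entries in order, using the time ranges of Listing 7.29 and Listing 7.30. The helper names, the protocol-and-port-only rendering of the entries and the sample clock values are assumptions of this example.

```python
# Added example (not from the book): evaluate a time-based access list the
# way the router does, deciding at a given clock time which entries are
# active and then matching a packet against the active ones in order.
from datetime import datetime, time

DAY_SETS = {  # Cisco day keywords -> Python weekday() numbers (Monday = 0)
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def periodic(days, start, end):
    """periodic <days-of-the-week> hh:mm to hh:mm -> predicate on a datetime."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    return lambda t: t.weekday() in DAY_SETS[days] and s <= t.time() <= e

def absolute(start=None, end=None):
    """absolute [start <time date>] [end <time date>]; either bound may be omitted."""
    s = datetime.fromisoformat(start) if start else datetime.min
    e = datetime.fromisoformat(end) if end else datetime.max
    return lambda t: s <= t <= e

def acl_decision(acl, proto, dport, now):
    """Return 'permit' or 'deny' for a packet of protocol proto to port dport.
    Each entry is (action, proto, port, time_range).  An entry whose time range
    is not active is skipped as if it were absent (it shows as "(inactive)" in
    show access-lists); the implicit deny at the end applies at all times."""
    for action, p, port, active in acl:
        if not active(now):
            continue
        if p == proto and port == dport:
            return action
    return "deny"

# access-list 120 from Listing 7.29 (source/destination "any any" omitted)
ACL_120 = [
    ("permit", "tcp", 21, periodic("weekdays", "07:00", "18:00")),
    ("deny",   "tcp", 80, periodic("weekend", "00:00", "23:59")),
    ("permit", "udp", 69, periodic("weekend", "12:00", "20:00")),
    ("permit", "tcp", 23, periodic("saturday", "12:00", "20:00")),
]

# absolute-list from Listing 7.30, reduced to protocol and port
ABSOLUTE_LIST = [
    ("permit", "tcp", 21, absolute("2004-01-01 06:00", "2004-12-31 23:59")),
    ("deny",   "tcp", 80, absolute("2004-11-24 00:00", "2004-11-26 06:00")),
    ("permit", "udp", 69, absolute(end="2004-02-11 17:50")),
    ("permit", "tcp", 23, absolute(end="2004-12-31 23:59")),
]
```

Running the model shows that HTTP through access-list 120 is denied on weekdays as well as at the weekend: a timed deny entry only changes the outcome when a later permit would otherwise allow the traffic, and the implicit deny at the end of the list is not time-bound.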

Note Because of the format limitations of this book, some lines of code listed above have been broken with a hyphen.
