This example uses R4, R5 and R6 in a chain. R4 represents a host, R5 is my access router, and R5 connects to R6, which represents the internet.
Relevant Config:
R4
hostname R4
interface FastEthernet0/0
description R5 Fa0/0
ip address 192.168.101.4 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.101.5
R5
hostname R5
interface FastEthernet0/1
description R4 Fa0/0
ip address 192.168.101.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/0
description R6 Fa0/1
ip address 192.168.156.5 255.255.255.0
ip access-group FromOutside in
ip access-group FromInside out
duplex auto
speed auto
!
ip access-list extended FromInside
permit tcp any eq bgp any
permit tcp any any eq bgp
permit ip any any reflect InsideOut timeout 30
ip access-list extended FromOutside
permit tcp any eq bgp any
permit tcp any any eq bgp
evaluate InsideOut
deny ip any any log
R6 and the associated BGP configuration are unimportant for this example and are not shown.
If we look at the access-list FromInside, which on R5 is the outbound ACL on the interface facing R6, we are explicitly allowing BGP through, and any other outgoing traffic will be "reflected", that is, the source/destination IP addresses and ports of the conversation will be stored in the reflexive ACL "InsideOut".
The access-list FromOutside, which on R5 is the inbound ACL on the interface facing R6, also explicitly allows BGP through; any other traffic will be evaluated against the "InsideOut" reflexive ACL and will only be allowed in if it matches a reflected entry.
So let's check the ACLs are present:
R5#sh ip access-list
Extended IP access list FromInside
10 permit tcp any eq bgp any
20 permit tcp any any eq bgp
30 permit ip any any reflect InsideOut
Extended IP access list FromOutside
10 permit tcp any eq bgp any
20 permit tcp any any eq bgp (1 match)
30 evaluate InsideOut
40 deny ip any any log
Reflexive IP access list InsideOut
Yes. Now let's check that unsolicited traffic can't get in:
R6#ping 192.168.101.4 source 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.4, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
U.U.U
Success rate is 0 percent (0/5)
It appears to be blocked as we wanted:
R5#
*Mar 1 01:31:25.715: %SEC-6-IPACCESSLOGDP: list FromOutside denied icmp 6.6.6.6 -> 192.168.101.4 (8/0), 1 packet
R5#sh ip access-list
Extended IP access list FromInside
10 permit tcp any eq bgp any
20 permit tcp any any eq bgp
30 permit ip any any reflect InsideOut
Extended IP access list FromOutside
10 permit tcp any eq bgp any
20 permit tcp any any eq bgp (2 matches)
30 evaluate InsideOut
40 deny ip any any log (5 matches)
Reflexive IP access list InsideOut
OK, so R4 is protected. Let's try having R4 ping R6:
R4>ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/11/20 ms
Yep, that looks good: we got return traffic from 6.6.6.6, which didn't work last time. Can we see the dynamic entry that was created?
R5#sh ip access-list
Extended IP access list FromInside
10 permit tcp any eq bgp any
20 permit tcp any any eq bgp
30 permit ip any any reflect InsideOut (14 matches)
Extended IP access list FromOutside
10 permit tcp any eq bgp any
20 permit tcp any any eq bgp (4 matches)
30 evaluate InsideOut
40 deny ip any any log (5 matches)
Reflexive IP access list InsideOut
permit icmp host 6.6.6.6 host 192.168.101.4 (10 matches) (time left 26)
Yes, and this entry disappears once the timeout expires. For a stateful conversation (e.g. TCP) the timeout automatically shrinks to a few seconds once a FIN/FIN-ACK sequence has started, to reduce the chance of something jumping in on a closed conversation and getting into your protected zone.
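To make the reflect/evaluate behaviour concrete, here is an added Python model of R5's two ACLs; it is not IOS code and not part of the original post. The addresses are the lab's, BGP is TCP port 179, the idle timer is refreshed by matching traffic, and the 5-second lifetime after a FIN is an assumption.

```python
from dataclasses import dataclass, field

BGP_PORT = 179      # 'eq bgp' in the static permit lines
FIN_GRACE = 5       # assumed: seconds an entry survives once a TCP FIN is seen

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    fin: bool = False     # TCP FIN flag set

@dataclass
class ReflexiveAcl:
    """Models R5's FromInside (reflect) / FromOutside (evaluate) pair."""
    timeout: int = 30                                # 'reflect InsideOut timeout 30'
    entries: dict = field(default_factory=dict)      # key -> expiry time
    closing: set = field(default_factory=set)        # keys that have seen a FIN

    @staticmethod
    def _key(proto, src, dst, sport, dport):
        # ICMP entries carry no ports: 'permit icmp host A host B'
        return (proto, src, dst) + ((sport, dport) if proto != "icmp" else (0, 0))

    @staticmethod
    def _is_bgp(p):
        return p.proto == "tcp" and BGP_PORT in (p.sport, p.dport)

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        self.closing &= set(self.entries)

    def outbound(self, p, now):
        """FromInside: BGP hits the static lines; everything else is reflected."""
        if not self._is_bgp(p):
            key = self._key(p.proto, p.dst, p.src, p.dport, p.sport)  # mirror image
            self.entries[key] = now + self.timeout
            if p.fin:
                self.closing.add(key)
        return True

    def inbound(self, p, now):
        """FromOutside: static BGP lines, then 'evaluate InsideOut', then deny."""
        self._expire(now)
        if self._is_bgp(p):
            return True
        key = self._key(p.proto, p.src, p.dst, p.sport, p.dport)
        if key not in self.entries:
            return False                             # 'deny ip any any log'
        if p.fin:
            self.closing.add(key)
        if key in self.closing:                      # closing: lifetime shrinks
            self.entries[key] = min(self.entries[key], now + FIN_GRACE)
        else:                                        # activity refreshes the idle timer
            self.entries[key] = now + self.timeout
        return True

    def time_left(self, p, now):
        """The '(time left N)' value shown by 'show ip access-list'."""
        exp = self.entries.get(self._key(p.proto, p.src, p.dst, p.sport, p.dport))
        return None if exp is None else max(0, exp - now)
```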