Reflexive ACL Examples

Now that you have a basic understanding of the configuration of RACLs, this section shows you some examples that illustrate how to set up RACLs on a router. The following sections contain three examples of the use of RACLs.

Simple RACL Example

In this example (see Figure 8-7), no traffic that originates on the Internet is allowed in; however, returning TCP and UDP traffic for sessions that internal users opened to the Internet is allowed. Example 8-11 shows a simple RACL configuration that enforces this policy.

Example 8-11. Simple RACL Example

Router(config)# ip access-list extended internal_ACL

Router(config-ext-nacl)# permit tcp any any reflect tcpstuff_RACL

Router(config-ext-nacl)# permit udp any any reflect udpstuff_RACL timeout 60

Router(config-ext-nacl)# exit

Router(config)# ip access-list extended external_ACL

Router(config-ext-nacl)# evaluate tcpstuff_RACL

Router(config-ext-nacl)# evaluate udpstuff_RACL

Router(config-ext-nacl)# deny ip any any

Router(config-ext-nacl)# exit

Router(config)# interface ethernet1

Router(config-if)# description This connects to the Internet

Router(config-if)# ip access-group internal_ACL out

Router(config-if)# ip access-group external_ACL in


In Example 8-11, the first extended ACL built, internal_ACL, matches TCP and UDP sessions leaving the router and records them in two RACLs, tcpstuff_RACL and udpstuff_RACL, respectively. The UDP entries are given an idle timeout of 60 seconds; the TCP entries use the global default (300 seconds unless it is changed with the ip reflexive-list timeout command). This extended ACL is applied outbound on the external interface. The second extended ACL, external_ACL, is applied inbound on the same interface and evaluates returning traffic against the two RACLs; all other traffic is dropped by the deny ip any any statement. Remember that placement of the evaluate statements is important. Statements are processed in order, so in this example they are placed before the deny ip any any statement; an evaluate placed after the deny would never be reached. Note also that because only TCP and UDP are reflected, this configuration drops all inbound ICMP, including error messages sent back to internal hosts; Example 8-12 adds an ICMP RACL for that reason.

Note that you easily could have placed both TCP and UDP sessions in the same RACL; however, as I pointed out earlier in this chapter, I prefer to separate the traffic, to make troubleshooting easier. By breaking the sessions into separate RACLs, it is easier to view them with the show access-lists command (you can view just a specific RACL's entries by giving the name of the RACL with this command).

Two-Interface RACL Example

In the "Two-Interface Example" section earlier in this chapter, I discussed an example of ACL placement and operation using Figure 8-7. In this example, I show you the actual configuration of this router with ACLs and RACLs.

Review the access policies discussed in the "Two-Interface Example" section. Example 8-12 shows the configuration to enforce these policies.

Example 8-12. Two-Interface Configuration Example

Router(config)# ip access-list extended internal_ACL

Router(config-ext-nacl)# permit tcp any any reflect tcp_RACL

Router(config-ext-nacl)# permit udp any any reflect udp_RACL timeout 30

Router(config-ext-nacl)# permit icmp any any reflect icmp_RACL timeout 10

Router(config-ext-nacl)# exit

Router(config)# ip access-list extended external_ACL

Router(config-ext-nacl)# evaluate tcp_RACL

Router(config-ext-nacl)# evaluate udp_RACL

Router(config-ext-nacl)# evaluate icmp_RACL

Router(config-ext-nacl)# permit tcp any host 192.1.1.1 eq 25

Router(config-ext-nacl)# deny ip any any

Router(config-ext-nacl)# exit

Router(config)# interface ethernet1

Router(config-if)# ip access-group internal_ACL out

Router(config-if)# ip access-group external_ACL in


Example 8-12 is very similar to Example 8-11. However, there are two differences. First, a third RACL, icmp_RACL, is built so that returning ICMP traffic (for example, replies to pings that internal users send) is allowed back in; its idle timeout is reduced from the default of 300 seconds to 10 seconds, and the UDP timeout is set to 30 seconds. Second, external users are allowed to reach the internal e-mail server (192.1.1.1) on TCP port 25. This is a static permit statement, so it needs no RACL; the e-mail server's replies are allowed out by the permit tcp any any statement in internal_ACL.

Three-Interface RACL Example

In the "Three-Interface Example" section earlier in this chapter, I discussed an example of ACL placement and operation using Figure 8-8. In this example, I show you the actual configuration of this router with ACLs and RACLs. This example is more complex than the previous two.

Review the access policies discussed in the "Three-Interface Example" section. Example 8-13 shows the configuration to enforce these policies. The numbering on the right refers to the numbered explanation that follows Example 8-13.

Example 8-13. Three-Interface Configuration Example

Router(config)# ip access-list extended internal_ACL

Router(config-ext-nacl)# permit tcp host 192.1.1.1                (1)

  host 192.1.2.1 eq 25 reflect DMZ_RACL

Router(config-ext-nacl)# deny tcp any any eq 25                   (2)

Router(config-ext-nacl)# deny ip host 192.1.1.1 any               (3)

Router(config-ext-nacl)# permit ip any 192.1.2.0 0.0.0.255        (4)

  reflect DMZ_RACL

Router(config-ext-nacl)# permit ip any any                        (5)

Router(config-ext-nacl)# exit

Router(config)# ip access-list extended DMZ_ACL

Router(config-ext-nacl)# permit tcp host 192.1.2.1                (6)

  host 192.1.1.1 eq 25

Router(config-ext-nacl)# evaluate DMZ_RACL                        (7)

Router(config-ext-nacl)# evaluate Internal_returns_RACL           (8)

Router(config-ext-nacl)# exit

Router(config)# ip access-list extended exit_ACL

Router(config-ext-nacl)# permit tcp host 192.1.2.1 any eq 25      (9)

  reflect DMZ_returns_RACL

Router(config-ext-nacl)# permit udp host 192.1.2.2 any eq 53     (10)

  reflect DMZ_returns_RACL

Router(config-ext-nacl)# permit ip 192.1.1.0 0.0.0.255 any       (11)

  reflect Internal_returns_RACL

Router(config-ext-nacl)# permit tcp host 192.1.2.1 eq 25 any     (12)

Router(config-ext-nacl)# permit udp host 192.1.2.2 eq 53 any

Router(config-ext-nacl)# permit tcp host 192.1.2.3 eq 80 any

Router(config-ext-nacl)# exit

Router(config)# ip access-list extended external_ACL

Router(config-ext-nacl)# permit tcp any host 192.1.2.1 eq 25     (13)

Router(config-ext-nacl)# permit udp any host 192.1.2.2 eq 53

Router(config-ext-nacl)# permit tcp any host 192.1.2.3 eq 80

Router(config-ext-nacl)# evaluate DMZ_returns_RACL               (14)

Router(config-ext-nacl)# evaluate Internal_returns_RACL

Router(config-ext-nacl)# exit

Router(config)# interface ethernet0                              (15)

Router(config-if)# description  Internal Network

Router(config-if)# ip access-group internal_ACL in

Router(config-if)# ip access-group DMZ_ACL out

Router(config-if)# exit

Router(config)# interface ethernet2

Router(config-if)# description  DMZ

Router(config-if)# exit

Router(config)# interface ethernet1

Router(config-if)# description  Internet

Router(config-if)# ip access-group exit_ACL out                  (16)

Router(config-if)# ip access-group external_ACL in

Router(config-if)# exit

Router(config)# ip reflexive-list timeout 120                    (17)


The following is an explanation of the listing in Example 8-13. The numbers refer to the numbers that appear on the right side of Example 8-13:

  1. This ACL is used to restrict traffic from leaving the internal segment. The first statement allows the internal e-mail server (192.1.1.1) to send e-mail to the DMZ e-mail server (192.1.2.1) and records these sessions in DMZ_RACL, so that the replies can return.

  2. This statement denies any other internal machine (the internal e-mail server was already permitted by the first statement) from sending e-mail directly to the DMZ e-mail server, or to any other e-mail server, for that matter: internal users must relay through the internal e-mail server.

  3. This statement denies the internal e-mail server access to any other DMZ or external device.

  4. This statement builds a RACL for traffic flowing from the internal segment to the DMZ. These temporary entries are placed in the DMZ_RACL along with the internal e-mail server's connection to the DMZ's e-mail server. For better security, you might want to break up this single ACL statement into multiple ones, based on protocol, and assign different timeout values for the protocols.

  5. This statement allows all other traffic to the Internet from the internal segment.

  6. The second named ACL is used to restrict traffic coming from the DMZ and Internet segments to the internal segment. The first statement allows the DMZ e-mail server to forward e-mail to the internal e-mail server.

  7. The reference to DMZ_RACL allows the traffic that internal devices sent to the DMZ to return to them.

  8. The reference to Internal_returns_RACL allows the traffic that internal devices sent to the Internet to return to them (see statement 11 in Example 8-13, which builds this RACL).

  9. This third ACL restricts traffic leaving the network for the Internet. The first statement allows the DMZ e-mail server to send e-mail to Internet servers and records these sessions in DMZ_returns_RACL, so that the replies can return to it.

  10. This statement allows DNS queries sent by the DMZ DNS server to the Internet to be returned to it (DMZ_returns_RACL).

  11. This statement allows traffic sent by the internal users to be returned to them (Internal_returns_RACL).

  12. The next three statements allow the responses of the DMZ servers to be forwarded to the Internet users. These are replies to connections permitted by external_ACL (statement 13), which has no reflect statements, so the replies need static permit statements here, matched on the servers' source ports.

  13. This fourth named ACL is used to filter Internet traffic coming into this network. The first three statements allow the Internet to access the e-mail, DNS, and web servers.

  14. The references to DMZ_returns_RACL and Internal_returns_RACL allow the traffic that internal devices sent to the Internet to return to them, as well as allows the traffic that the DMZ devices originate to be returned from the Internet. One interesting point to make about Internal_returns_RACL is that it is referenced in two named ACLs. This is necessary to allow the returning Internet traffic to flow through both the external ACL (applied inbound on E1) and the DMZ ACL (applied outbound on E0).

  15. Ethernet0 is connected to the internal segment. It has two ACLs activated on it. internal_ACL is used to restrict traffic leaving this segment, as well as to build the RACL that allows returning DMZ traffic. DMZ_ACL restricts traffic entering the internal segment from the DMZ and the Internet, allowing only the DMZ e-mail server's forwarded e-mail and the returning traffic in DMZ_RACL and Internal_returns_RACL. Ethernet2 is connected to the DMZ segment. Notice that no ACL is applied here; all policies are enforced by the two ACLs on the internal interface and the two ACLs on the external interface.

  16. Ethernet1 is connected to the Internet. It has an ACL applied to it inbound (external_ACL) that restricts traffic into the DMZ and allows returning traffic to the internal users. It also has an ACL applied outbound (exit_ACL) that creates RACL entries and allows Internet queries to be forwarded from the DMZ segment.

  17. The last statement in this configuration sets the idle timeout for RACL entries that do not specify their own timeout (in this example, all of them) to 120 seconds, instead of the default of 300. After 120 seconds without a matching packet, an idle entry is removed from the RACL. TCP entries are also removed shortly after the session is closed with FIN or RST, so the timeout matters mostly for UDP and ICMP entries and for TCP sessions that die without a proper close.

TIP

One thing that I definitely recommend monitoring in this configuration is the RACL timeout and the amount of memory that these temporary entries require; show access-lists displays the current entries of each RACL, so you can see how many are idle. If idle entries are causing memory problems, set up separate RACLs for HTTP, ICMP, and DNS query connections, setting the idle timeout for these to 60 seconds or less.


As you can see from this example, setting up a three-interface perimeter router firewall is not an easy task, and this was a very basic configuration. On top of this configuration, you also need to apply the other filtering recommendations discussed in Chapter 7, to provide further protection. You have your work cut out for you.
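The three-interface policy is easiest to check by tracing packets through the two ACLs each one crosses. The following Python model is an added example, not code from the book or from Cisco IOS: it reproduces the RACL mechanism that all three examples in this section rely on (mirrored temporary entries created by a permit ... reflect statement, the evaluate statement that never denies, the idle timer, and the implicit deny) and applies it to the ACLs of Example 8-13, transcribed as extended ACLs. The hosts and ports used in the traces (192.1.1.10, 200.1.1.1, ports 40000 and up, 4444, 5555) are made up, and the model ignores the TCP close handling that IOS performs on real sessions.

```python
# Model of how IOS reflexive ACLs (RACLs) behave, applied to the three-interface router of Example 8-13.
# Added illustration, not code from the book: the ACL statements mirror the example; the hosts and
# ports in the walk-through are made up. A packet is the tuple (proto, src, sport, dst, dport).
import ipaddress

def ip_match(spec, addr):
    """IOS address syntax: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)  # wildcard bits set to 1 are "don't care"

def permit(proto, src, dst, sport=None, dport=None, reflect=None, timeout=None):
    return ("permit", proto, src, sport, dst, dport, reflect, timeout)

def deny(proto, src, dst, sport=None, dport=None):
    return ("deny", proto, src, sport, dst, dport, None, None)

def evaluate(racl):
    return ("evaluate", racl)

class Router:
    def __init__(self, acls, ifaces, reflexive_timeout=300):  # 300 s is the IOS default
        self.acls, self.ifaces, self.default_timeout, self.now = acls, ifaces, reflexive_timeout, 0
        self.racls = {}  # RACL name -> list of [mirrored packet, idle timeout, expiry time]

    def _evaluate(self, racl, pkt):
        live = self.racls[racl] = [e for e in self.racls.get(racl, []) if e[2] > self.now]  # age out
        hits = [e for e in live if e[0] == pkt]
        for e in hits:
            e[2] = self.now + e[1]  # a hit restarts the idle timer
        return bool(hits)

    def _apply(self, acl_name, pkt):
        proto, src, sport, dst, dport = pkt
        for st in self.acls[acl_name]:  # first matching statement wins
            if st[0] == "evaluate":
                if self._evaluate(st[1], pkt):
                    return True
                continue  # an evaluate never denies; matching continues with the next statement
            action, p, s, sp, d, dp, reflect, timeout = st
            if p not in ("ip", proto) or not (ip_match(s, src) and ip_match(d, dst)):
                continue
            if sp not in (None, sport) or dp not in (None, dport):
                continue
            if action == "permit" and reflect:  # create the mirrored temporary entry
                t = timeout or self.default_timeout
                self.racls.setdefault(reflect, []).append([(proto, dst, dport, src, sport), t, self.now + t])
            return action == "permit"
        return False  # no statement matched: the implicit deny

    def forward(self, pkt, ingress, egress):
        """Inbound ACL of the ingress interface, then outbound ACL of the egress interface."""
        for iface, direction in ((ingress, "in"), (egress, "out")):
            acl = self.ifaces[iface].get(direction)
            if acl and not self._apply(acl, pkt):
                return False
        return True

def example_8_13():
    acls = {
        "internal_ACL": [permit("tcp", "host 192.1.1.1", "host 192.1.2.1", dport=25, reflect="DMZ_RACL"),
                         deny("tcp", "any", "any", dport=25), deny("ip", "host 192.1.1.1", "any"),
                         permit("ip", "any", "192.1.2.0 0.0.0.255", reflect="DMZ_RACL"),
                         permit("ip", "any", "any")],
        "DMZ_ACL": [permit("tcp", "host 192.1.2.1", "host 192.1.1.1", dport=25),
                    evaluate("DMZ_RACL"), evaluate("Internal_returns_RACL")],
        "exit_ACL": [permit("tcp", "host 192.1.2.1", "any", dport=25, reflect="DMZ_returns_RACL"),
                     permit("udp", "host 192.1.2.2", "any", dport=53, reflect="DMZ_returns_RACL"),
                     permit("ip", "192.1.1.0 0.0.0.255", "any", reflect="Internal_returns_RACL"),
                     permit("tcp", "host 192.1.2.1", "any", sport=25),
                     permit("udp", "host 192.1.2.2", "any", sport=53),
                     permit("tcp", "host 192.1.2.3", "any", sport=80)],
        "external_ACL": [permit("tcp", "any", "host 192.1.2.1", dport=25),
                         permit("udp", "any", "host 192.1.2.2", dport=53),
                         permit("tcp", "any", "host 192.1.2.3", dport=80),
                         evaluate("DMZ_returns_RACL"), evaluate("Internal_returns_RACL")],
    }
    ifaces = {"e0": {"in": "internal_ACL", "out": "DMZ_ACL"},  # e0 internal, e2 DMZ (no ACLs), e1 Internet
              "e2": {}, "e1": {"in": "external_ACL", "out": "exit_ACL"}}
    return Router(acls, ifaces, reflexive_timeout=120)  # ip reflexive-list timeout 120

def walk_through(drop_second_evaluate=False):
    """Trace the flows discussed in the chapter; returns {scenario: forwarded?}."""
    r = example_8_13()
    if drop_second_evaluate:  # point 14: what happens without the evaluate in DMZ_ACL
        r.acls["DMZ_ACL"].remove(evaluate("Internal_returns_RACL"))
    web, reply = ("tcp", "192.1.1.10", 40000, "200.1.1.1", 80), ("tcp", "200.1.1.1", 80, "192.1.1.10", 40000)
    out = {"user_to_internet": r.forward(web, "e0", "e1"),
           "reply_to_user": r.forward(reply, "e1", "e0"),
           "unsolicited_to_user": r.forward(("tcp", "200.1.1.1", 4444, "192.1.1.10", 22), "e1", "e0"),
           "user_smtp_direct": r.forward(("tcp", "192.1.1.10", 40001, "200.1.1.1", 25), "e0", "e1"),
           "dmz_smtp_reply": r.forward(("tcp", "192.1.2.1", 25, "200.1.1.1", 5555), "e2", "e1"),
           "user_to_dmz_web": r.forward(("tcp", "192.1.1.10", 40003, "192.1.2.3", 80), "e0", "e2"),
           "dmz_web_reply": r.forward(("tcp", "192.1.2.3", 80, "192.1.1.10", 40003), "e2", "e0")}
    r.now += 121  # let the 120 s idle timer expire
    out["reply_after_idle_timeout"] = r.forward(reply, "e1", "e0")
    return out
```

walk_through() shows the internal user's web session permitted out through internal_ACL and exit_ACL (statement 11 creates the Internal_returns_RACL entry), its reply permitted back in through external_ACL and DMZ_ACL, the unsolicited connection and the direct SMTP attempt dropped, the DMZ web server's reply to an internal user admitted through DMZ_RACL, the DMZ e-mail server's reply to an Internet client admitted by the static permit on source port 25, and the web reply dropped once 121 seconds pass with no traffic. walk_through(drop_second_evaluate=True) demonstrates point 14: with Internal_returns_RACL evaluated only in external_ACL, the same reply passes Ethernet1 inbound but is dropped by DMZ_ACL on Ethernet0 outbound.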

RACL Configuration

When RACLs first were introduced, I thought that they were a godsend to filtering returning traffic. I was able to successfully use them in many environments. However, the first time I configured a router with three interfaces (internal, external, and DMZ), I spent almost three days getting everything to work correctly. I learned a lot about TCP/IP connections and applications that week, and I spent a lot of time with a protocol analyzer figuring out what port numbers unusual applications were using. In this example, the customer was a small financial institution that was concerned about its Internet connection. It had a DMZ with a couple servers offering e-commerce services. Providing protection for these servers, enforcing their policies, and allowing certain inside users to receive returning traffic was not a simple matter.

From this experience, I learned that you absolutely must understand the customer's policies down to the exact detail: what connections are needed and how these connections operate. I highly recommend that you create a network diagram and draw the different kinds of connections that will be used, including the protocol information used, such as TCP or UDP port numbers. Based on this, you should be able to develop an ACL solution with RACLs to easily accommodate the customer's needs.