ITSY 2301 Firewalls and Network Security Fall 2009

Lab 11 Reflexive Access Control Lists

Purpose:

Demonstrate the use of Reflexive Access Control Lists.

Topology:

See the ITSY2301 standard router configuration diagram.

Confirm the cabling of the routers and switches.

Directions:

Configure the 2 routers with appropriate starting IP addresses and routing protocol. Note: Use the basic configuration, with no other ACLs. Change the routing protocol to EIGRP: “router eigrp 10”

Test the connectivity between the routers. Ping from the faculty workstation to the Boston workstation.

Scenario:

For this Lab we will be using Austin as an interior router where we will configure the reflexive access list. We want to prevent the users outside of subnetwork 10.0.1.0 from accessing subnetwork 10.0.1.0. However, the users inside the subnetwork need to have access out and be able to receive information back.

From the "Austin" console enter the commands in boldface type.

Step 1

Determine if the access list should be applied to an internal interface or an external interface. Set up the access lists accordingly. We will need to configure both an inbound access list and an outbound access list. For this example the outbound access list will be used to modify the inbound access list.

Note: We will be using named extended access lists.

Step 2 The first command creates an incoming ACL named “filterin”

ip access-list extended filterin

What happens to the router prompt?


Step 3 Permit EIGRP traffic

permit eigrp any any

Answer reflection question 1. Google is your friend!

Step 4 Create “internalpkts”

evaluate internalpkts (a table is created to track packets)

Answer reflection question 2.

Step 5 Create an exiting traffic ACL

ip access-list extended filterout

Step 6 Permit tcp traffic

permit tcp any any reflect internalpkts

Answer reflection question 3.

Step 7 Apply the access lists on Austin to the correct interface, and in the correct direction.

interface xxxxx          (xxxxx = interface ID)

ip access-group filterin yyyyy          (yyyyy = direction, in or out)

ip access-group filterout yyyyy

Which access list will be applied to information coming into interface xxxxx?

Which access list will be applied to information going out of interface xxxxx?


Step 8 Set global timeout values.

ip reflexive-list timeout 120

Save your configurations now.

How long does it take for the reflexive access list to expire?
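As an added teaching model (not part of the lab and not IOS code), the following Python simulates what the two lists built in Steps 2 through 8 do: filterout mirrors each outbound TCP flow into the temporary list internalpkts, and filterin admits only EIGRP plus inbound packets that still match a mirrored entry that has not timed out. Addresses, ports and clock values are constructed; TCP FIN/RST early teardown of entries is not modeled.

```python
from dataclasses import dataclass

# Constructed model of the lab's two named ACLs. "filterout" reflects outbound
# TCP into the temporary list "internalpkts"; "filterin" permits EIGRP and then
# evaluates "internalpkts". Only the idle timeout is modeled, not FIN/RST teardown.

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveACL:
    def __init__(self, timeout=120):
        self.timeout = timeout      # ip reflexive-list timeout 120
        self.internalpkts = {}      # mirrored 5-tuple -> expiry time (seconds)

    def filterout(self, pkt, now):
        """Outbound list: 'permit tcp any any reflect internalpkts'."""
        if pkt.proto != "tcp":
            return False            # implicit deny at the end of every named ACL
        mirror = Packet("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.internalpkts[mirror] = now + self.timeout   # create or refresh entry
        return True

    def filterin(self, pkt, now):
        """Inbound list: 'permit eigrp any any' then 'evaluate internalpkts'."""
        if pkt.proto == "eigrp":
            return True
        expiry = self.internalpkts.get(pkt)
        if expiry is not None and now < expiry:
            self.internalpkts[pkt] = now + self.timeout  # matching traffic refreshes timer
            return True
        self.internalpkts.pop(pkt, None)                 # expired or never reflected
        return False                                     # implicit deny
```

Run the telnet from 10.0.1.2 through filterout first, then the reply through filterin, and compare with what you observe in Steps 10 and 11.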

Step 9 Verify the content of the ACLs

show access-list

What does the router respond with?

Step 10 Verify that reflexive access list is working correctly on Austin

From the Boston workstation 11.0.13.1 try an extended ping to the workstation 10.0.1.2 using 10 packets in the ping.

Were you successful?

Try to telnet from the faculty 10.0.1.2 workstation to 11.0.13.2 on Boston.

Were you successful?

If you got a message, what was it and why?

Ping Boston at 11.0.13.2 from the faculty workstation 10.0.1.2.

Were you successful?

Step 11 Check the access list on the router. From the Austin EXEC prompt

show access-list

What has changed in the access list?

Note: If this type of ACL is not working as you expect it should, try changing the interface on which you apply it. You may also have to change the interface filtering direction. Save your work! You will have to re-boot after you change the interface application, to remove the old information from memory.

Step 12 Check the ACLs from the student network

From the test/student workstation on subnet 10.0.2.0, try to ping the Boston workstation, 11.0.13.1.

Were you successful?

Ping the faculty workstation, 10.0.1.2, from the test/student workstation, 10.0.2.2.

Were you successful?

If you were unsuccessful, why not?


Reflection Questions:

1. Why would we want to permit eigrp on our incoming access list?

2. Describe how this access control list will work. What does “evaluate” do?

3. What does this statement in the access list do? What does “reflect” do?

4. Would you call Reflexive ACLs dynamic? Why or why not?

5. Would you call Reflexive ACLs stateful? Why or why not?
