Dynamic and reflexive access lists.

A way of tweaking an access-list to be more flexible,
The reflexive access list allows to configure Cisco to allow all or some connections that are allowed by another access list,
For instance, allowing the return of all traffic that was originated from the LAN and blocking all other,

Configuration is very simple, creating 2 access lists, lets say internal and external,
Internal will allow all desired traffic, external will allow only packets related to the connection allowed by internal and deny all others

Will look like this:
ip access-list extended Internal
 permit ip any any reflect TEMP

ip access-list Extended External
 evaluate TEMP

and on the external interface
                ip access-group External in
 ip access-group Internal out

I also like to see the packets that are being blocked so I add a "deny ip any any log" on the bottom of the external ACL,
Also make sure to allow any other traffic if needed.

Another way is the dynamic access-list, basically you create an entry that requires authentication in order to use,
For example, allow connecting to an internal web or ftp server only after successfully authenticating with the Cisco,
Like the reflexive ACL it's very easy to configure,
Let's say we want to allow the network to browse the internet only after authenticating to the Cisco (,
We need to make sure telnet traffic is allowed to allow the authentication.
the ACL:
Ip access-list extended Dynamic
 10 Permit tcp host eq telnet
 20 Dynamic List_1 permit tcp any eq www

Create a user for the authentication :
username test password 7 071E36491F5B4A
username test autocommand access-enable host timeout 10
in this case the users will be able to browse 10 minutes before the need to re-authenticate.

Now only add the ACL to an Interface and we're all done.

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR


Post a Comment