Reflexive access-lists are one of the methods that can help us achieve full firewall functionality with a Cisco router.
Setting up the access-lists
I always tend to call my router/firewall access-lists the same thing: one called inside_out and one called outside_in. These names describe the function of the two lists exactly. The first is concerned with traffic coming from inside the firewall (your LAN) going out, and the second with traffic coming into your LAN from outside.
inside_out access-list
Ok, let's just create a very open list here; the purpose of this tutorial is how to use reflexive lists, not how to create access-lists in general. So we'll just have the following -:
ip access-list extended inside_out
 permit ip any any reflect outbound
All we are doing here is creating a list that allows any traffic out and creates a reflexive access-list called outbound. This reflexive list is dynamically updated with a temporary entry for each connection initiated from inside your LAN, so that only the matching return traffic is allowed back in.
outside_in access-list
Again this is a very simple access-list with some good defaults in -:
ip access-list extended outside_in
 evaluate outbound
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
This list first evaluates the reflexive list created by the inside_out access-list (which permits the return traffic), then drops packets with loopback, multicast, broadcast or private source addresses, permits the ICMP replies and errors that normal traffic depends on, and finally denies and logs everything else.
You can check the current reflexive list by typing -:
sh access-lists
Apply the lists to your outside interface
In my case serial0 is my outside interface, so -:
interface Serial0
 ip access-group outside_in in
 ip access-group inside_out out
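To make the interaction of the two lists concrete, here is an added Python model of what the router does with this configuration; it is an illustration written for this page, not IOS code and not from the original tutorial. The addresses and ports are constructed sample values, and the 300-second entry lifetime matches the IOS default reflexive-list timeout.

```python
"""Toy model of the tutorial's reflexive ACL pair (added illustration, not IOS code).

inside_out : permit ip any any reflect outbound   -> creates mirrored 'outbound' entries
outside_in : evaluate outbound, bogon denies, ICMP permits, deny ip any any log
"""
import ipaddress

# Source ranges denied by outside_in; the page's wildcard masks written as prefixes.
DENIED_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "224.0.0.0/3", "255.255.255.255/32",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_PERMITTED = {"echo-reply", "unreachable", "time-exceeded"}
REFLEXIVE_TIMEOUT = 300  # idle seconds before a reflexive entry expires (IOS default)


class ReflexiveFirewall:
    def __init__(self):
        # reflexive 'outbound' list: expected-reply 5-tuple -> time of last matching packet
        self.outbound = {}

    def inside_out(self, now, proto, src, sport, dst, dport):
        """Outbound direction: permit everything and record the mirrored reply entry."""
        self.outbound[(proto, dst, dport, src, sport)] = now
        return "permit"

    def outside_in(self, now, proto, src, sport, dst, dport, icmp_type=None):
        """Inbound direction: the outside_in list, evaluated top to bottom."""
        # evaluate outbound: is this the reply to a connection opened from the LAN?
        key = (proto, src, sport, dst, dport)
        seen = self.outbound.get(key)
        if seen is not None and now - seen <= REFLEXIVE_TIMEOUT:
            self.outbound[key] = now          # matching traffic refreshes the timer
            return "permit (reflexive)"
        self.outbound.pop(key, None)          # an expired entry is removed
        # static denies: loopback, multicast, broadcast and RFC 1918 sources
        # should never arrive from the Internet
        if any(ipaddress.ip_address(src) in n for n in DENIED_SOURCES):
            return "deny (bogon source)"
        # ICMP needed for ping replies, traceroute and path MTU discovery
        if proto == "icmp" and icmp_type in ICMP_PERMITTED:
            return "permit (icmp)"
        # deny ip any any log
        return "deny (log)"
```

An unsolicited inbound connection, a reply on the wrong port, and a reply arriving after the entry has expired all fall through to the final deny, which is what you will see logged when checking with sh access-lists.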
