https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747393#M1008899 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Your config needs some slight modifications. I assume you want to create a reflexive access list to track all tcp traffic, not just smtp, originated from the inside (trusted) network. The following config would cause the router create a temporary access list entry for all tcp originated from the inside network. The config that you have in there now would only allow create a temporary ACE for the SMTP traffic defined in your first statement in the ACL named smtp-racl and all other traffic would be dropped on it ways back. </P><P></P><P>If you have a different requirement please clarify that..</P><P></P><P>ip access-list extended internal-smtp</P><P>permit tcp any any reflect smtp-racl</P><P></P><P>ip access-list extended external-acl</P><P><OTHER acl="" statements=""></OTHER></P><P>permit tcp any host 216.aaa.bbb.ccc eq smtp</P><P>permit tcp any host 216.aaa.bbb.ccc eq www</P><P>permit tcp any host 216.aaa.bbb.ccc eq 443 </P><P>evaluate smtp-racl</P><P></P><P>HTH</P><P></P><P>Sundar</P></BODY></HTML> Wed, 28 Mar 2007 19:22:50 GMT sundar.palaniappan 2007-03-28T19:22:50Z https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747392#M1008894 <P>Hello. I am trying to build a reflexive acl on a 7206 router (Version 12.3(17)) to help secure email without interrupting</P><P>any other services, especially ftp. Here is what I have so far: </P><P></P><P>ip access-list extended internal-smtp </P><P>permit tcp 192.168.x.y any host reflect smtp-racl</P><P>permit ip any any</P><P></P><P>ip access-list extended external-acl</P><P>&lt;other acl statements&gt;</P><P>evaluate smtp-racl</P><P>permit tcp any host 216.aaa.bbb.ccc eq smtp</P><P>permit tcp any host 216.aaa.bbb.ccc eq www</P><P>permit tcp any host 216.aaa.bbb.ccc eq 443</P><P>&lt;other acl statements&gt;</P><P>deny ip any any</P><P></P><P>interface serial01</P><P>ip access-group internal-smtp out</P><P>ip access-group external-acl in</P><P></P><P>IP addresses refer to inside local and outside global of email server.</P><P></P><P>Is this going to be effective? Is there a configuration that would be more effective? We do not have CBAC capabilities. Thanks in advance.</P> Mon, 11 Mar 2019 09:53:06 GMT https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747392#M1008894 pdriscoll 2019-03-11T09:53:06Z https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747393#M1008899 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Your config needs some slight modifications. I assume you want to create a reflexive access list to track all tcp traffic, not just smtp, originated from the inside (trusted) network. The following config would cause the router create a temporary access list entry for all tcp originated from the inside network. The config that you have in there now would only allow create a temporary ACE for the SMTP traffic defined in your first statement in the ACL named smtp-racl and all other traffic would be dropped on it ways back. </P><P></P><P>If you have a different requirement please clarify that..</P><P></P><P>ip access-list extended internal-smtp</P><P>permit tcp any any reflect smtp-racl</P><P></P><P>ip access-list extended external-acl</P><P><OTHER acl="" statements=""></OTHER></P><P>permit tcp any host 216.aaa.bbb.ccc eq smtp</P><P>permit tcp any host 216.aaa.bbb.ccc eq www</P><P>permit tcp any host 216.aaa.bbb.ccc eq 443 </P><P>evaluate smtp-racl</P><P></P><P>HTH</P><P></P><P>Sundar</P></BODY></HTML> Wed, 28 Mar 2007 19:22:50 GMT https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747393#M1008899 sundar.palaniappan 2007-03-28T19:22:50Z https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747394#M1008912 <HTML><HEAD></HEAD><BODY><P>Sundar - thanks for your response. </P><P></P><P>Your assumption is correct. However, I am not certain how FTP traffic, both inbound and outbound, would be affected by your configuration. Please advise whether FTP would or would not be affected. Thanks.</P></BODY></HTML> Wed, 28 Mar 2007 19:48:38 GMT https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747394#M1008912 pdriscoll 2007-03-28T19:48:38Z https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747395#M1008919 <HTML><HEAD></HEAD><BODY><P>Your outbound, from inside to outside, FTP traffic would work fine as the reflexive access list will create a temporary access list entry when the first ftp packets in the session leaves the router and the return traffic will be allowed back in.</P><P></P><P>However, for traffic originated from outside to inside you need to explicitly allow the traffic on your inbound ACL and outbound ACL. Adding an entry each to the ACL(s) should address your concern.</P><P></P><P>ip access-list extended external-acl </P><P>permit tcp <NETWORK> host <FTP_SERVER> eq ftp</FTP_SERVER></NETWORK></P><P></P><P>ip access-list extended internal-smtp </P><P>permit ip any any</P><P></P><P>HTH</P><P></P><P>Sundar</P></BODY></HTML> Wed, 28 Mar 2007 19:58:39 GMT https://community.cisco.com/t5/network-security/reflexive-acl/m-p/747395#M1008919 sundar.palaniappan 2007-03-28T19:58:39Z