Reflexive ACLs - Need Clarification

kschafer
Level 1

I've got a 2621 router that I'd like to do some DMZ style firewalling on.

I want to allow the servers on the inside to make outbound requests, but restrict inbound access to particular ports.

With regular ACLs, I run into problems with FTP, and I'm thinking maybe applying reflexive ACLs would be a better approach.

Could somebody post an example of using reflexive ACLs to permit access to an FTP server? In the topology, FastEthernet0/0 faces the internet and FastEthernet0/1 faces the servers.

Thanks,

= K

3 Replies

nkhawaja
Cisco Employee

Hi,

A reflexive ACL is probably not a good choice for any multi-channel protocol, e.g. FTP. It will not open up ports for FTP data. You need to use IOS FW (CBAC).

Besides this, there is not much documentation on reflexive ACLs. Just this link:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm

kschafer
Level 1

OK, thanks for the tip on CBAC. I've started reading up on it.

Assuming that I do NAT on the inside (fa 0/1) and that an FTP server resides at 10.1.1.1, do you think you could give me a CBAC example for FTP?

Right now I just have extended ACLs on the outbound interface towards the servers, and for the most part things work fine except for FTP.

Thanks for the tips so far,

= K

nkhawaja
Cisco Employee

Hi,

I hope this example will help:

http://www.cisco.com/warp/customer/793/ios_fw/cbac4.html

Thanks,

Nadeem
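The configuration below is an added example written for this thread; it is not from the original posts or from the linked Cisco pages. It puts the reflexive ACL the original poster asked about next to the CBAC (IOS Firewall) configuration the replies recommend, for the topology described in the thread: FastEthernet0/0 towards the internet, FastEthernet0/1 towards the servers, and an FTP server at 10.1.1.1. Everything else is assumed for illustration: the static translation of 10.1.1.1 to the documentation address 192.0.2.10, and the list and inspection-rule names (OUTBOUND, RETURN-TRAFFIC, INBOUND-REFLEX, DMZ-FW, OUTSIDE-IN).

```cisco
! ---- Approach 1: reflexive ACL (what the original poster asked about) ----
! Each session leaving fa0/0 creates a mirrored temporary entry in
! RETURN-TRAFFIC; the inbound list admits those entries plus the static
! FTP control port. Apply with "ip access-group OUTBOUND out" and
! "ip access-group INBOUND-REFLEX in" on FastEthernet0/0.
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any reflect RETURN-TRAFFIC
!
ip access-list extended INBOUND-REFLEX
 evaluate RETURN-TRAFFIC
 permit tcp any host 192.0.2.10 eq ftp
 deny ip any any log
!
! Where this falls short: a reflected entry only mirrors the session that
! created it (inside host -> outside host, swapped addresses and ports).
! The FTP data port is negotiated inside the control channel, which a
! reflexive ACL never reads, so a passive-mode data connection from an
! outside client to a high port on 192.0.2.10, or an active-mode data
! connection from an outside server back to an inside client, matches no
! entry and is dropped by the final deny.

! ---- Approach 2: CBAC / IOS Firewall (what the replies recommend) ----
! The ftp inspection parses PORT / PASV on the control channel and opens a
! temporary hole for exactly that data connection, in either direction.
ip inspect name DMZ-FW tcp timeout 3600
ip inspect name DMZ-FW udp timeout 15
ip inspect name DMZ-FW ftp
ip inspect audit-trail
!
! Assumed static translation for the FTP server (192.0.2.10 is a
! documentation address standing in for a real public address).
ip nat inside source static 10.1.1.1 192.0.2.10
!
! The inbound ACL on the outside interface is checked before NAT, so it
! must match the global (translated) address. Only the control channel is
! permitted statically; CBAC adds the data-channel entries dynamically.
ip access-list extended OUTSIDE-IN
 remark FTP control channel to the DMZ server; everything else is denied
 permit tcp any host 192.0.2.10 eq ftp
 deny ip any any log
!
interface FastEthernet0/0
 description Internet
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect DMZ-FW in
 ip inspect DMZ-FW out
!
interface FastEthernet0/1
 description servers (DMZ)
 ip nat inside
```

The inspection rule is applied in both directions on fa0/0: "out" tracks sessions the servers open towards the internet (so their replies, and any active-mode data connection coming back to them, get through OUTSIDE-IN), and "in" tracks the FTP sessions outside clients open to 192.0.2.10 (so the passive-mode data connection they then open to a high port is admitted). After a transfer, `show ip inspect sessions` lists the control and data sessions CBAC is tracking, and `show ip access-lists` shows the temporary entries it inserted; with the reflexive design, the same command shows that only the mirrored control session ever appears.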