Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
706
Views
0
Helpful
1
Replies

(CCNA Question) Reflexive ACLs

Go to solution
Daniel Boling
Beginner
Beginner

‎05-07-2012 07:20 PM - edited ‎03-07-2019 06:34 AM

In the ICND2 book, it mentions the use of Reflexive ACLs to permit each TCP / UDP session on an individual basis.  The example given lists a similar scenario:

Workstation (a.a.a.a:5000) > Router > Internet > Web Server (b.b.b.b:80)      

                                                                       Attacker (c.c.c.c:80)

The Reflexive ACLs logic is to control the individual session between the Workstation and the Web Server by restricting sent / received traffic between a.a.a.a:5000 and b.b.b.b:80, as to prevent c.c.c.c:80 from passing traffic through the Router. 

My question is why did the book phrase this example as "Classic Case in which traditional ACLs create a security hole...", when a PAT session would restrict the protocol, inside global, inside local, outside local, and outside global IP header information?  Traffic sent from the Attacker should never get beyond Routers outside interface with PAT.  As I upload this post, an outside host should not be able to source his port to 80, and flood my network.

Is the book assuming the Router is not using PAT, is there a reason for the over-redundancy, or am I missing something?

Thanks for your input

Labels:
0 Helpful