<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techinvasion.net &#187; Uncategorized</title>
	<atom:link href="http://www.techinvasion.net/category/uncategorized/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techinvasion.net</link>
	<description></description>
	<lastBuildDate>Sat, 04 Sep 2010 02:02:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Introduction to access-lists part 2</title>
		<link>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/</link>
		<comments>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 17:47:21 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[ack]]></category>
		<category><![CDATA[ACL]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[established]]></category>
		<category><![CDATA[ip inspect]]></category>
		<category><![CDATA[reflexive]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=65</guid>
		<description><![CDATA[In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like, they are an extended access-list that has a name instead of [...]]]></description>
			<content:encoded><![CDATA[<p>In the second installment of our guide to access-lists we are going to talk a little about named access-lists, how they work, what the benefits are, and how using them allows us to create reflexive access-lists. Named access-lists are exactly what they sound like: an extended access-list that has a name instead of a number. One of the nice features of named access-lists is that each line of the access-list has a sequence number, so you can delete just one line from an access-list without removing the whole access-list. You can create a named access-list with the following command.</p>
<p><span id="more-65"></span></p>
<pre class="prettyprint">
#ip access-list extended  (name goes here)
</pre>
<p>The neat thing about named access-lists is that when you run the show access-list command you see sequence numbers next to the lines in the ACL. This allows you to add or remove individual lines without deleting the whole access-list.</p>
<pre class="prettyprint">
test#sh ip access-list

extended ip access-list example
	10 permit ip any any
	20 deny tcp any any eq 80
	30 permit udp any any eq 53
</pre>
<p>Reflexive access-lists allow you to filter connections based on session. Reflexive ACLs are part of the IP Plus feature set and were the first attempt to create a stateful inspection firewall on routers. Before the invention of reflexive access-lists the only way we had to allow stateful return traffic from the internet was by using the established keyword. The problem with the established keyword is that the router only checks for the ACK bit on the packets. The ACK bit is set on packets once the three-way handshake has been completed. The problem with this is that it does nothing for UDP packets, since those connections are stateless, and it is very easy for an attacker to craft packets with the ACK bit set. To get around this problem Cisco invented the reflexive access-list.</p>
<pre class="prettyprint">
permit tcp any any eq 80 established
</pre>
<p>Reflexive access-lists are very easy to set up. I have added the configuration for the access-lists below. Basically a reflexive access-list is made up of two parts. The first part is the access-list that filters outbound traffic. This access-list is made up of statements that allow outbound traffic; the key part here is the reflect statement. What this means is that you want the router to reflect a matching entry for that session into another access-list.</p>
<p>In my example below I reflected the statements into an access-list called dynamic. I then created two access-lists. I created an inbound access-list to allow static inbound traffic to my webserver, and an outbound access-list to allow traffic from my LAN to the internet. I told my inbound access-list to check the reflexive entries before blocking traffic using the evaluate command. This is all there is to it. With these simple commands you can configure a stateful firewall to protect your network from harm. As good as this is though, it isn&#8217;t perfect. It doesn&#8217;t work for applications which use dynamic port numbers for return traffic. To solve this problem Cisco added layer 4 inspection and refined reflexive access-lists in what they call Context-Based Access Control, or CBAC. However CBAC is part of the IOS Firewall feature set and is a topic for another time.</p>
<pre class="prettyprint">
interface FastEthernet0/0
 description WAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip access-group internet_in in
 ip access-group lan_out out
 duplex auto
 speed auto
!
!
ip access-list extended internet_in
 remark Internet---->lan traffic
 permit tcp any any eq 80
 permit tcp any any eq 443
 evaluate dynamic
!
!
ip access-list extended lan_out
 remark inside----->internet traffic
 permit tcp any any eq www reflect dynamic
 permit tcp any any eq 443 reflect dynamic
 permit tcp any any eq 22 reflect dynamic
 permit tcp any any eq ftp reflect dynamic
 permit tcp any any eq telnet reflect dynamic
 permit tcp any any eq pop3 reflect dynamic
 permit tcp any any eq nntp reflect dynamic
 permit tcp any any eq smtp reflect dynamic
!
!
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/16/introduction-to-access-lists-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encrypting GRE tunnels!</title>
		<link>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/</link>
		<comments>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 19:21:11 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[GRE]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[IPSEC]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=49</guid>
		<description><![CDATA[In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling [...]]]></description>
			<content:encoded><![CDATA[<p>In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling GRE inside of IPSEC. This will allow us to get the benefits of GRE and the security of IPSEC.</p>
<p><span id="more-49"></span></p>
<pre class="prettyprint">!
crypto isakmp policy 10          # create the ISAKMP (IKE phase 1) policy
 authentication pre-share        # use a pre-shared key
                                 # encryption, hash and DH group are not set here,
                                 # so IOS falls back to its defaults (DES, SHA, group 1);
                                 # set stronger values (e.g. encr aes, group 2 or higher)
crypto isakmp key integer address 192.168.1.2   # the pre-shared key, then the address of the remote tunnel endpoint
!
# use AES encryption and comp-lzs compression. use transport mode.
crypto ipsec transform-set myset esp-aes esp-md5-hmac comp-lzs
 mode transport   # transport mode tells IPSEC not to create a tunnel,
                  # this is used when you are using IPSEC for
                  # encryption only and not for tunneling.
                  # mode is a sub-command of the transform-set, so it goes
                  # directly under it, not after a ! separator
!
crypto map mymap 10 ipsec-isakmp   # create the crypto map
 set peer 192.168.1.2              # the peer must match the ISAKMP statement
 set transform-set myset           # use the encryption we defined above
 match address match-gre           # encrypt only packets in the GRE tunnel
!
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
 crypto map mymap              # crypto map must be applied to the tunnel
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ip nat outside                # the Internet-facing interface is the NAT outside interface
 duplex auto
 speed auto
 crypto map mymap   # crypto map must be applied to tunnel and public interface
!
ip access-list extended allow-gre
 permit gre any any               # allow GRE through the firewall
 permit esp any any               # allow ESP for IPSEC through the firewall
 permit udp any any eq 500        # allow UDP port 500 (ISAKMP), which IPSEC also uses
                                  # everything else inbound is dropped by the implicit deny
!
# access-list to match tunnel traffic.
# This access-list must be in the form (my public ip) (destination public ip)
ip access-list extended match-gre
 permit gre host 192.168.1.1 host 192.168.1.2 log</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Create a GRE tunnel between endpoints!</title>
		<link>http://www.techinvasion.net/2008/09/08/create-a-gre-tunnel-between-endpoints/</link>
		<comments>http://www.techinvasion.net/2008/09/08/create-a-gre-tunnel-between-endpoints/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 18:20:02 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[GRE]]></category>
		<category><![CDATA[IPSEC]]></category>
		<category><![CDATA[TUNNEL]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=48</guid>
		<description><![CDATA[Many times it is necessary to link a remote office to your main site, and today we have many technologies to accomplish this task. We have IPSEC tunnels, IP-in-IP tunnels, and GRE or Generic Routing Encapsulation tunnels. Each type of connectivity offers advantages and disadvantages. Some of these tunnels can even be overlaid on top [...]]]></description>
			<content:encoded><![CDATA[<p>Many times it is necessary to link a remote office to your main site, and today we have many technologies to accomplish this task. We have IPSEC tunnels, IP-in-IP tunnels, and GRE or Generic Routing Encapsulation tunnels.</p>
<p>Each type of connectivity offers advantages and disadvantages. Some of these tunnels can even be overlaid on top of one another. For instance IPSEC can be used in transport mode, which allows you to use its encryption with other tunnels or protocols. For this article we are going to discuss GRE tunnels. GRE is unique as tunneling technologies go in that it started out as a proprietary protocol developed by Cisco and was later adopted as a standard. GRE was invented as a way of encapsulating non-routable protocols in IP, which is a routable protocol. In this way protocols such as multicast (this includes OSPF and EIGRP) and other protocols like IPX could be tunneled across routable links.</p>
<p><span id="more-48"></span></p>
<p>GRE offers several advantages today when used as a tunnel to connect private LANs. The main advantage is the ability to carry multicast traffic, i.e. routing protocols, across the internet. For instance, let&#8217;s say you had a main office in London, which has Frame Relay links to 15 offices in Europe, and you have your headquarters in Washington D.C. with an MPLS network of 25 offices across North and South America. Now suppose that due to the cost of bandwidth, and particularly the cost of a private connection such as frame relay across the pond, you decided to go with a 45 Mbps T3 line between London and D.C. Now you could connect these offices with an IPSEC VPN; however, if you did this you would be limited to building static routes for each network on each side of the ocean. This is not a very scalable solution and does not give you the advantages of a dynamic routing protocol. This solution may even limit you should you decide to add a second T3 later, say to an office in Madrid. With dynamic routing protocols, the traffic would automatically swing to the Madrid office if something were to happen to the link between D.C. and London. The solution to this problem is to use GRE tunnels: since GRE tunnels pass all types of traffic you can easily run a dynamic routing protocol like OSPF or EIGRP. These protocols allow seamless, easy route adjustments when a route goes down.</p>
<p>Configuring GRE tunnels is easy; with a few simple steps you will be on your way. Before we can talk about configuring GRE tunnels we need to discuss exactly what the requirements for GRE are. GRE is a protocol in its own right, like IP, so you need to make sure this protocol is allowed through your firewall if you want to terminate a GRE tunnel. GRE, to be more exact, is IP protocol 47. Please be mindful that this is not port 47 but protocol 47. Allowing port 47 through your firewall will not allow GRE to work.</p>
<p>Steps to configure a GRE tunnel</p>
<ol type="1">
<li>create an access-list on the outside interface to permit GRE</li>
<li>create the tunnel interface</li>
</ol>
<pre class="prettyprint">
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ip nat outside
 duplex auto
 speed auto
!
! GRE is IP protocol 47, matched by the gre keyword; the implicit deny
! at the end of this list blocks all other inbound traffic on the Internet interface
ip access-list extended allow-gre
 permit gre any any</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/09/08/create-a-gre-tunnel-between-endpoints/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video tutorial on IPV6</title>
		<link>http://www.techinvasion.net/2008/05/15/video-tutorial-on-ipv6/</link>
		<comments>http://www.techinvasion.net/2008/05/15/video-tutorial-on-ipv6/#comments</comments>
		<pubDate>Thu, 15 May 2008 20:47:58 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[2008]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[TCP/IP]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/2008/05/15/video-tutorial-on-ipv6/</guid>
		<description><![CDATA[You can download or watch the full video at IPV6]]></description>
			<content:encoded><![CDATA[<p>You can download or watch the full video at <a href="http://www.veoh.com/videos/v9841093DECYazen">IPV6</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/05/15/video-tutorial-on-ipv6/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Life the Universe and Everything</title>
		<link>http://www.techinvasion.net/2007/07/09/life-the-universe-and-everything/</link>
		<comments>http://www.techinvasion.net/2007/07/09/life-the-universe-and-everything/#comments</comments>
		<pubDate>Mon, 09 Jul 2007 22:47:25 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/2007/07/09/life-the-universe-and-everything/</guid>
		<description><![CDATA[Today I realized that even though the world is cruel and unfair, irony is not lost. I realized this while I was sitting on hold with my ISP, and the rep came back on the line and told me the reason why I had to hold a little longer was because he himself was on [...]]]></description>
			<content:encoded><![CDATA[<p>Today I realized that even though the world is cruel and unfair, irony is not lost. I realized this while I was sitting on hold with my ISP, and the rep came back on the line and told me the reason why I had to hold a little longer was because he himself was on hold&#8230;&#8230; 5 minutes later he hung up on me while transferring my call&#8230;.? </p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2007/07/09/life-the-universe-and-everything/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

