Tuesday, January 12, 2016

Reflexive ACL

A reflexive ACL works as a simple stateful (adaptive) firewall. It permits outbound traffic and then permits inbound traffic only when it is the return half of an upper-layer session (TCP, UDP, ICMP and so on) that was initiated from the inside network behind the router, similar in spirit to Context-Based Access Control (CBAC). Inbound packets that do not belong to such a session fall through to the implicit deny at the end of the inbound ACL.


We will configure a reflexive ACL on F0/1 of R5. F0/1 faces R6 (10.50.56.0/24), while R4 sits on the other side of R5, so traffic from R4 to R6 leaves F0/1 outbound and R6's replies enter it inbound:

R5(config)#!
ip access-list extended REF_TEST_OUT
 ! OSPF with R6 must keep working, so it is permitted explicitly in both directions
 permit ospf any any
 ! Every TCP session permitted by this line is "reflected": a temporary entry with the
 ! session's source/destination addresses and ports swapped is created in the reflexive
 ! ACL named "REF", so only the return traffic of that session will match it
 permit tcp any any reflect REF
!
ip access-list extended REF_TEST
 permit ospf any any
 ! Nest (evaluate) the reflexive ACL "REF" at this point of the inbound ACL, so inbound
 ! packets are checked against the temporary entries; anything else hits the implicit deny
 evaluate REF
!
interface FastEthernet0/1
 ip address 10.50.56.5 255.255.255.0
 ip access-group REF_TEST in
 ip access-group REF_TEST_OUT out

Look at the example. Here are the ACLs before any TCP session has been established; the reflexive ACL REF is still empty:
R5(config)#do sh ip access | sec REF
Reflexive IP access list REF
Extended IP access list REF_TEST
    10 permit ospf any any (121 matches)
    20 evaluate REF
Extended IP access list REF_TEST_OUT
    5 permit ospf any any
    10 permit tcp any any reflect REF (88 matches)
R5(config)#
Now we telnet from R4 to router R6 through R5:

R4#telnet 10.50.56.6
Trying 10.50.56.6 ... Open
User Access Verification
Username: cisco
Password:
R6>


On R5 the reflexive ACL now holds the mirrored permit entry for that session: source R6 port telnet, destination R4's ephemeral port 60050, with a match counter and the remaining lifetime of the entry:
R5(config)#do sh ip access | sec REF
Reflexive IP access list REF
     permit tcp host 10.50.56.6 eq telnet host 10.50.45.4 eq 60050 (45 matches) (time left 279)
Extended IP access list REF_TEST
    10 permit ospf any any (133 matches)
    20 evaluate REF
Extended IP access list REF_TEST_OUT
    5 permit ospf any any
    10 permit tcp any any reflect REF (113 matches)

This temporary entry stays in REF until the TCP session closes (the router sees two FIN bits or a RST and removes the entry within a few seconds) or until no matching packet has been seen for the timeout; the default is 300 seconds, which is why the entry above shows "time left 279", and every matching packet resets the timer. The timeout can be changed globally with ip reflexive-list timeout <seconds> or per entry with the timeout keyword on the reflect line. UDP and ICMP have no close to detect, so their entries only age out. Two caveats: both ACLs end with the implicit deny, so with this configuration anything other than OSPF and TCP (ICMP, UDP) is dropped in either direction unless further permit or reflect lines are added; and protocols that open a second connection on a negotiated port, such as active FTP, are not handled, because only the exact mirrored 5-tuple is permitted.
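To make the "mirroring" and the lifetime of the temporary entry concrete, here is an added Python model of the two ACLs on R5 (example code written for this post; it is not IOS and not the post's own configuration). It assumes the IOS default timeout of 300 seconds, approximates the teardown after a close as a 5-second grace period (CLOSE_GRACE), and maps port 23 to the name "telnet" only to render the show output; the packets in demo() are constructed from the addresses in the post (R4 10.50.45.4, R6 10.50.56.6) and the ephemeral port 60050 seen above.

```python
from dataclasses import dataclass

DEFAULT_TIMEOUT = 300  # idle lifetime of a reflexive entry (IOS default, assumed)
CLOSE_GRACE = 5        # IOS removes the entry shortly after a close; modelled as 5 s
PORT_NAMES = {23: "telnet", 22: "ssh", 80: "www"}  # only for the 'show' output

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "ospf", ...
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False
    rst: bool = False

@dataclass
class ReflexiveEntry:
    # One temporary ACE: the permitted outbound 5-tuple with the ends swapped.
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expires_at: float
    matches: int = 0
    fins_seen: int = 0

    def as_ace(self, now):
        return (f"permit {self.proto} host {self.src} eq {PORT_NAMES.get(self.sport, self.sport)} "
                f"host {self.dst} eq {PORT_NAMES.get(self.dport, self.dport)} "
                f"({self.matches} matches) (time left {int(self.expires_at - now)})")

class ReflexiveACL:
    """Models R5's pair of ACLs; the implicit deny ends both, as on IOS."""

    def __init__(self, reflect=("tcp",), static=("ospf",), timeout=DEFAULT_TIMEOUT):
        self.reflect, self.static, self.timeout = set(reflect), set(static), timeout
        self.entries = {}  # reply-direction 5-tuple -> ReflexiveEntry

    def _purge(self, now):
        self.entries = {k: e for k, e in self.entries.items() if e.expires_at > now}

    def _touch(self, e, p, now):
        # Every matching packet resets the timer; a RST or two FINs make it short.
        if p.rst:
            e.expires_at = now + CLOSE_GRACE
            return
        e.fins_seen += int(p.fin)
        e.expires_at = now + (CLOSE_GRACE if e.fins_seen >= 2 else self.timeout)

    def outbound(self, p, now):
        """REF_TEST_OUT: permit ospf; permit tcp any any reflect REF; implicit deny."""
        self._purge(now)
        if p.proto in self.static:
            return True
        if p.proto not in self.reflect:
            return False  # e.g. ICMP or UDP from the inside is dropped here
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # what the reply will look like
        e = self.entries.setdefault(key, ReflexiveEntry(*key, now + self.timeout))
        self._touch(e, p, now)
        return True

    def inbound(self, p, now):
        """REF_TEST: permit ospf; evaluate REF; implicit deny."""
        self._purge(now)
        if p.proto in self.static:
            return True
        e = self.entries.get((p.proto, p.src, p.sport, p.dst, p.dport))
        if e is None:
            return False  # unsolicited traffic never reaches a permit
        e.matches += 1
        self._touch(e, p, now)
        return True

    def show(self, now):
        self._purge(now)
        return ["Reflexive IP access list REF"] + [
            "     " + e.as_ace(now) for e in self.entries.values()]

def demo():
    """Replay the post's telnet from R4 (10.50.45.4:60050) to R6 (10.50.56.6:23)."""
    acl, r4, r6 = ReflexiveACL(), "10.50.45.4", "10.50.56.6"
    syn = Packet("tcp", r4, 60050, r6, 23)
    synack = Packet("tcp", r6, 23, r4, 60050)
    stray = Packet("tcp", r6, 23, r4, 60051)  # R6 probing a port R4 never used
    hello = Packet("ospf", r6, 0, "224.0.0.5", 0)
    result = {
        "ospf_in": acl.inbound(hello, 0),      # static permit, not reflected
        "syn_out": acl.outbound(syn, 0),       # permitted and mirrored into REF
        "synack_in": acl.inbound(synack, 1),   # permitted by the mirrored entry
        "stray_in": acl.inbound(stray, 1),     # port differs: implicit deny
        "show": acl.show(22),                  # entry with 'time left 279'
    }
    acl.outbound(Packet("tcp", r4, 60050, r6, 23, fin=True), 30)
    acl.inbound(Packet("tcp", r6, 23, r4, 60050, fin=True), 31)  # second FIN seen
    result["after_close"] = acl.show(31 + CLOSE_GRACE + 1)        # entry torn down
    acl.outbound(Packet("tcp", r4, 60051, r6, 23), 100)           # abandoned session
    result["after_idle"] = acl.show(100 + DEFAULT_TIMEOUT + 1)    # aged out
    return result
```

Running demo() reproduces the entry from the router output ("permit tcp host 10.50.56.6 eq telnet host 10.50.45.4 eq 60050 ... (time left 279)"), shows that R6 cannot open anything towards R4 on its own (stray_in is denied), and that the entry disappears both after the FIN exchange and, for a session nobody closes, once the idle timeout runs out.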



See you!

Best Regards!
