Reflexive access-lists

May 23rd, 2009

Just a quick open question I hope.

After recently reading about reflexive access-lists on Routers I was wondering if they are required on Cisco PIX or ASAs?

Or is this kind of thing taken care of as default behaviour on a security module such as this?


jeremyault Sat, 05/23/2009 - 09:48

Reflexive access lists allow you to dynamically open up your filtering router to allow reply packets back through, in response to an outbound TCP connection or UDP session initiated from within your network.

This is exactly what the ASA's stateful inspection does by default. It allows traffic from a higher security level (inside interface) to a lower security level (outside interface) and only lets traffic from the lower security level interface to a higher security level interface (from outside to inside) if it's part of a response to an outbound request -- or if the traffic is explicitly permitted inbound on an ACL.

Hope that helps.
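As an added illustration (not part of the original thread), the router configuration the answer describes is shown beside the ASA equivalent. Interface names, ACL names, timeouts and the 203.0.113.10 server address are assumed placeholders.

```cisco
! --- IOS router: reflexive ACLs must be configured explicitly ---
! Outbound traffic creates temporary "reflected" entries (mirrored
! source/destination addresses and ports) that expire after the timeout.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 permit icmp any any
!
! Inbound traffic is permitted only if it matches a reflected entry,
! or if it is explicitly permitted (here: HTTPS to an assumed server).
ip access-list extended INBOUND
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any
!
interface GigabitEthernet0/0
 description Outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! --- ASA: nothing equivalent to "reflect"/"evaluate" is needed ---
! Security levels alone let inside (100) reach outside (0) and let
! return traffic back through the state table. Only the explicit
! inbound exception has to be written.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
```

Reflexive ACLs only track the mirrored 5-tuple, so protocols that open secondary data channels (active FTP, for example) are not handled by them, whereas the ASA's default inspection policy covers those as well.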

