Cisco Support Community
Community Member

Reflexive access-lists

Just a quick open question I hope.

After recently reading about reflexive access-lists on Routers I was wondering if they are required on Cisco PIX or ASAs?

Or is this kind of thing taken care of as default behaviour on a security module such as this?

Thanks.

1 REPLY
Community Member

Re: Reflexive access-lists

Reflexive access lists allow you to dynamically open up your filtering router to allow reply packets back through, in response to an outbound TCP connection or UDP session initiated from within your network.

This is exactly what the ASA's stateful inspection does by default. It allows traffic from a higher security level (inside interface) to a lower security level (outside interface) and only lets traffic from the lower security level interface to a higher security level interface (from outside to inside) if it's part of a response to an outbound request -- or if the traffic is explicitly permitted inbound on an ACL.

Hope that helps.
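To make the comparison in the reply above concrete, here is the same policy written twice: first as an IOS reflexive ACL, then as the ASA equivalent. This is an added example, not configuration from the original post; the interface names, ACL names and addresses (RFC 1918 and RFC 5737 documentation ranges) are made up, and the only inbound exception assumed is HTTPS to one internal host at 192.168.1.10.

```cisco
! === IOS router: reflexive ACL (added example, hypothetical addresses) ===
! Outbound ACL: each permitted TCP/UDP flow leaving the outside interface
! creates a temporary, mirrored entry in the nested list INSIDE_REPLIES
! (source/destination addresses and ports reversed). Entries age out after
! the global timeout, or sooner when TCP FIN/RST is seen.
ip reflexive-list timeout 120
!
ip access-list extended OUTBOUND
 ! Server replies for the explicitly permitted inbound HTTPS service:
 ! listed first, without 'reflect', so they do not spawn reflexive entries.
 permit tcp host 192.168.1.10 eq 443 any
 permit tcp 192.168.1.0 0.0.0.255 any reflect INSIDE_REPLIES
 permit udp 192.168.1.0 0.0.0.255 any reflect INSIDE_REPLIES
 permit icmp 192.168.1.0 0.0.0.255 any
!
! Inbound ACL: 'evaluate' consults the temporary entries at that position;
! everything else from outside must be explicitly permitted.
ip access-list extended INBOUND
 permit tcp any host 192.168.1.10 eq 443
 evaluate INSIDE_REPLIES
 deny ip any any log
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! verify: show ip access-lists INSIDE_REPLIES   (temporary entries appear here)
!
! === ASA: same policy, no reflexive list at all ===
! The connection table does the mirroring for inside-initiated flows;
! only the inbound exception has to be written down.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! verify: show conn   (one entry per active flow, created by the first inside-initiated packet)
```

Two caveats worth knowing when moving between the two. On the ASA, the moment you bind an access-group inbound on the inside interface, the default "higher to lower is permitted" behaviour for that interface is replaced by the ACL's implicit deny, so outbound traffic then has to be permitted explicitly; return traffic is still handled by the connection table and never needs a reverse entry. On IOS, a reflexive ACL only mirrors the single addresses-and-ports tuple it saw, so protocols that open a secondary channel (active-mode FTP, for example) will not get their data connection through; the ASA's default inspection policy (`inspect ftp`) follows those channels, and on IOS the same job needs CBAC or zone-based firewall inspection rather than reflexive lists.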
