Cisco Support Community
New Member

Reflexive Access-lists

I have a VLAN set up for proxies. I only want to allow the traffic that is going out of that VLAN to be able to return in.

I was thinking about using a reflexive access-list and was hoping that someone already had a similar situation that I could take a look at.

Is a reflexive access-list the best way to go in this situation?

Thanks,

Alex

3 REPLIES
Hall of Fame Super Blue

Re: Reflexive Access-lists

alexlpfeil wrote:

I have a VLAN set up for proxies. I only want to allow the traffic that is going out of that VLAN to be able to return in.

I was thinking about using a reflexive access-list and was hoping that someone already had a similar situation that I could take a look at.

Is a reflexive access-list the best way to go in this situation?

Thanks,

Alex

Alex

They would be, but it depends on the switch, i.e. reflexive ACLs are not supported on all switches. Which switch are you using?

Jon

New Member

Re: Reflexive Access-lists

I am using a Cisco 7606 router for the access-list.

I saw this on firstdigest.com. This is exactly what I was thinking about applying to the VLAN interface. I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.

ip access-list extended OUTBOUND
 permit tcp any any reflect TO_REFLECT
 permit udp any any reflect TO_REFLECT
!
ip access-list extended INBOUND
 evaluate TO_REFLECT

Hall of Fame Super Blue (Accepted Solution)

Re: Reflexive Access-lists

alexlpfeil wrote:

I am using a Cisco 7606 router for the access-list.

I saw this on firstdigest.com. This is exactly what I was thinking about applying to the VLAN interface. I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.

ip access-list extended OUTBOUND
 permit tcp any any reflect TO_REFLECT
 permit udp any any reflect TO_REFLECT
!
ip access-list extended INBOUND
 evaluate TO_REFLECT

Ah well, a 7600 should be fine. Short of using a firewall, then yes, reflexive access-lists would be the way to go.

Jon
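A fuller version of the reflexive ACL setup discussed in this thread, added here as an example; it is not taken from the original posts or from firstdigest.com. It assumes the proxies sit in VLAN 10 on 192.0.2.0/24 behind interface Vlan10, that they listen on TCP 3128, and that clients reach them from 10.0.0.0/8; those addresses, ports and ACL names are placeholders. One point worth being explicit about when the ACL goes on an SVI rather than a WAN interface is that the directions are the router's, not the VLAN's: a packet a proxy sends out of the VLAN arrives inbound on Vlan10 and the reply leaves outbound on Vlan10, so the reflect lines belong in the inbound list and the evaluate in the outbound list.

```ios
! Added example, not from the original thread. VLAN 10, 192.0.2.0/24,
! proxy port 3128 and client range 10.0.0.0/8 are assumed placeholders.
!
! Applied INBOUND on Vlan10: this sees traffic leaving the VLAN.
ip access-list extended PROXY-VLAN-IN
 remark Proxies answering their own clients: plain permit, no reflexive entry needed
 permit tcp 192.0.2.0 0.0.0.255 eq 3128 10.0.0.0 0.255.255.255
 remark Sessions the proxies initiate: record them in the reflexive list PROXY-SESSIONS
 permit tcp 192.0.2.0 0.0.0.255 any reflect PROXY-SESSIONS timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect PROXY-SESSIONS timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect PROXY-SESSIONS timeout 30
 deny ip any any log
!
! Applied OUTBOUND on Vlan10: this sees traffic entering the VLAN.
ip access-list extended PROXY-VLAN-OUT
 remark Clients connecting to the proxy service (assumed requirement; drop this line if unwanted)
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255 eq 3128
 remark Only replies to sessions recorded above may come back in
 evaluate PROXY-SESSIONS
 deny ip any any log
!
! Global fallback idle timeout for reflexive entries that carry no per-line timeout
ip reflexive-list timeout 120
!
interface Vlan10
 description Proxy VLAN
 ip address 192.0.2.1 255.255.255.0
 ip access-group PROXY-VLAN-IN in
 ip access-group PROXY-VLAN-OUT out
```

Once traffic is flowing, `show ip access-lists PROXY-SESSIONS` lists the temporary entries with their source and destination ports and the seconds left before they expire; TCP entries are also removed shortly after the FIN or RST exchange. Two limits to keep in mind: reflexive entries are created only for TCP, UDP and ICMP flows the permitted side initiates, so a protocol whose server opens a second connection back (active-mode FTP) will not work through this without an explicit permit, and the router has to track these entries itself, so check on your platform whether evaluated flows are forwarded in hardware before relying on it at line rate.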
