A reflexive ACL is a little better than just simply putting the TCP established keyword on a normal ACL. For one thing, reflexive ACLs handle UDP traffic, whereas the "established" keyword is only for TCP.
You're correct though; it doesn't actually keep track of sessions or anything like that, it just looks at outgoing traffic and allows it to come back in for a short period. Certainly better than nothing though.
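To make the comparison concrete, here is an added IOS configuration (not from the post above) showing the weak "established"-only ACL beside a reflexive ACL pair; the interface name, ACL names and timeout values are assumed.

```cisco
! Weak approach: "established" only matches TCP segments with ACK or RST set.
! It keeps no state, so any inbound ACK-flagged segment passes, and UDP cannot
! be expressed this way at all.
ip access-list extended INBOUND-ESTABLISHED
 permit tcp any any established
 deny ip any any log

! Reflexive approach: each outbound flow that matches a "reflect" entry creates
! a temporary mirrored entry; inbound traffic is checked against those entries
! with "evaluate". Covers both TCP and UDP, and entries expire on their own.
ip reflexive-list timeout 120
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 30
 permit icmp any any
ip access-list extended INBOUND-REFLECT
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any log

! Apply both on the outside (untrusted) interface; the name is assumed.
interface GigabitEthernet0/1
 description Outside
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-REFLECT in
```

`show access-lists TCP-SESSIONS` lists the temporary entries together with the time left on each, which is how you confirm that return traffic is being admitted only for the window the outbound flow opened.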