This document explains the concept of Reflexive access lists.
Router Running IOS
Reflexive access lists allow you to dynamically open up your filtering router to allow reply packets back through, in response to an outbound TCP connection or UDP session initiated from within your network. This mechanism reduces exposure to spoofing and denial-of-service, since desirable inbound flows are mostly in response to outbound traffic.
The idea of a reflexive ACL is to take a packet flow, extract its session information (i.e. source/destination IP addresses and ports) and create a dynamic entry in an access list applied in the opposite direction, permitting the "mirrored" flow. A named access list is required to implement traffic reflection.
Reflexive access lists work like a charm with simple single-channel protocols such as HTTP and Telnet. However, complex protocols like FTP open additional data channels, which reflexive access lists cannot properly intercept.
Another important aspect to keep in mind is that reflexive ACLs scale poorly, since the router has to open pinholes on a temporary basis and age them out, constantly keeping track of every new "session".
Also, router-originated traffic is not subject to reflection unless local policy routing is used to divert it to a loopback interface so that it becomes ingress traffic.
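The following is an added illustration, not IOS code and not part of the original document: a small Python model of what the router does with a reflexive ACL. It mirrors each outbound session into a temporary inbound permit entry, ages entries out after a timeout, and shows why an unsolicited connection and an active-mode FTP data channel are both denied. The addresses, ports and the 300-second timeout are constructed for the example, and TCP FIN/RST teardown of entries is deliberately ignored.

```python
# Added illustration (not IOS code): a model of how a reflexive ACL mirrors
# outbound sessions into temporary inbound permit entries, ages them out, and
# why an FTP data channel is not covered. Addresses, ports and the timeout
# value are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a session, as the router sees it in a packet header."""
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # 0 for icmp (this model keys ICMP on addresses only)
    dst: str
    dport: int

    def mirror(self):
        """The reply direction: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveAcl:
    """Models 'permit <proto> any any reflect MIRROR' on the OUTBOUND ACL and
    'evaluate MIRROR' followed by the implicit deny on the INBOUND ACL.
    Entries expire after `timeout` seconds without a matching packet
    (constructed default; TCP FIN/RST teardown is ignored in this model)."""

    def __init__(self, timeout=300, reflected=("tcp", "udp", "icmp")):
        self.timeout = timeout
        self.reflected = reflected
        self.entries = {}   # mirrored Flow -> timestamp of last matching packet

    def outbound(self, flow, now):
        """OUTBOUND ACL applied 'out': permit and install the mirrored entry."""
        if flow.proto not in self.reflected:
            return False                       # implicit deny at end of ACL
        self.entries[flow.mirror()] = now
        return True

    def inbound(self, flow, now):
        """INBOUND ACL applied 'in': 'evaluate MIRROR', then implicit deny."""
        self._age_out(now)
        if flow in self.entries:
            self.entries[flow] = now           # activity refreshes the timer
            return True
        return False

    def _age_out(self, now):
        self.entries = {f: t for f, t in self.entries.items()
                        if now - t < self.timeout}


def demo():
    """Walk a few packets through the model and return the permit/deny verdicts."""
    acl = ReflexiveAcl(timeout=300)
    inside, web, ftp, outsider = "10.0.0.5", "203.0.113.10", "203.0.113.20", "198.51.100.7"
    verdicts = {}

    # 1. Inside host opens HTTP; the reply is matched by the mirrored entry.
    http = Flow("tcp", inside, 40000, web, 80)
    acl.outbound(http, now=0)
    verdicts["http_reply"] = acl.inbound(http.mirror(), now=1)

    # 2. An unsolicited inbound SSH connection has no mirrored entry: denied.
    verdicts["unsolicited_ssh"] = acl.inbound(Flow("tcp", outsider, 12345, inside, 22), now=2)

    # 3. Active-mode FTP: the control channel is reflected, but the server-initiated
    #    data connection (port 20 to a port negotiated inside the control channel)
    #    has no mirrored entry, so it is denied: the limitation noted above.
    ftp_ctl = Flow("tcp", inside, 41000, ftp, 21)
    acl.outbound(ftp_ctl, now=3)
    verdicts["ftp_control_reply"] = acl.inbound(ftp_ctl.mirror(), now=4)
    verdicts["ftp_data_channel"] = acl.inbound(Flow("tcp", ftp, 20, inside, 41001), now=5)

    # 4. Aging: after 300 s of silence the HTTP entry is gone, so a late
    #    packet from the web server is denied again.
    verdicts["http_reply_after_timeout"] = acl.inbound(http.mirror(), now=1 + 300)
    return verdicts


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:26s} {'permit' if permitted else 'deny'}")
```

Running the script prints one verdict per line; the FTP data channel and the post-timeout reply both come out as deny, which is exactly the behaviour the two caveats above describe.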
Ensure that you meet this requirement before you attempt this configuration: a router running Cisco IOS.
Refer to the following example of a reflexive ACL. In this specific example, we permit TCP, UDP and ICMP traffic from the inside to the outside network.
!!!! Outbound access list, mirror all outbound sessions
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!!!! Ingress ACL, permit only the "returning" packets (evaluate the mirrored entries, then implicit deny)
ip access-list extended INBOUND
 evaluate MIRROR
Apply the ACLs on the outside-facing interface (the interface name below is assumed; use your own):
!!!! interface name assumed for the example
interface GigabitEthernet0/0
 ip address 188.8.131.52 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
The resulting access lists as displayed by show ip access-lists (the reflexive list MIRROR is empty until an outbound session creates entries):
Extended IP access list INBOUND
    10 evaluate MIRROR
Reflexive IP access list MIRROR
Extended IP access list OUTBOUND
    10 permit tcp any any reflect MIRROR
    20 permit udp any any reflect MIRROR
    30 permit icmp any any reflect MIRROR
Hope this information is useful to you, and I want to thank you for your time.