Cisco Support Community

Reflexive Access list on IOS


This document explains the concept of reflexive access lists.


Router running IOS

Network Diagram



Reflexive access lists allow you to dynamically open up your filtering router to let reply packets back through, in response to an outbound TCP connection or UDP session initiated from within your network. This mechanism reduces exposure to spoofing and denial-of-service attacks, since the inbound flows you actually want are mostly replies to outbound traffic.

The idea of a reflexive ACL is to take a packet flow, extract its session information (i.e. source/destination IP addresses and ports) and create a temporary entry in an access list that is applied in the opposite direction, permitting the "mirrored" flow. A named access list is required to implement traffic reflection.

Reflexive access lists work like a charm with simple protocols such as HTTP and Telnet. However, complex protocols such as FTP open additional data channels that cannot be properly intercepted by reflexive access lists.

Another important aspect to keep in mind is that reflexive ACLs scale poorly, since the router needs to open pinholes on a temporary basis and age them out, constantly keeping track of every new "session".

Also, router-originated traffic is not subject to reflection, unless we use local policy routing to divert it onto a loopback interface so that it becomes ingress traffic.

Ensure that you meet these requirements before you attempt this configuration:



Refer to the following example of a reflexive ACL.

In this specific example, we permit TCP, UDP and ICMP traffic from the inside network to the outside network.

Internet Router:

!!!! Outbound access-list, mirror all outbound sessions
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR

!!!! Ingress ACL, permit only the "returning" packets
ip access-list extended INBOUND
 evaluate MIRROR

Applying the ACLs on the interface:

interface FastEthernet0/0
 ip address
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 duplex auto
 speed auto



ROUTER1#show access-lists
Extended IP access list INBOUND
    10 evaluate MIRROR
Reflexive IP access list MIRROR
Extended IP access list OUTBOUND
    10 permit tcp any any reflect MIRROR
    20 permit udp any any reflect MIRROR
    30 permit icmp any any reflect MIRROR
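As an added illustration (not the document's own configuration or any Cisco code), here is a small Python model of the reflect/evaluate behaviour described above and implemented by the OUTBOUND/INBOUND lists: an outbound packet creates a mirrored temporary entry, inbound packets are permitted only if they match one, idle entries age out, and an active-mode FTP data channel goes unmatched because the server initiates it. Hosts, ports and timestamps are constructed values; the 300 second idle timeout is the IOS default, adjustable globally with ip reflexive-list timeout.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """A 5-tuple as the router sees it (all addresses/ports here are constructed)."""
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveACL:
    """One reflexive list: 'reflect' (outbound ACL) creates a temporary mirrored
    entry, 'evaluate' (inbound ACL) matches against it, and entries idle longer
    than `timeout` seconds age out (300 s is the IOS default)."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}  # mirrored Packet -> time it was last refreshed

    def reflect(self, pkt, now):
        # Outbound packet: swap src/dst addresses and ports, create/refresh the entry.
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now
        return mirror

    def evaluate(self, pkt, now):
        # Inbound packet: age out idle entries, then permit only an exact mirror match.
        self.entries = {e: t for e, t in self.entries.items() if now - t < self.timeout}
        if pkt in self.entries:
            self.entries[pkt] = now  # matching traffic refreshes the idle timer
            return True
        return False

def demo():
    """Walk through the cases the document describes; returns permit (True)/deny."""
    acl = ReflexiveACL(timeout=300)
    inside, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    acl.reflect(Packet("tcp", inside, 40000, server, 80), now=0)  # outbound HTTP
    http_reply = Packet("tcp", server, 80, inside, 40000)
    results = {"http_reply": acl.evaluate(http_reply, now=5),
               "unsolicited": acl.evaluate(Packet("tcp", "198.51.100.7", 1234, inside, 22), now=5)}
    # Active-mode FTP: the control channel is mirrored, but the server opens the data
    # channel itself (from port 20 to a client port never seen outbound), so no entry matches.
    acl.reflect(Packet("tcp", inside, 40001, server, 21), now=10)
    results["ftp_control"] = acl.evaluate(Packet("tcp", server, 21, inside, 40001), now=11)
    results["ftp_data"] = acl.evaluate(Packet("tcp", server, 20, inside, 40002), now=12)
    # The HTTP entry was last refreshed at t=5, so after 300 idle seconds it has aged out.
    results["http_after_timeout"] = acl.evaluate(http_reply, now=400)
    return results
```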

Hope this information is useful to you, and I want to thank you for your time.

Related Information

Community Member

Well done! Great document athukral! I was wondering if there is another way to avoid ip inspect, and this is what I searched for!

I have another problem using your way or the ip inspect way. I can ping the Internet from computers connected to the internal NATed network, but not from the Cisco itself! Do you have any solution to this problem?