13-5 Filtering IP Sessions with Reflexive Access Lists

  • Normally, inbound traffic is blocked on a border router by an access list. Reflexive access lists watch outbound network traffic and create temporary entries to allow the returning inbound traffic that is associated with an IP session.

  • The temporary entries in a reflexive access list are removed as soon as the IP session ends.

  • Reflexive access lists approximate the behavior of "stateful" firewalls, in that an outbound session triggers the permission of the inbound session traffic from the far end.

  • For TCP, temporary entries are removed 5 seconds after the two FIN bits are received, or immediately after the RST bit is detected. For UDP and other connectionless protocols, the entries are removed after a timeout period from the last detected session packet.

  • Reflexive access lists use extended named IP access lists only.

  • Temporary entries appear as permit statements with the source and destination addresses and port numbers swapped in relation to the original outbound session.

Configuration

  1. Create a named extended IP access list for outbound traffic:

     (global)  ip access-list extended name
     (named-access-list)  permit ...

    The access list named name filters the outbound traffic. The permit keyword and its arguments should be used to allow any traffic outbound from the "inside" that doesn't need the reflexive access list functionality.

  2. Identify the outbound IP sessions that act as a reflexive trigger:

     (named-access-list)  permit protocol source [source-mask] destination [dest-mask] [operator port] reflect name [timeout seconds]

    The permit command is specified as in a normal extended named IP access list. The initial session traffic that matches the protocol, the source and destination addresses (addresses with masks, host, or any), and the optional port operator and port number triggers a reflexive access list entry. The reflect keyword must be used, along with the name of a named extended IP access list that is used in the reverse direction. You don't have to configure the name access list; it is created automatically, and reflexive entries are added to it. If desired, a timeout value in seconds (1 to 2147483647; the default is the global timeout value) can be used to expire a reflexive entry after no session traffic has been detected for that period.

  3. Apply the outbound access list to an interface:

     (interface)  ip access-group name out

    The access list named name is used to filter outbound traffic on the border router. The list also triggers reflexive access list entries to be created for specific outbound sessions.

  4. Create a named extended IP access list for inbound traffic:

     (global)  ip access-list extended name
     (named-access-list)  permit ...

    The access list named name filters the inbound traffic. The permit keyword and its arguments should be used to allow any traffic inbound from the "outside" that is normally required and trusted. This can also include trusted traffic that is not initiated from the inside, such as routing updates.

  5. Enable the addition of dynamic reflexive entries:

     (named-access-list)  evaluate name

    The evaluate keyword uses any reflexive entries that have been automatically added to the name extended IP access list. Again, this list is created and maintained by the router according to the reflexive access list's activity. Reflexive entries are created in permit form, allowing inbound traffic for triggered sessions.

  6. Apply the inbound access list to an interface:

     (interface)  ip access-group name in

    The access list named name is used to filter inbound traffic on the border router. The interface used should be the same interface where outbound sessions triggered the reflexive access list entries. In this fashion, one border interface has both inbound and outbound access lists with reflexive functionality.

Example

A reflexive access list is configured to watch outbound TCP and UDP traffic and create temporary inbound access list entries for those sessions. The extended access list outbound is used to trigger reflexive entries (access list allowreplies) for any TCP or UDP session initiated on the inside. All other IP traffic is permitted without triggering the reflexive process. The access list is applied to the external interface Ethernet 0 as an outgoing traffic filter.

Another extended access list inbound is used to permit any incoming HTTP traffic (because most Web traffic would not be initiated from the inside). All other traffic is permitted only when the reflexive access list entries from list allowreplies are evaluated. The inbound list is applied to the external interface Ethernet 0 as an incoming traffic filter.

Notice that the reflexive access list keeps track of sessions by recording the source and destination addresses and the source and destination port numbers for the returning traffic involved with both TCP and UDP sessions. This goes above and beyond what is possible with extended IP access lists, where return traffic for a session in progress can be detected only from the ACK and RST bits in the TCP headers (using the established keyword). Extended access lists offer no capability for detecting established or returning UDP session traffic.

  ip access-list extended outbound
   permit tcp any any reflect allowreplies
   permit udp any any reflect allowreplies
   permit ip any any
  ip access-list extended inbound
   permit tcp any any eq www
   evaluate allowreplies
  interface ethernet 0
   ip access-group outbound out
   ip access-group inbound in
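To make the temporary-entry lifecycle described above concrete, here is an added Python model (not code from the Cisco Field Manual or from IOS): it mirrors the 5-tuple of an outbound session into a permit entry, refreshes that entry on session traffic, and removes it on RST, 5 seconds after both FINs, or at the idle timeout. The 300-second default timeout, the addresses and the ports are assumed values.

```python
# Added example (not the book's own code): model of the temporary-entry lifecycle
# the text describes. Addresses, ports and the 300 s default are assumed values.
from dataclasses import dataclass

FIN_GRACE = 5.0  # seconds an entry lingers after both FINs are seen

@dataclass
class Entry:
    expires: float   # absolute time at which the entry is dropped
    timeout: float   # idle timeout used to refresh 'expires' on traffic
    fins: int = 0    # FIN bits seen in either direction

class ReflexiveList:
    """Models the list the router creates automatically for 'reflect <name>'."""

    def __init__(self, default_timeout=300.0):
        self.default_timeout = default_timeout
        self.entries = {}  # key: 5-tuple as seen on the RETURNING (inbound) packet

    def _expire(self, now):
        self.entries = {k: e for k, e in self.entries.items() if e.expires > now}

    def _touch(self, key, e, now, flags):
        if "RST" in flags:              # RST: remove immediately
            del self.entries[key]
        elif "FIN" in flags:            # second FIN: remove 5 s later
            e.fins += 1
            if e.fins >= 2:
                e.expires = now + FIN_GRACE
        elif e.fins < 2:                # ordinary traffic refreshes the idle timeout
            e.expires = now + e.timeout

    def outbound(self, proto, src, sport, dst, dport, now, flags=(), timeout=None):
        """Outbound packet matched 'permit <proto> ... reflect <name>'."""
        self._expire(now)
        key = (proto, dst, dport, src, sport)  # swapped: far end becomes the source
        if key in self.entries:
            self._touch(key, self.entries[key], now, flags)
        else:
            t = timeout or self.default_timeout
            self.entries[key] = Entry(now + t, t)

    def inbound(self, proto, src, sport, dst, dport, now, flags=()):
        """Inbound packet reached 'evaluate <name>': True if a live entry permits it."""
        self._expire(now)
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            return False
        self._touch(key, self.entries[key], now, flags)
        return True
```

An unsolicited inbound packet, or one whose ports differ from the mirrored entry, is not matched, which is exactly what the established keyword cannot express for UDP.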


Cisco Field Manual[c] Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
