This section describes how to configure reflexive access lists on
your router. Reflexive access lists let a router filter IP traffic
based on upper-layer protocol "session" information. You can use
reflexive access lists to permit IP traffic for sessions originating
from within your network while denying IP traffic for sessions
originating from outside your network. This is accomplished by
reflexive filtering, a kind of session filtering.

Reflexive access lists can be defined with extended named IP access
lists only. You cannot define reflexive access lists with numbered
or standard named IP access lists or with other protocol access
lists. You can use reflexive access lists in conjunction with other
standard access lists and static extended access lists.

Benefits of Reflexive Access Lists

Reflexive access lists are an important part of securing your
network against network hackers, and they can be included in a
firewall defense. Reflexive access lists provide a level of security
against spoofing and certain denial-of-service attacks. Reflexive
access lists are simple to use, and, compared to basic access lists,
they provide greater control over which packets enter your network.

What Is a Reflexive Access List?

Reflexive access lists are similar in many ways to other access
lists. Reflexive access lists contain condition statements (entries)
that define criteria for permitting IP packets. These entries are
evaluated in order, and when a match occurs, no more entries are
evaluated.

However, reflexive access lists have significant differences from
other types of access lists. Reflexive access lists contain only
temporary entries; these entries are automatically created when a
new IP session begins (for example, with an outbound packet), and
the entries are removed when the session ends. Reflexive access
lists are not applied directly to an interface, but are
"nested" within an extended named IP access list that is applied
to the interface. Also, reflexive access lists do not have the usual
implicit "deny-all-traffic" statement at the end of the list,
because of the nesting.
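
The nesting within an extended named access list, the temporary
entries created by outbound sessions, and the missing implicit deny
described above, shown as an added Cisco IOS configuration example.
This is illustrative configuration written for this page, not text
from the original document. The access list names OUTBOUND, INBOUND,
TCPSESSIONS, UDPSESSIONS and ICMPSESSIONS, the interface Serial0/0,
the address 192.0.2.10 and the timeout values are assumptions chosen
for the example; the commands themselves (ip access-list extended,
reflect, evaluate, ip access-group, ip reflexive-list timeout) are
standard IOS syntax.

```cisco
! Global default lifetime, in seconds, for temporary reflexive
! entries (assumed value). TCP entries are also removed early when
! the session closes; UDP and ICMP entries rely on this timer.
ip reflexive-list timeout 120
!
! Outbound list: each permitted session creates a temporary entry in
! the named reflexive list, with source and destination addresses
! and ports reversed so that only the return traffic of that session
! matches. The per-entry timeout overrides the global default.
ip access-list extended OUTBOUND
 remark Sessions originating inside the network are permitted
 permit tcp any any reflect TCPSESSIONS timeout 300
 permit udp any any reflect UDPSESSIONS timeout 60
 permit icmp any any reflect ICMPSESSIONS
 deny ip any any log
!
! Inbound list: "evaluate" nests the reflexive lists here. Entries
! are checked in order, so the static exception for the mail server
! (constructed example) is matched before the reflexive lists.
! A reflexive list has no implicit deny, so an inbound packet that
! matches no temporary entry falls through to the explicit deny that
! must be written at the end of this outer list.
ip access-list extended INBOUND
 remark Static exception: inbound SMTP to the mail server (assumed)
 permit tcp any host 192.0.2.10 eq 25
 evaluate TCPSESSIONS
 evaluate UDPSESSIONS
 evaluate ICMPSESSIONS
 deny ip any any log
!
! Apply both lists to the interface facing the external network
! (interface name assumed). The reflexive lists are never applied
! directly; they take effect only through the evaluate statements.
interface Serial0/0
 description Link to the external network (assumed)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

After an inside host opens a session through Serial0/0, show
access-lists displays the temporary entry under the corresponding
reflexive list, with the reversed addresses and ports and its
remaining lifetime; the entry disappears when the session ends or
the timeout expires. Because the reflexive lists carry no implicit
deny, omitting the final deny statement in INBOUND would leave the
outer list's own implicit deny as the only backstop, so stating it
explicitly with log keeps the rejected traffic visible.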