10.7 Configuring IP Session Filtering (Reflexive Access Lists)
10.7.3 Configure reflexive access lists
In a previous section, "Prework," you decided whether to configure reflexive access lists for an internal or external interface. Now, complete the tasks in one of the following configuration task lists.

External Interface Configuration Task List

To configure reflexive access lists for an external interface, perform these tasks:

  1. Define the Reflexive Access List(s) in an outbound IP extended named access list.
  2. Nest the Reflexive Access List(s) in an inbound IP extended named access list.
  3. Set a Global Timeout Value (Optional).

These tasks are described in the sections following the internal interface configuration task list.

Note: The defined (outbound) reflexive access list evaluates traffic traveling out of your network: if the defined reflexive access list is matched, temporary entries are created in the nested (inbound) reflexive access list. These temporary entries will then be applied to traffic traveling into your network.

Internal Interface Configuration Task List

To configure reflexive access lists for an internal interface, perform these tasks:

  1. Define the Reflexive Access List(s) in an inbound IP extended named access list.
  2. Nest the Reflexive Access List(s) in an outbound IP extended named access list.
  3. Set a Global Timeout Value (Optional).

These tasks are described in the next sections.

Note: The defined (inbound) reflexive access list is used to evaluate traffic traveling out of your network: if the defined reflexive access list is matched, temporary entries are created in the nested (outbound) reflexive access list. These temporary entries will then be applied to traffic traveling into your network.

Define the Reflexive Access List(s)

To define a reflexive access list, you use an entry in an extended named IP access list. This entry must use the reflect keyword.

  • If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one that is applied to outbound traffic.
  • If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one that is applied to inbound traffic.

To define reflexive access lists, perform the tasks shown in Figure , starting in global configuration mode.

If the extended named IP access list you just specified has never been applied to the interface, you must also complete this next task shown in Figure .

Apply the extended named IP access list to the interface, in interface configuration mode.

Mixing Reflexive-Access-List Statements with Other Permit and Deny Entries

The extended IP access list that contains the reflexive access list permit statement can also contain other normal permit and deny statements (entries). However, as with all access lists, the order of entries is important, as explained in the following paragraphs.

If you configure reflexive access lists for an external interface, when an outbound IP packet reaches the interface, the packet will be evaluated sequentially by each entry in the outbound access list until a match occurs.

If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (reflexive filtering will not be triggered).

The outbound packet will be evaluated by the reflexive permit entry only if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded out of the interface and a corresponding temporary entry is created in the inbound reflexive access list (unless the corresponding entry already exists, indicating the outbound packet belongs to a session in progress). The temporary entry specifies criteria that permit inbound traffic only for the same session.

Nest the Reflexive Access List(s)

After you define a reflexive access list in one IP extended access list, you must "nest" the reflexive access list within a different extended named IP access list.

  • If you are configuring reflexive access lists for an external interface, nest the reflexive access list within an extended named IP access list applied to inbound traffic.
  • If you are configuring reflexive access lists for an internal interface, nest the reflexive access list within an extended named IP access list applied to outbound traffic.

After you nest a reflexive access list, packets heading into your internal network can be evaluated against any reflexive access list temporary entries, along with the other entries in the extended named IP access list.

To nest reflexive access lists, perform the tasks shown in Figure , starting in global configuration mode.

Again, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended-access-list entries are evaluated sequentially up to the nested entry, then the reflexive-access-list entries are evaluated sequentially, and then the remaining entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated.

If the extended named IP access list you just specified has never been applied to the interface, you must also complete this next task shown in Figure .

Apply the extended named IP access list to the interface, in interface configuration mode.

Set a Global Timeout Value (Optional)

Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the "timeout" period). You can specify the timeout for a particular reflexive access list when you define the reflexive access list. But if you do not specify the timeout for a given reflexive access list, the list will use the global timeout value instead.

The global timeout value is 300 seconds by default, but you can change the global timeout to a different value at any time.

To change the global timeout value, perform the task in Figure in global configuration mode.
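The three tasks carried through for an external interface, as an added example that is not part of the original page: the interface name, the access-list and reflexive-list names, and the addresses (192.0.2.53 and 203.0.113.7 are documentation addresses) are assumptions chosen for illustration, and the temporary entry shown in the comments is what IOS would build for the sample session, not output copied from a device.

```cisco
! Added example (not from the original page). Assumes GigabitEthernet0/1 is the
! external interface; list names and addresses are made up for illustration.

! Task 1 - Define: "reflect" on permit entries of the list applied OUTBOUND.
! Order matters: the first entry matches DNS queries to 192.0.2.53 before the
! reflect entries, so no temporary entry is created for them (reflexive
! filtering is not triggered), and their replies must be permitted statically.
ip access-list extended outbound_filter
 permit udp any host 192.0.2.53 eq 53
 permit tcp any any reflect tcp_sessions timeout 120
 permit udp any any reflect udp_sessions
 deny   ip any any

! Task 2 - Nest: "evaluate" entries in the list applied INBOUND. Entries above
! them are checked first, then the temporary reflexive entries, then the
! entries below; the first match wins and nothing after it is evaluated.
ip access-list extended inbound_filter
 permit udp host 192.0.2.53 eq 53 any
 evaluate tcp_sessions
 evaluate udp_sessions
 deny   ip any any log

! Task 3 (optional) - Global timeout. tcp_sessions keeps its own 120 seconds;
! udp_sessions set none, so it uses this value instead of the 300-second default.
ip reflexive-list timeout 180

! Apply both lists to the external interface (interface configuration mode).
interface GigabitEthernet0/1
 ip access-group outbound_filter out
 ip access-group inbound_filter in

! Effect: an outbound TCP packet from 10.1.1.5 port 40000 to 203.0.113.7 port
! 443 matches the reflect entry and adds a temporary entry to tcp_sessions of
! the form
!   permit tcp host 203.0.113.7 eq 443 host 10.1.1.5 eq 40000
! which permits only that session's return traffic and expires after 120
! seconds without packets.

! For an INTERNAL interface the roles swap: the reflect entries go in the list
! applied "in" and the evaluate entries go in the list applied "out".
```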