Reflexive Lists Lab Tips

  • Allows traffic from INSIDE > OUTSIDE to return back via the evaluate #TAG# command. This is the ACL applied inbound on the outside interface.
  • evaluate #TAG# command looks at the access list for traffic going out. This is the ACL applied outbound on the outside interface and uses permit traffic reflect #TAG#. e.g. permit tcp any any reflect MY_REFLECT
  • Generally apply these to the ‘outside’ interface to control both ‘outside’ and ‘inside’ interfaces. So anything in the ACL_OUT will then be inspected by the evaluate #TAG# in the ACL_IN and create dynamic ACL to allow that traffic in.
  • Verify by doing show ip access-list MY_REFLECT (#tag#) – You will see the dynamic ACL entry providing that you have triggered it.
  • If TCP traffic, such as Telnet, is allowed out then you may need to use the established key word in the ACL_OUT as this simulates a stateful inspection and will allow the return traffic based on the ACK bit.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: