Reflexive Access List

The reflexive access-list is the poor man's stateful firewall. By default an access-list on a Cisco IOS router doesn't keep track of connections at all: for each packet it only checks whether the packet matches a statement. When a statement matches, the router performs its action (permit or deny); if it doesn't match, the router checks the next statement. If no statement matches, the packet hits the implicit deny at the bottom of the list and is dropped.

When you use a reflexive access-list, your Cisco IOS router keeps track of outgoing connections and automatically allows the matching return traffic. This is best explained with an example, so let's look at the following topology:

(Figure: topology with three Cisco routers, R1, R2 and R3.)

Above we have three routers, nothing fancy. Let's say I want to protect R1 and R2 from whatever traffic R3 might send. I could do this with a very simple but effective access-list on R2, applied inbound on the interface that faces R3:

R2(config)#ip access-list extended 100 
R2(config-ext-nacl)#deny ip any any

R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 100 in

The access-list above drops all traffic that R3 sends toward R2. Problem solved, right?

You don't have to add the "deny ip any any" yourself; it's always there at the bottom of every access-list, just invisible. The advantage of adding it explicitly is that show access-lists then shows a hit counter for it, so you can see how many packets were dropped this way.

Now what if there's an HTTP server behind R3 that I want to reach from R1?

R1#telnet 80
Trying, 80 ... 
% Connection timed out; remote host not responding

Perhaps our network is a bit too secure. The packets from R1 make it to R3, but the return traffic is dropped by the inbound access-list on R2. If I want to allow this return traffic, I have to punch a permanent hole in the access-list I just created, and a static hole such as "permit tcp any eq 80 any" also lets R3 initiate any connection it likes, as long as it uses source port 80. There's a better method, and that's the reflexive access-list. Let's take a look.


Forget about the access-list I just created; we start with fresh routers that don't have any access-lists applied.

I'm going to create an access-list that tracks all outgoing connections. This is how we do it:

R2(config)#ip access-list extended OUTBOUND
R2(config-ext-nacl)#permit ip any any reflect EVALUATE

R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group OUTBOUND out

Above you see an access-list called OUTBOUND that permits everything, but with the reflect keyword added. This tells the router to keep track of each outgoing connection and to automatically create a temporary entry for its return traffic: the source and destination addresses (and, for TCP and UDP, the port numbers) are swapped. The router stores these entries in a temporary access-list called EVALUATE, which by itself doesn't filter anything until you reference it from another access-list. We are halfway done, there's one more access-list to create:
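The following is an added example, not configuration from the lesson itself. It shows the complete reflexive access-list setup on R2 as I would deploy it, assuming (as the topology above implies) that R2's FastEthernet0/1 is the interface facing R3. It goes beyond the single "permit ip any any reflect" line above by reflecting TCP, UDP and ICMP separately with their own idle timeouts (the timeout values are my choices) and adds the inbound access-list that references the temporary EVALUATE list:

```cisco
! Added example (not from the lesson). R2 configuration.
! Assumption: FastEthernet0/1 on R2 faces R3. Timeout values are chosen, not prescribed.
!
! Global idle timeout for reflexive entries that have no per-entry timeout (IOS default is 300 s).
ip reflexive-list timeout 120
!
! Outbound: every session that leaves toward R3 is mirrored into the temporary
! reflexive list EVALUATE. Short-lived protocols get shorter timeouts so that
! the hole closes quickly once the exchange is over.
ip access-list extended OUTBOUND
 remark Mirror outgoing sessions into the reflexive list EVALUATE
 permit tcp any any reflect EVALUATE timeout 300
 permit udp any any reflect EVALUATE timeout 60
 permit icmp any any reflect EVALUATE timeout 30
 remark Any other IP protocol is reflected with the global timeout
 permit ip any any reflect EVALUATE
!
! Inbound: traffic from R3 is only permitted when it matches one of the mirrored
! entries. Anything R3 initiates on its own falls through to the explicit deny,
! which also gives you a hit counter and a log entry.
ip access-list extended INBOUND
 remark Insert the temporary entries of EVALUATE at this point
 evaluate EVALUATE
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

After R1 opens its connection to port 80 behind R3, show ip access-lists EVALUATE on R2 lists the mirrored entry with the addresses and ports reversed and its remaining timeout; a TCP entry is removed when the router sees the session close (FIN or RST) or when the timeout expires. Two caveats worth knowing before you rely on this: the mirrored entry is an exact 5-tuple, so applications that open a second connection on a negotiated port (active FTP, for example) will not work without a separate permit, and outbound access-lists are not applied to packets the router itself generates, so traffic that R2 originates toward R3 is not reflected and its replies will be dropped by INBOUND unless you permit them explicitly above the evaluate line.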

Full content access is for members only. Content created by Rene Molenaar (CCIE #41726).


Forum Replies

  1. Rene,

    I have been working on access-lists and NAT on my little lab. I have a Cisco router connected to a D Link router that is in turn connected to a Vonage router, which in turn connects to a cable modem, my gateway to the internet. I am able to ping the D Link IP address from the Cisco router and also the internet. The D Link using subnet. I configured other subnets behind the Cisco router. I managed to use NAT to be able to ping the D Link router but could never ping anything on the internet. All my other subnets behind the Cisco

    ... Continue reading in our forum

  2. Good question, there are quite a few differences.

    The reflexive access-list can match on L2-L4 attributes, just like the normal extended access-list. It's quite "dumb" since the only thing it does is track the outgoing traffic and create an access-list entry automatically that reverses the source / destination IP and port numbers. This works for traffic like HTTP but not for applications with dynamic port numbers.

    CBAC is a lot smarter, it can match up to L7 attributes and supports a wide range of protocols. The reflexive access-list and CBAC are both configur

    ... Continue reading in our forum

  3. Hi Mehul,

    If I understand your question correctly, you want to know the main difference between the Extended ACL and the Reflexive ACL.

    Extended ACLs control traffic by permitting or denying packets based on source & destination IP, protocol and destination port. They can be numbered or named access-lists, and you can assign them in the inbound or the outbound of router interfaces. When a packet arrives at the router and there is an Extended ACL applied, it will be checked entry by entry. In case it matches an entry in the ACL, then an action will happen (deny or per

    ... Continue reading in our forum

  4. Hello Chris

    Yes, it would be correct to state that simple ACLs on Cisco IOS devices are not stateful. However, there are various degrees of "statefulness" if you allow the expression. You can use simple access lists with the "established" keyword to add a degree of statefulness as this filters TCP packets based on whether the ACK or RST bits are set. This will indicate if the packet is not the first in the session, and therefore, that the packet belongs to an established session. Reflexive ACLs provide a more advanced form of session filtering which can be

    ... Continue reading in our forum

  5. Hello Giovanni

    The main difference is that the established attribute is used to filter traffic based on session. This means that it can only filter TCP sessions, while reflexive access lists can filter TCP, UDP, ICMP, and any traffic that traverses a device.

    I hope this has been helpful!


15 more replies! Ask a question or join the discussion by visiting our Community Forum
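To make the comparison in replies 4 and 5 concrete, here is an added example (not from the lesson or from any forum participant) of the stateless "established" alternative for the same topology, again assuming R2's FastEthernet0/1 faces R3:

```cisco
! Added example (not from the lesson or the forum). R2 configuration.
! Assumption: FastEthernet0/1 on R2 faces R3.
!
! The "established" keyword matches TCP segments that carry the ACK or RST flag,
! i.e. anything except a bare SYN. No session table is kept: the router never
! checks whether a matching outbound connection actually exists.
ip access-list extended INBOUND-ESTABLISHED
 remark Permit TCP segments with ACK or RST set, regardless of any real session
 permit tcp any any established
 remark Everything else from R3, including all UDP and ICMP, is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group INBOUND-ESTABLISHED in
```

This is enough to let the HTTP reply from behind R3 reach R1, but note what it does not do: a packet crafted on R3's side with the ACK bit set (an nmap ACK scan, for instance) passes the filter and reaches the inside host's TCP stack whether or not R1 ever started a session, and because only TCP has flag bits the rule says nothing about UDP or ICMP, so a ping or DNS query from R1 toward R3 still gets no reply. The reflexive access-list closes both gaps by permitting return traffic only while a matching outbound session is in its temporary list.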