10.4 Session Filtering
10.4.4 Restriction on using reflexive access lists
Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers of a return packet differ from those of the originating packet, the return packet will be denied, even if it is actually part of the same session. FTP is an example of an application with changing port numbers. When you initiate an FTP session, that conversation typically uses TCP port 21 to send control information, including the three-way handshake and username/password negotiation.

However, when the connection is established, data is actually sent on a different port, typically TCP port 20. If an outside FTP server sends the reply to the first packet on port 20, the reflexive access list will not let it through because it has not seen an inside host use that port. From the reflexive access list's point of view, the stream on port 20 is a new and uninvited conversation. However, if the FTP client operates in passive mode, it can be the first host to send a packet on the data port. Thus, you must configure your FTP clients for passive FTP so that they will originate the data port transfer, which in turn will create the appropriate reflexive access list entry.
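The following is an added example, not code from the book, that models the behaviour described above in Python: an outbound packet creates a temporary reflexive entry for the mirrored flow, an inbound packet is permitted only if it matches such an entry, and the simulator is then run once for an active-mode FTP transfer and once for a passive-mode one. The addresses and port numbers (10.0.0.5, 203.0.113.7, 50000 and up, 40123) are constructed for the illustration, and the model ignores entry timeouts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet, reduced to the fields a reflexive ACL looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ReflexiveACL:
    """Minimal model of a reflexive access list applied on the router's
    outside interface: an outbound packet matching the 'reflect' rule
    creates a temporary entry for the mirrored flow, and an inbound packet
    is permitted only if it matches one of those entries (the 'evaluate'
    step). Like the real feature, it does not parse FTP commands, and this
    model omits entry timeouts."""

    def __init__(self):
        self.entries = set()

    def outbound(self, pkt):
        # Mirrored entry: the reply must come from the original destination
        # back to the original source, with the ports swapped.
        self.entries.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return True  # outbound traffic itself is permitted by the reflect rule

    def inbound(self, pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.entries


# Constructed addresses (documentation/private ranges), not taken from the text.
CLIENT = "10.0.0.5"       # inside FTP client
SERVER = "203.0.113.7"    # outside FTP server


def simulate_active_ftp():
    acl = ReflexiveACL()
    # Control connection: client ephemeral port -> server port 21.
    acl.outbound(Packet(CLIENT, 50000, SERVER, 21))
    control_reply = acl.inbound(Packet(SERVER, 21, CLIENT, 50000))
    # Active mode: the client tells the server (PORT command) to connect to
    # client port 50001, and the server opens the data connection from port 20.
    # The router never saw an outbound packet on that flow, so no entry exists.
    data_connection = acl.inbound(Packet(SERVER, 20, CLIENT, 50001))
    return {"control_reply": control_reply, "data_connection": data_connection}


def simulate_passive_ftp():
    acl = ReflexiveACL()
    acl.outbound(Packet(CLIENT, 50002, SERVER, 21))
    control_reply = acl.inbound(Packet(SERVER, 21, CLIENT, 50002))
    # Passive mode: the server's reply to PASV names a listening port (40123,
    # constructed); the client originates the data connection, which creates
    # the mirrored entry before any server data flows back.
    acl.outbound(Packet(CLIENT, 50003, SERVER, 40123))
    data_connection = acl.inbound(Packet(SERVER, 40123, CLIENT, 50003))
    return {"control_reply": control_reply, "data_connection": data_connection}


if __name__ == "__main__":
    print("active FTP :", simulate_active_ftp())
    print("passive FTP:", simulate_passive_ftp())
```

Running the script shows the control reply permitted in both modes, the active-mode data connection denied (the server's port 20 stream has no matching entry), and the passive-mode data connection permitted because the client originated it.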