10.4 Session Filtering
10.4.5 Configuring reflexive access lists
By applying a reflexive list to an external interface (the interface that connects to the outside world), you can prevent IP traffic from entering the internal network unless that traffic is part of a session that was already established from the inside. The following are the steps in configuring a reflexive access list:
  1. Define the extended named access list that will be applied to the outbound interface. Outbound traffic is traffic originating from your local hosts, which is leaving your network to outside destinations. This traffic will be monitored by the router and used to create reflexive access lists. In a sense, this traffic's "reflection" will be allowed to enter your local network as invited traffic. Use the following syntax to create this list:

    router(config)# ip access-list extended extended-list-name
  2. Configure the extended named access list to include an entry that reflects traffic. The reflect name keywords create the reflexive list and assign it the name given; that name is referenced later in this configuration (in the evaluate entry). Use the following syntax:

    router(config-ext-nacl)# permit ip-protocol any any reflect name [timeout seconds]
  3. Apply the outbound list to the outbound interface:

    router(config-if)# ip access-group extended-list-name out
  4. Define a second extended named access list (with a different name from the outbound list) that will filter incoming traffic. This list will include an entry to evaluate incoming traffic (traffic coming in from the outside world) against the reflexive list:

    router(config)# ip access-list extended extended-list-name
  5. Configure this extended named access list to include the entry to evaluate traffic against the reflexive list's assigned name:

    router(config-ext-nacl)# evaluate name

    Note that this entry is nested inside the extended list. Other permit or deny statements can be used before the evaluate statement. However, if a packet matches a preceding statement, it will not be tested for a match against any of the remaining entries, including the evaluate statement.

  6. Apply the inbound list to the external interface for incoming traffic:

    router(config-if)# ip access-group extended-list-name in
  7. (Optional) Specify a global timeout value for dynamic reflexive list entries:

    router(config)# ip reflexive-list timeout seconds

Reflexive access list entries expire after no packets in the session have been detected for a specified length of time (the timeout period). If you do not specify a timeout for a given reflexive access list (the optional timeout keyword on its reflect entry), the list uses the global timeout value instead. The global timeout value is 300 seconds by default, but you can change the global timeout to a different value at any time.
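The following is an added example, not IOS code from this text: a small Python model of the behaviour the seven steps and the timeout paragraph describe. It assumes IOS-like semantics (reflected entries mirror the outbound 5-tuple, the inbound list is walked top to bottom with an implicit deny at the end, an evaluate entry that finds no session falls through to later entries, and the timer restarts on each packet); the list name, addresses and ports are constructed sample values.

```python
# Added example: a model of reflexive-ACL behaviour (assumed IOS-like semantics), not IOS code.
from collections import namedtuple
GLOBAL_TIMEOUT = 300  # "ip reflexive-list timeout 300", the IOS default
Packet = namedtuple("Packet", "proto src sport dst dport")

class ReflexiveList:
    """Dynamic entries created by 'permit <proto> any any reflect NAME'."""
    def __init__(self, name, timeout=GLOBAL_TIMEOUT):  # per-list [timeout seconds]
        self.name, self.timeout, self.entries = name, timeout, {}
    def reflect(self, pkt, now):
        # Outbound packet seen: store its mirror image so the reply is "invited".
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout
    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:                  # idle longer than the timeout: entry expires
            del self.entries[key]
            return False
        self.entries[key] = now + self.timeout  # session traffic seen: restart the timer
        return True

def inbound_filter(rules, refl, pkt, now):
    """Walk the inbound extended list top to bottom; the first match decides.
    rules: (action, predicate) pairs, action in {'permit', 'deny', 'evaluate'}."""
    for action, match in rules:
        if action == "evaluate":
            if refl.evaluate(pkt, now):
                return "permit"
            continue                       # no reflected entry: fall through
        if match(pkt):
            return action                  # matched earlier, so evaluate is never tested
    return "deny"                          # implicit deny at the end of every IOS ACL

def demo():
    refl = ReflexiveList("tcptraffic")     # outbound list: permit tcp any any reflect tcptraffic
    inbound = [("deny", lambda p: p.src == "203.0.113.66"),   # statement before evaluate
               ("evaluate", None)]         # evaluate tcptraffic
    # Constructed sample traffic: inside host 10.1.1.5 opens two web sessions at t=0.
    refl.reflect(Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80), now=0)
    refl.reflect(Packet("tcp", "10.1.1.5", 40001, "203.0.113.66", 80), now=0)
    reply = Packet("tcp", "203.0.113.10", 80, "10.1.1.5", 40000)
    denied_reply = Packet("tcp", "203.0.113.66", 80, "10.1.1.5", 40001)
    unsolicited = Packet("tcp", "198.51.100.7", 4444, "10.1.1.5", 22)
    return {"reply_in_time": inbound_filter(inbound, refl, reply, now=100),
            "reply_hit_earlier_deny": inbound_filter(inbound, refl, denied_reply, now=100),
            "unsolicited": inbound_filter(inbound, refl, unsolicited, now=100),
            "reply_after_timeout": inbound_filter(inbound, refl, reply, now=500)}
```

Running demo() shows the invited reply permitted, the reply from the host matched by the earlier deny statement blocked before evaluate is reached, the unsolicited connection denied, and the reply denied once the session has been idle past the 300 second timeout.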