Today I was surprised to hear from someone who had just taken one of the CCNP Security exams that they still test for reflexive access lists - what nostalgia. I was sure they had long been ousted by ip inspect and Zone Based Firewall, but no - they are still tested and still available in the newest IOS images of at least ISR routers. If you, like me, are rusty on the config, here is how to allow everything outbound from the inside:
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
Then the access list to put inbound on the external-facing interface:
ip access-list extended INBOUND
 evaluate MIRROR
And finally apply it:
#conf t
(config)# interface FastEthernet 0/1
(config-if)# ip access-group OUTBOUND out
(config-if)# ip access-group INBOUND in
Do not forget, of course, its drawbacks:
- It does not work well with complex protocols like FTP.
- It is not exactly stateful - what happens is that the router dynamically adds non-stateful entries to the INBOUND access list that mirror the passing traffic, expiring them after some time. In doing so the Cisco router looks only at the destination/source IP address and port.
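
Both drawbacks can be seen in a small model of the mechanism described above. This is an added example, not IOS code and not part of the original post: the class and function names, the addresses, the port numbers and the 300-second timeout are constructed, only TCP/UDP tuples are modelled, and expiry is simplified to a fixed time after the last outbound packet.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: carried by the packet, never consulted below

class ReflexiveAcl:
    def __init__(self, timeout=300):  # seconds; assumed sample value
        self.timeout = timeout
        self.mirror = {}              # mirrored tuple -> expiry time

    def outbound(self, pkt, now):
        """permit ... reflect MIRROR: pass the packet and record its mirror image."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.mirror[key] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """evaluate MIRROR: permit only if a live mirrored entry matches."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.mirror.get(key)
        if expiry is None or now > expiry:
            self.mirror.pop(key, None)
            return False              # falls through to the implicit deny
        return True

def demo():
    acl = ReflexiveAcl(timeout=300)
    client, server = "10.0.0.5", "198.51.100.7"  # constructed addresses
    r = {}
    # Inside host opens an FTP control connection; the reply matches the mirror.
    acl.outbound(Packet("tcp", client, 40000, server, 21, "S"), now=0)
    r["control_reply"] = acl.inbound(Packet("tcp", server, 21, client, 40000, "SA"), now=1)
    # Active-mode FTP data connection is opened by the server: no mirrored entry.
    r["ftp_active_data"] = acl.inbound(Packet("tcp", server, 20, client, 40001, "S"), now=2)
    # Not stateful: flags that do not fit the session still match on the tuple.
    r["unexpected_flags"] = acl.inbound(Packet("tcp", server, 21, client, 40000, "S"), now=3)
    # After the timeout the mirrored entry is gone and the same reply is denied.
    r["after_timeout"] = acl.inbound(Packet("tcp", server, 21, client, 40000, "A"), now=301)
    return r
```

Calling demo() returns one permit/deny result per case, which is a quick way to check what a reflexive ACL will and will not let back in before relying on it for a given protocol.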