Today I was surprised to hear from someone who just took one of the CCNP Security exams that they still test for Reflexive access-lists - what a nostalgy. I was sure it has long been ousted by ip inspect and Zone Based Firewall, but no - it is still tested and still available in the newest IOS images of at least ISR routers. If you, like me, are rusty on its config, here it is how to allow from inside outbound everything:
ip access-list extended OUTBOUND
permit tcp any any reflect MIRROR
permit udp any any reflect MIRROR
permit icmp any any reflect MIRROR
Then the access-list to put on external facing interface inbound:
ip access-list extended INBOUND
And finally apply it:
(config)# interface FastEthernet 0/1
(config-if)# ip access-group OUTBOUND out
(config-if)# ip access-group INBOUND in
Do not forget of course its drawbacks: - It does not work well with complex protocols like FTP - It is not exactly stateful - what happens is that router dynamically adds non-stateful entries in INBOUND access list that mirror the passing traffic, expiring it after some time. In doing so Cisco router looks only on destination/source IP address and port.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.