Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.
Reflexive ACLs provide a level of security against spoofing and certain denial of service (DoS) attacks.
Reflexive ACLs are harder to spoof because more criteria must match in the packet, for example the source and destination addresses and port numbers, not just the acknowledgment (ACK) and reset (RST) bits that the established keyword checks.
The following configuration makes the router keep track of the traffic initiated from inside. The reflect myfw keyword on the TCP entry creates a temporary entry in the reflexive list myfw for each outbound TCP session; the ICMP entry is permitted but not reflected.

ip access-list extended OUTBOUND
 permit icmp 220.127.116.11 0.0.0.255 18.104.22.168 0.0.0.255
 permit tcp 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255 reflect myfw
In the next configuration we create an inbound policy. The evaluate myfw entry nests the reflexive ACL myfw, built by the OUTBOUND ACL, into the INBOUND ACL, so the router checks whether incoming traffic belongs to a session initiated from inside. Entries are checked in order, and anything that matches neither the static ICMP permit nor a temporary reflexive entry hits the implicit deny at the end of the list.

Reflexive entries are temporary: a TCP entry is removed when the session ends (on RST, or after both sides have sent FIN) or when no traffic has matched it for the idle timeout, 300 seconds by default, which can be changed globally with ip reflexive-list timeout. Protocols that open a second connection on a negotiated port, such as active FTP, are not tracked and need their own entries.

ip access-list extended INBOUND
 permit icmp 188.8.131.52 0.0.0.255 184.108.40.206 0.0.0.255
 evaluate myfw
Finally, apply both ACLs to the interface facing the outside network, Ethernet0/1: INBOUND in the inbound direction and OUTBOUND in the outbound direction.

Router(config)#interface Ethernet0/1
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip access-group INBOUND in
Router(config-if)#ip access-group OUTBOUND out
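To make the behaviour of the OUTBOUND/INBOUND pair concrete, here is a small model of how the router evaluates these two ACLs, added as an example for this page; it is not code from the page or from Cisco. It shows the temporary reversed entry that reflect myfw creates for an outbound TCP packet, the full five-tuple match that evaluate myfw requires on the way back, the idle timeout and RST teardown, and, for comparison, why a packet with only the ACK bit set would pass an established check but not the reflexive one. The inside network 10.0.0.0/24, the hosts 10.0.0.7 and 203.0.113.5, and the 300 second timeout are assumptions for the example, not values from the page.

```python
"""Toy model of Cisco IOS reflexive ACL evaluation.

Added example for this page, not code from the page or from Cisco.
Assumptions (not from the page): 10.0.0.0/24 is the inside network,
203.0.113.5 is an outside host, and temporary entries expire after 300 s,
the IOS default for `ip reflexive-list timeout`.
"""
from dataclasses import dataclass
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed inside subnet
DEFAULT_TIMEOUT = 300                             # seconds, IOS default


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for icmp
    dport: int = 0
    ack: bool = False   # TCP flags, used for the `established` comparison and RST teardown
    rst: bool = False


def established_permits(pkt: Packet) -> bool:
    """What `permit tcp any any established` checks: only that ACK or RST is set."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)


class ReflexiveFirewall:
    def __init__(self, inside=INSIDE_NET, timeout=DEFAULT_TIMEOUT):
        self.inside = inside
        self.timeout = timeout
        # Temporary entries of the reflexive list "myfw", keyed by the
        # (proto, src, dst, sport, dport) tuple as seen in the inbound direction,
        # mapped to their expiry time.
        self.myfw = {}

    def _expire(self, now: float) -> None:
        self.myfw = {k: t for k, t in self.myfw.items() if t > now}

    def outbound(self, pkt: Packet, now: float) -> bool:
        """OUTBOUND ACL applied `out` on the outside interface:
        permit icmp <inside> <outside> / permit tcp <inside> <outside> reflect myfw / implicit deny."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return False
        if pkt.proto == "icmp":
            return True                      # permitted, but not reflected
        if pkt.proto == "tcp":
            # reflect: record the reversed 5-tuple so only the matching reply can come back
            key = ("tcp", pkt.dst, pkt.src, pkt.dport, pkt.sport)
            self.myfw[key] = now + self.timeout
            return True
        return False                         # implicit deny (udp and everything else)

    def inbound(self, pkt: Packet, now: float) -> bool:
        """INBOUND ACL applied `in` on the outside interface:
        permit icmp <outside> <inside> / evaluate myfw / implicit deny."""
        self._expire(now)
        if pkt.proto == "icmp" and ipaddress.ip_address(pkt.dst) in self.inside:
            return True
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.myfw:
            if pkt.rst:
                del self.myfw[key]                      # IOS removes the entry on RST
            else:
                self.myfw[key] = now + self.timeout     # refresh the idle timer
            return True
        return False


def demo() -> dict:
    """Run a constructed packet sequence through the model; returns permit/deny per step."""
    fw = ReflexiveFirewall()
    inside, outside = "10.0.0.7", "203.0.113.5"
    results = {}
    # 1. inside host opens a connection to the outside web server
    results["syn_out"] = fw.outbound(Packet("tcp", inside, outside, 40000, 80), now=0)
    # 2. the server's SYN/ACK matches the reversed entry exactly
    results["synack_in"] = fw.inbound(Packet("tcp", outside, inside, 80, 40000, ack=True), now=1)
    # 3. spoofed packet with ACK set but the wrong destination port
    spoof = Packet("tcp", outside, inside, 80, 40001, ack=True)
    results["spoof_reflexive"] = fw.inbound(spoof, now=2)
    results["spoof_established"] = established_permits(spoof)
    # 4. unsolicited inbound SYN to an inside SSH port
    results["unsolicited"] = fw.inbound(Packet("tcp", outside, inside, 5555, 22), now=3)
    # 5. the same reply after the idle timeout has elapsed: entry is gone
    results["after_timeout"] = fw.inbound(
        Packet("tcp", outside, inside, 80, 40000, ack=True), now=1 + DEFAULT_TIMEOUT + 1)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'permit' if allowed else 'deny'}")
```

Step 3 is the point of the page's spoofing remark: the spoofed packet passes an established check because the ACK bit is set, but fails evaluate myfw because the port number does not match the temporary entry.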