Reflexive Access List

hi, great website ! i’m still learning basic guides cisco autodidact. i hope i can catch this section soon.

Thanks Rene…

This was a very helpful explanation to me. I´m a regular visitor of and didn´t know about this one; congrats man you´re awesome!


I have been working on access-lists and NAT on my little lab. I have a Cisco router connected to a D Link router that is in turn connected to a vonage router which in turn connects to a Cable mode - my gateway to the internet. I am able to ping the D Link IP address from the cisco router and also the internet. The D link using subnet. I configured other subnets behind the cisco router. I managed to use NAT to be able to ping the D Link router but could never be able to ping anythin on the internet. All my other subnets behind the cisco router are NAT inside. The link between the D Link and the router as NAT outside.

What do I need to do to be able to ping beyond the D-Link Router? I can ping internet addresses from the Cisco router but nothing beyond the D-Link from anything behind the cisco router.

I worked with it so long until I started my working translations.


I have 1 question for you !
what different between Reflexive ACL, CBAC and Zone Base Access List ?

Good question, there are quite some differences.

The reflexive access-list can match on L2-L4 attributes, just like the normal extended access-list. It’s quite “dumb” since the only thing it does is track the outgoing traffic and creating an access-list entry automatically that reverses the source / destination IP and port numbers. This works for traffic like HTTP but not for applications with dynamic port numbers.

CBAC is a lot smarter, it can match up to L7 attributes and supports a wide range of protocols. The reflexive access-list and CBAC are both configured on the interface level.

The Zone based firewall is like CBAC on steroids, it has more features and instead of configuring it on the interfaces, we create zones and zone-pairs. Interfaces are assigned to zones and security policies are assigned to zone-pairs. This is a much more scalable method.

Great Explanation abt Cisco Refelexive Acls. But how do RACLs behave in case of FTP connections.Please tell.

Hi Nabeel,

The short answer…not very well. Reflexive ACLs just create a temporary permit statement that is the opposite of the outgoing traffic. If you want to use this you’ll need to use passive FTP.

If you only can use active FTP, take a look at CBAC.


Hi Rene,
Very useful configuration , using Reflexive ACL we can block any traffic originating from Internet and the same way we can access any Servers in the internet from our local intranet.
From diagram, I think reflexive ACL confiured on R2’s Fa0/1 . Please correct me If I am not correct.
Temporary access-list is going to be huge if the traffic is more , and it may not allow us to create new access-list .
any limitation ?


Hi Srini,

The idea behind reflexive access-lists is good but today it has been obsoleted by CBAC or ZBF. One of the issues with this solution is that it doesn’t work for applications where the ports might change (active FTP for example). There’s probably also a limit for the number of entries it can create, not sure what it is and it might be different for each platform.

I just fixed the interface number btw, thanks.


Hi Rene,

May be a silly question but, could you please explain a difference between generic extended ACL and reflexive ACL, especially from pin hole perspective?

Many Thanks,

Hi Mehul,

If I understand well your question, you want to know the main difference between the Extended ACL and the Reflexive ACL.

Extended ACLs control traffic by permitting or denying packets based on source & destination IP, protocol and destination port. They can be numbered or named access-lists, and you can assign them in the inbound or the outbound of router interfaces. When the packet arrive to the router and there is an Extended ACL applied, it will be checked entry by entry. In case it match an entry in the ACL, then an action will happen (deny or permit depending on the matched ACL entry ). In case of no matching, then the packet will be discarded because there is an implicit deny by end of the ACL.

In Rene’s example for this lesson, if you apply an extended ACL to deny traffic from R3 to R2, then R1 will not be able to reach R3 because the return path from R3 to R1 will be blocked by the Access list on R2. For this reason, we need a Reflexive ACL as explained in this lesson to have a hole inside the ACL and at the same time to keep protecting our internal network. By configuring the Reflexive ACL, a temporary Access list will be created allowing the return path of the traffic. This will have a duration of 270 seconds. Any other traffic from R3 to R1 will remain blocked.

I hope I could answer your question.

1 Like

Do relexive access lists imply that by default, Cisco’s ACL’s are not stateful?

Hello Chris

Yes, it would be correct to state that simple ACLs on Cisco IOS devices are not stateful. However, there are various degrees of “statefullness” if you allow the expression. You can use simple access lists with the “established” keyword to add a degree of statefulness as this filters TCP packets based on whether the ACK or RST bits are set. This will indicate if the packet is not the first in the session, and therefore, that the packet belongs to an established session. Reflexive ACLs provide a more advanced form of session filtering which can be considered more stateful.

I hope this has been helpful!


1 Like

What is the difference between a reflexive ACL and normal extended access-list with established attribute?
When I should use the first one instead the other one?
Thank you

1 Like

Hello Giovanni

The main difference is that the establish attribute is used to filter traffic based on session. This means that it can only filter TCP sessions, while reflexive access lists can filter TCP, UDP, ICMP, and any traffic that traverses a device.

I hope this has been helpful!


1 Like

Hi laz ,

Thanks for giving your precious time , now i understand ACL Bit more , i have one doubt

A) How can we decided that in what condition reflexive ACL should be implement ?




Hello Shivam

The lesson at the beginning describes a situation in which you would want to employ a reflexive access list. It involves an access list that blocks traffic, but will automatically allow return traffic from a communication that takes place across the router.

The purpose of this lesson is to examine how reflexive access lists work. Such access lists are usually placed in the edge router of the enterprise network, and in this topology, R2 represents this edge router. You could consider R1 to be the internal network of the enterprise, and R3 to be the ISP router. The access list could have been applied to R3, and of course it would work, but assuming the topology mimics an enterprise network, the ISP would be in control of this router.

I don’t see that anywhere in the lesson. Can you clarify your question?

I hope this has been helpful!


Hi team,

I would like to get help with this configurations:

R2(config)#ip access-list extended OUTBOUND
R2(config-ext-nacl)#permit ip any any reflect EVALUATE

R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group OUTBOUND out

R2(config)#ip access-list extended INBOUND
R2(config-ext-nacl)#evaluate EVALUATE

R2(config)#interface fastEthernet 0/1       
R2(config-if)#ip access-group INBOUND in

Is it correct, that we have to add the two ACL on the same port and with different directions?

Hello Vanilson

Yes, your configuration appears to be correct. The two ACLs must be configured on the same port with different directions. The outbound direction will permit everything, but will create a temporary and dynamic access list called EVALUATE. The inbound direction assigns that temporary access list to the INBOUND ACL, which is used to allow or deny traffic.

I hope this has been helpful!