Cisco IOS has stateful firewall features called reflexive access lists. By using this feature, you can use your Cisco router as a second firewall (the choke point concept in network security terminology) and increase your network security with a layered approach.
You can use an access control list (ACL) to filter traffic in one direction, but what about the return packets? You need an inbound ACL that permits only the sessions started from the inside. Reflexive ACLs solve exactly this problem.
To use reflexive ACLs:
1. You MUST use named access lists.
2. You MUST add “reflect samplename” to the end of the permit line.
3. You MUST create a second named access list and add the “evaluate samplename” line for the return traffic.
In our example, we have a proxy server (e.g., Microsoft ISA Server) with IP address 184.108.40.206. This server needs access to the Internet via HTTP (TCP 80) for web browsing and via DNS (UDP 53) for name resolution.
ip access-list extended OUTBOUND
 permit tcp host 184.108.40.206 any eq www reflect PROXYTCP
 permit udp host 184.108.40.206 any eq domain reflect PROXYUDP
!
ip access-list extended INBOUND
 evaluate PROXYTCP
 evaluate PROXYUDP
!
! placeholder: the post does not name the Internet-facing interface
interface <outside-interface>
 description Internet connection
 ip access-group INBOUND in
 ip access-group OUTBOUND out
The reflect keyword on each outbound permit line creates a temporary reverse entry (source and destination swapped) whenever a packet matches, and the evaluate lines in the inbound ACL check return traffic against those temporary entries; anything else hits the implicit deny.
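As an added illustration that is not part of the original post, the following Python simulator models the reflect/evaluate behaviour of the OUTBOUND and INBOUND lists above: an outbound match records a mirrored temporary entry, the inbound evaluate permits only matching return traffic, and entries expire after the reflexive idle timeout (300 seconds is the IOS default). The proxy address comes from the post; all other addresses and ports are constructed samples, and TCP session tracking (closing entries on FIN/RST) is not modelled.

```python
from dataclasses import dataclass

PROXY = "184.108.40.206"   # proxy server address from the post
REFLEX_TIMEOUT = 300       # IOS default reflexive-list idle timeout, seconds

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveList:
    """One named reflexive list (PROXYTCP or PROXYUDP): mirrored, expiring entries."""
    def __init__(self):
        self.entries = {}  # mirrored 5-tuple -> expiry time

    def reflect(self, pkt, now):
        # A 'permit ... reflect NAME' line matched: record the reverse flow
        # (source and destination swapped) as a temporary entry.
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now + REFLEX_TIMEOUT

    def evaluate(self, pkt, now):
        # 'evaluate NAME': permit only if an unexpired mirrored entry exists.
        # Simplification: real IOS also closes TCP entries on FIN/RST.
        expiry = self.entries.get(pkt)
        if expiry is None or now >= expiry:
            self.entries.pop(pkt, None)
            return False
        self.entries[pkt] = now + REFLEX_TIMEOUT  # matching traffic refreshes the timer
        return True

PROXYTCP, PROXYUDP = ReflexiveList(), ReflexiveList()

def outbound(pkt, now):
    """The OUTBOUND ACL: two reflecting permits, then the implicit deny."""
    if pkt.proto == "tcp" and pkt.src == PROXY and pkt.dport == 80:
        PROXYTCP.reflect(pkt, now)
        return True
    if pkt.proto == "udp" and pkt.src == PROXY and pkt.dport == 53:
        PROXYUDP.reflect(pkt, now)
        return True
    return False

def inbound(pkt, now):
    """The INBOUND ACL: the two evaluate lines, then the implicit deny."""
    return PROXYTCP.evaluate(pkt, now) or PROXYUDP.evaluate(pkt, now)
```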
This feature is a powerful tool for increasing network security, but it should not replace a real firewall for Internet access. Use it as an additional security layer.