Reflexive Access List Commands

This chapter describes the function and displays the syntax for reflexive access list commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.

evaluate

To nest a reflexive access list within an access list, use the evaluate access-list configuration command. Use the no form of this command to remove a nested reflexive access list from the access list.

evaluate name
no evaluate name

name The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.

ip reflexive-list timeout

To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout global configuration command. Use the no form to reset the timeout period to the default timeout. This command applies only to reflexive access lists that do not already have a specified timeout.

ip reflexive-list timeout seconds
no ip reflexive-list timeout

seconds Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2^32-1.

permit (reflexive)

To create a reflexive access list and to enable its temporary entries to be automatically generated, use the permit (reflexive) access-list configuration command. Use the no form of this command to delete the reflexive access list (if only one protocol was defined) or to delete protocol entries from the reflexive access list (if multiple protocols are defined).

permit protocol any any reflect name [timeout seconds]
no permit protocol any any reflect name

protocol Name or number of an IP protocol. It can be one of the keywords gre, icmp, ip, ipinip, nos, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip.
name Specifies the name of the reflexive access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. The name can be up to 64 characters long.
timeout seconds (Optional) Specifies the number of seconds to wait (when no session traffic is being detected) before entries expire in this reflexive access list. Use a positive integer from 0 to 2^32-1. If not specified, the number of seconds defaults to the global timeout value.
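The three commands above used together on one interface, as an added configuration example that is not part of the Cisco document; the list names, the interface name and the timeout values are assumptions.

```text
! Assumed global default: temporary entries idle out after 120 seconds
! (applies to reflexive lists that set no timeout of their own)
ip reflexive-list timeout 120
!
! Outbound (trusted -> untrusted): each permitted session creates a
! temporary entry in the named reflexive list; TCP overrides the global
! timeout with its own 300-second value
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS
 permit icmp any any reflect ICMP-SESSIONS
!
! Inbound (untrusted -> trusted): only return traffic that matches a
! temporary entry is permitted. The evaluate lines are checked at the
! position where they appear, so any statement placed above them is
! applied first; everything that matches no entry is denied and logged
ip access-list extended INBOUND-FILTER
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 deny ip any any log
!
! Assumed external interface: outbound list creates the entries,
! inbound list consumes them
interface Serial0
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
```

A temporary entry mirrors only the address and port pair of the original session, so a protocol that negotiates a second channel (active-mode FTP data, for example) is not covered by the reflexive entry and needs its own rule.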

Copyright 1989-1998 © Cisco Systems Inc.