After a reflective ACL is configured, request packets initiated by Internet users cannot enter the internal network, so Internet users cannot access intranet users.
When an intranet user sends a request packet to a user on the Internet, the device generates a reflective ACL entry based on the source IP address, destination IP address, and port number in that packet. Packets sent back from the Internet that match this entry can then enter the internal network.
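The behaviour described above, modelled as a small state table. This is an added example, not code from the device or its vendor; the `ReflectiveAcl` class, the protocol field, the aging timeout, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class ReflectiveAcl:
    """Hypothetical model of a reflective ACL at the intranet/Internet boundary."""
    def __init__(self, inside_net, timeout=300):
        self.inside = ipaddress.ip_network(inside_net)
        self.timeout = timeout      # assumed aging time, in seconds
        self.entries = {}           # mirrored tuple -> expiry time

    def outbound(self, pkt, now):
        """Intranet -> Internet: forward and install the mirrored entry."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside:
            return False            # not initiated from the intranet
        mirror = Packet(pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.entries[mirror] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Internet -> intranet: permit only packets matching a live entry."""
        expiry = self.entries.get(pkt)
        if expiry is None:
            return False            # unsolicited request: dropped
        if now >= expiry:
            del self.entries[pkt]   # entry aged out, so the hole is closed
            return False
        return True

def demo():
    # Constructed sample traffic (RFC 5737 documentation address outside).
    acl = ReflectiveAcl("10.1.1.0/24", timeout=300)
    request = Packet("tcp", "10.1.1.10", 51000, "203.0.113.5", 443)
    reply = Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 51000)
    probe = Packet("tcp", "203.0.113.5", 40000, "10.1.1.10", 22)
    return {
        "reply_before_request": acl.inbound(reply, 0),
        "request_out": acl.outbound(request, 10),
        "reply_after_request": acl.inbound(reply, 20),
        "unsolicited_probe": acl.inbound(probe, 20),
        "reply_after_aging": acl.inbound(reply, 400),
    }
```

The same outside host is permitted only on the exact address and port pair that the intranet host opened, and only while the entry is live.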
The following figure shows the processing after the source address, destination address, and port number are configured in an ACL.
Advanced ACL 3333, 1 rule