Friday, February 27, 2009

A reflexive access list inspects return traffic. When you allow outbound traffic, you tell the outbound access-list to 'reflect TEST' (where TEST is the dynamic ACL name). You then tell the inbound access-list to 'evaluate TEST'. This creates dynamic entries in an ACL called TEST that list the allowed return traffic for sessions initiated behind this router.
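Here is the pattern written out as an added IOS configuration example (not the post's own config, and not the StN workbook's). The interface name Serial0/0, the ACL names OUTBOUND and INBOUND, the host 203.0.113.10 and the timeouts are assumptions; only the reflexive list name TEST comes from the post. Reflexive entries require named extended ACLs, so numbered lists will not accept the `reflect` keyword.

```cisco
! Added example: reflexive ACL on the outside interface (names are assumed).
! The outbound list tags sessions leaving the network so their return flow
! is written into the temporary list TEST.
ip access-list extended OUTBOUND
 permit tcp any any reflect TEST timeout 300
 permit udp any any reflect TEST timeout 60
 permit icmp any any reflect TEST
!
! The inbound list consults TEST first, then permits what must be reachable
! from outside, then logs and drops everything else.
ip access-list extended INBOUND
 evaluate TEST
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any log
!
! Default lifetime for reflexive entries that carry no per-line timeout.
ip reflexive-list timeout 120
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! After a host behind the router opens a session, 'show access-list TEST'
! shows the mirrored entry (source and destination, and ports, swapped).
```

Two things to check when this does not behave as expected: the `evaluate` line is positioned like any other ACE, so entries above it are matched first and a `deny` placed before it silently overrides the reflected entries; and the reflected entries only mirror the exact addresses and ports of the original packet, so protocols that open a second channel on a different port (active FTP being the classic case) need an explicit inbound permit or a protocol-aware inspection feature instead.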

Some day I will get this right, but I'm also having trouble with dynamic ACLs (by the way, call them A C Ls, not "Ackles"; I can't stand that. Do you call a BMW a bamwah?). The StN workbook called for creating dynamic ACLs based on authenticated telnet users. I understand the concept, but it's hard to get the syntax down. Additionally, the 'autocommand access-enable' is a hidden prompt. My router accepts the command, but when I telnet to that router, I get a response saying this is not a valid command. Oh well.
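For reference, this is the lock-and-key (dynamic ACL) syntax the workbook exercise describes, as an added example that is not the post's or the workbook's configuration. The username netadmin, the interface Serial0/0, the dynamic list name LOCKKEY, the addresses 192.0.2.1 and 10.10.10.0/24, and both timeouts are assumptions; the placeholder secret must be replaced.

```cisco
! Added example: lock-and-key dynamic ACL with local authentication (names assumed).
username netadmin secret REPLACE_WITH_REAL_SECRET
!
! Inbound list on the outside interface: telnet to the router itself is the
! only thing permitted until a user authenticates. The 'dynamic' ACE is a
! template; its 'timeout 120' is an absolute lifetime in minutes.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
access-list 101 dynamic LOCKKEY timeout 120 permit ip any 10.10.10.0 0.0.0.255
access-list 101 deny ip any any log
!
interface Serial0/0
 ip access-group 101 in
!
! On successful login the autocommand runs, inserts a temporary entry for the
! source host ('host' substitutes the connecting address for 'any'), closes the
! telnet session, and removes the entry after 5 idle minutes.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

Two caveats worth knowing before testing it. `login local` (or an AAA equivalent) must be on the vty lines, because the temporary entry is created only for an authenticated session. And an `autocommand` on every vty line means no one can reach a shell over telnet on that router at all; a safer layout keeps some vty lines free of the autocommand, or attaches it to the specific user instead (`username netadmin autocommand access-enable host timeout 5`), so administrative access is not locked out along with the untrusted users.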

Anyway - just jotting some notes. More to come later.
