Access List

Standard Access List
Examples:
internetrouter(config)#access-list 2 permit 172.16.1.2
internetrouter(config)#access-list 2 permit 172.16.1.10
internetrouter(config)#access-list 2 permit 172.16.1.11

internetrouter#show access-lists
Standard IP access list 2
    30 permit 172.16.1.11
    20 permit 172.16.1.10
    10 permit 172.16.1.2

Note: the three entries were added in order 10, 20, 30, but IOS hashes the host entries of a standard ACL for lookup, so show access-lists prints them in hash order rather than sequence order. The sequence number still decides where a new entry is placed, as the next example shows: entries 25 and 15 are inserted with explicit sequence numbers instead of being appended.

internetrouter(config)#ip access-list standard 2
internetrouter(config-std-nacl)#25 per 172.16.1.7
internetrouter(config-std-nacl)#15 per 172.16.1.16

internetrouter#show access-lists
Standard IP access list 2
    15 permit 172.16.1.16
    30 permit 172.16.1.11
    20 permit 172.16.1.10
    25 permit 172.16.1.7
    10 permit 172.16.1.2

Extended ACL

Examples:
Router(config)#access-list 101 permit tcp any any
Router(config)#access-list 101 permit udp any any
Router(config)#access-list 101 permit icmp any any
Router(config)#exit

Router#show access-list
Extended IP access list 101
    10 permit tcp any any
    20 permit udp any any
    30 permit icmp any any

Router(config)#ip access-list extended 101
Router(config-ext-nacl)#5 deny tcp any any eq telnet
Router(config-ext-nacl)#exit
Router(config)#exit

Router#show access-list
Extended IP access list 101
    5 deny tcp any any eq telnet
    10 permit tcp any any
    20 permit udp any any
    30 permit icmp any any
Router#

Sequence 5 sorts ahead of the existing entry 10, so Telnet is now denied even though entry 10 permits all TCP: the first matching entry wins and no later entry is consulted. Added without a sequence number, the deny would have been appended as 40, behind the permit, and would never match anything.

Named extended Access List:
router(config)# ip access-list extended test
router(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 
router(config-ext-nacl)# permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
router(config-ext-nacl)# permit udp host 10.1.1.2 host 172.16.1.1
router(config-ext-nacl)# permit icmp host 10.1.1.1 host 172.16.1.1
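To make the matching rules behind the examples above concrete, here is a small simulator of IOS IPv4 ACL evaluation: first match in sequence-number order, wildcard masks, standard lists filtering on source only, and the implicit deny at the end. It is an added example written for this page, not IOS code or output; the ACL text it parses is constructed to mirror ACL 101, the telnet deny inserted at sequence 5, and standard list 2, and the port-name table is a deliberately short subset of what IOS knows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: simulator of IOS ACL matching semantics (not IOS code).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # subset, assumption
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[str, str]        # (network, wildcard)
    src_port: Optional[int]
    dst: Tuple[str, str]
    dst_port: Optional[int]


def _addr(tokens: List[str]) -> Tuple[str, str]:
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


class Acl:
    def __init__(self, standard: bool = False):
        self.standard = standard
        self.entries: List[Entry] = []

    def add(self, line: str) -> None:
        tokens = line.split()
        # A leading sequence number places the entry; otherwise append at next multiple of 10.
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:
            seq = (max((e.seq for e in self.entries), default=0) // 10 + 1) * 10
        action = tokens.pop(0)
        if self.standard:
            # Standard ACLs filter on source only; a bare address is a host entry.
            if len(tokens) == 1 and tokens[0] != "any":
                tokens.append("0.0.0.0")
            entry = Entry(seq, action, "ip", _addr(tokens), None, ANY, None)
        else:
            proto = tokens.pop(0)
            src, sport = _addr(tokens), _port(tokens)
            dst, dport = _addr(tokens), _port(tokens)
            entry = Entry(seq, action, proto, src, sport, dst, dport)
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)  # position follows seq, not entry time

    def check(self, proto, src, dst, sport=None, dport=None):
        """Return (action, seq) of the first matching entry; implicit deny if none."""
        for e in self.entries:
            if e.proto not in ("ip", proto):
                continue
            if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
                continue
            if e.src_port is not None and e.src_port != sport:
                continue
            if e.dst_port is not None and e.dst_port != dport:
                continue
            return (e.action, e.seq)
        return ("deny", None)  # implicit deny at the end of every ACL


def demo():
    """Rebuild ACL 101 from the page and show the effect of inserting seq 5."""
    acl = Acl()
    for line in ("permit tcp any any", "permit udp any any", "permit icmp any any"):
        acl.add(line)
    telnet = ("tcp", "10.1.1.2", "172.16.1.1", 40000, 23)
    before = acl.check(*telnet)                  # ("permit", 10)
    acl.add("5 deny tcp any any eq telnet")
    after = acl.check(*telnet)                   # ("deny", 5): 5 sorts ahead of 10
    ssh = acl.check("tcp", "10.1.1.2", "172.16.1.1", 40000, 22)  # still ("permit", 10)

    std = Acl(standard=True)                     # standard list 2 with an inserted seq 15
    for line in ("permit 172.16.1.2", "15 permit 172.16.1.16", "permit 172.16.1.10"):
        std.add(line)
    return (before, after, ssh,
            std.check("ip", "172.16.1.16", "10.1.1.1"),   # ("permit", 15)
            std.check("ip", "172.16.1.3", "10.1.1.1"))    # ("deny", None)


if __name__ == "__main__":
    print(demo())
```

The simulator treats `ip` as matching every protocol and leaves out IOS features that do not matter for the point being made (`gt`/`range` port operators, `established`, `log`); the sorting step in `add` is the whole reason sequence numbers let you slot a deny in front of an existing permit.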
 
Dynamic ACLs (Lock-and-Key)

Dynamic ACLs depend on Telnet connectivity, authentication (local or remote), and extended ACLs. A lock-and-key configuration starts with an extended ACL applied to an interface that blocks traffic through the router. Users who want to traverse the router are blocked by that ACL until they Telnet to the router and authenticate. The Telnet connection is then dropped and a single-entry dynamic ACL is added to the extended ACL, permitting the traffic for a limited period; both idle and absolute timeouts are possible.
Use dynamic ACLs when you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires users to authenticate before it allows their hosts to reach the remote hosts; the credentials can be held locally on the router (as in the example below) or on a TACACS+ or other AAA server. The authentication itself rides over Telnet, so the username and password cross the network in the clear.
username test password 0 test
!-- "password 0" stores the password in cleartext in the configuration;
!-- prefer "username test secret <password>" where the IOS release supports it.
!-- Ten (minutes) is the idle timeout. "host" limits the dynamic entry to the
!-- address the user telnetted from.
username test autocommand access-enable host timeout 10

interface Ethernet0/0
  ip address 10.1.1.1 255.255.255.0
  ip access-group 101 in

!-- Only Telnet to the router itself is permitted statically; everything else
!-- hits the implicit deny until the dynamic entry has been created.
access-list 101 permit tcp any host 10.1.1.1 eq telnet
!-- 15 (minutes) is the absolute timeout.
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

line vty 0 4
  login local

Reflexive ACLs:

Reflexive ACLs are generally used to allow outbound traffic and limit inbound traffic to the replies of sessions that originate from a network inside the router. Reflexive ACLs contain only temporary entries. These entries are automatically created when a new IP session begins, for example with an outbound packet, and are automatically removed when the session ends (for TCP, after a FIN or RST is seen; otherwise when the idle timeout expires). Reflexive ACLs are not applied directly to an interface but are "nested" in an extended named IP ACL that is applied to the interface. Each temporary entry mirrors exactly the addresses and ports of the packet that created it, so only that one return flow is permitted; protocols that open a second connection on a negotiated port, such as active-mode FTP, are not handled.
!-- Global idle timeout for temporary entries, in seconds (the default is 300).
ip reflexive-list timeout 120

interface Ethernet0/1
  ip address 172.16.1.2 255.255.255.0
  ip access-group inboundfilters in
  ip access-group outboundfilters out

ip access-list extended inboundfilters
  permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  evaluate tcptraffic

!-- This ties the reflexive ACL part of the outboundfilters ACL,
!-- called tcptraffic, to the inboundfilters ACL. Inbound TCP that matches
!-- no temporary entry falls through "evaluate" to the implicit deny.
ip access-list extended outboundfilters
  permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
  permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
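The following model of the reflexive configuration above shows which inbound packets the `evaluate tcptraffic` entry actually lets through and which it rejects: an unsolicited SYN/ACK, a reply on a different port, a reply from a different host, a reply after the session was torn down with FIN, and a reply after the 120-second idle timeout. It is an added example, not IOS code: the flows are constructed, /24 membership is tested with a prefix string instead of a wildcard mask, and entry removal after FIN/RST is modelled as immediate (IOS keeps the entry for a few seconds after teardown).

```python
from typing import Dict, FrozenSet, Tuple

# Added example (not IOS code): model of "reflect tcptraffic" / "evaluate tcptraffic".
Flow = Tuple[str, str, int, str, int]           # (proto, src, sport, dst, dport)
INSIDE, OUTSIDE = "10.1.1.", "172.16.1."         # /24 prefixes as strings (simplification)


class ReflexiveList:
    def __init__(self, timeout: int):
        self.timeout = timeout                   # ip reflexive-list timeout, seconds
        self.entries: Dict[Flow, float] = {}     # mirrored flow -> expiry time

    def reflect(self, flow: Flow, now: float) -> None:
        proto, src, sport, dst, dport = flow
        # The temporary entry swaps source and destination, ports included.
        self.entries[(proto, dst, dport, src, sport)] = now + self.timeout

    def evaluate(self, flow: Flow, now: float, tcp_flags: FrozenSet[str]) -> bool:
        expiry = self.entries.get(flow)
        if expiry is None or now > expiry:
            self.entries.pop(flow, None)         # unknown or idle-timed-out session
            return False
        if flow[0] == "tcp" and tcp_flags & {"FIN", "RST"}:
            del self.entries[flow]               # teardown removes the entry (modelled as immediate)
        else:
            self.entries[flow] = now + self.timeout   # traffic refreshes the idle timer
        return True


class Router:
    def __init__(self):
        self.tcptraffic = ReflexiveList(timeout=120)

    def outbound(self, flow: Flow, now: float) -> bool:
        """outboundfilters, applied 'out' on Ethernet0/1."""
        proto, src, _, dst, _ = flow
        if not (src.startswith(INSIDE) and dst.startswith(OUTSIDE)):
            return False                         # implicit deny
        if proto == "icmp":
            return True
        if proto == "tcp":
            self.tcptraffic.reflect(flow, now)   # 'reflect tcptraffic'
            return True
        return False                             # e.g. UDP: no static entry, no reflect

    def inbound(self, flow: Flow, now: float,
                tcp_flags: FrozenSet[str] = frozenset()) -> bool:
        """inboundfilters, applied 'in' on Ethernet0/1."""
        proto, src, _, dst, _ = flow
        if proto == "icmp" and src.startswith(OUTSIDE) and dst.startswith(INSIDE):
            return True                          # static permit icmp entry
        return self.tcptraffic.evaluate(flow, now, tcp_flags)   # 'evaluate tcptraffic'


def demo() -> Dict[str, bool]:
    """Constructed flows exercising the filter; keys name the scenario."""
    r = Router()
    syn = ("tcp", "10.1.1.5", 51000, "172.16.1.20", 443)
    synack = ("tcp", "172.16.1.20", 443, "10.1.1.5", 51000)
    out = {}
    out["unsolicited"] = r.inbound(synack, now=0)                      # no session yet
    r.outbound(syn, now=1)                                             # creates mirrored entry
    out["reply"] = r.inbound(synack, now=2)
    out["other_port"] = r.inbound(("tcp", "172.16.1.20", 443, "10.1.1.5", 51001), now=2)
    out["spoofed_src"] = r.inbound(("tcp", "172.16.1.21", 443, "10.1.1.5", 51000), now=2)
    out["after_fin"] = r.inbound(synack, now=3, tcp_flags=frozenset({"FIN"}))
    out["after_fin_again"] = r.inbound(synack, now=4)                  # entry removed
    r.outbound(syn, now=10)                                            # new session
    out["idle_timeout"] = r.inbound(synack, now=10 + 121)              # past 120 s idle
    out["udp_not_reflected"] = r.outbound(("udp", "10.1.1.5", 5000, "172.16.1.20", 53), now=20)
    return out


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:18s} {'permit' if permitted else 'deny'}")
```

The point the model makes is that the temporary entry is keyed on the full mirrored 5-tuple: an attacker who knows an inside host exists still cannot reach it without guessing the exact ephemeral port of a live session, and once the session ends or idles out the window closes.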

Reference URL:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#lockandkey