While a reflexive acl theoretically can prevent ack tunneling how would one implement that on the Pix firewalls? Is it more appropriate to apply reflexive acl's on the interior routers? This question is in regards to the 'newly released Windows 2000 ...