I currently have an ACL in my 6500 that allows established TCP connections to come back into my network. Something like 'permit tcp any host 10.0.0.1 established'. Is it possible to do something similar with UDP? I need to allow a machine on my inside network to communicate with a time server over UDP port 123, but I don't see an 'established' option for UDP ACLs.
You might look at reflexive access lists. Beware of ending up CPU-switching the traffic, though. I think they are supposed to be hardware-switched, but I seem to recall doubting that in some case or other. The switching comments apply to the 6500.
The established method cannot be used on UDP since it uses the TCP flags. It blocks packets with SYN set and ACK not set. This is only the case for the first packet in a TCP session, so no sessions can be initiated through an "established" ACL.
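As an added illustration (not code from either reply above, and not Cisco's implementation), here is a small Python model of the two matching rules the answers describe: the TCP-only `established` test, which just looks at the ACK/RST bits, and a reflexive entry, which records the mirror image of an outbound UDP packet so the NTP reply can get back in. The hosts, ports, the 60-second timeout and the constructed sample traffic are assumptions chosen for the example; on IOS the corresponding keywords are `reflect` on the outbound ACL entry and `evaluate` in the inbound ACL, and the timeout is an idle timeout that is refreshed by matching traffic, which is how it is modelled here.

```python
"""Model of two Cisco-style ACL matching rules (added example, not IOS code).

- 'established' (TCP only): permit when ACK or RST is set, so a bare SYN,
  the first packet of a new session, is dropped.
- reflexive entry (usable for UDP): a permitted outbound packet creates a
  temporary reverse entry (src/dst address and port swapped); an inbound
  packet is permitted only if it matches a live entry before it idles out.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# TCP flag bits as they appear in the header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0      # TCP flags; ignored for UDP


def tcp_established(pkt: Packet) -> bool:
    """'established' semantics: match only TCP packets with ACK or RST set."""
    if pkt.proto != "tcp":
        return False    # the keyword is only accepted on TCP entries
    return bool(pkt.flags & (ACK | RST))


# (proto, src, sport, dst, dport) as seen on the *inbound* packet
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class ReflexiveAcl:
    """Software model (assumption) of IOS 'reflect' / 'evaluate'."""
    timeout: float = 300.0
    entries: Dict[FlowKey, float] = field(default_factory=dict)

    def reflect(self, pkt: Packet, now: float) -> None:
        """Called for each permitted outbound packet: record its mirror image."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """Called for each inbound packet: permit only if a live reverse entry exists."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                       # unsolicited: nothing reflected it
        if now > expiry:
            del self.entries[key]              # idled out; reply no longer welcome
            return False
        self.entries[key] = now + self.timeout # idle timer refreshed on a match
        return True


def ntp_scenario() -> dict:
    """Walk constructed sample traffic through both rules and report verdicts."""
    acl = ReflexiveAcl(timeout=60)
    inside, ntp, outsider = "10.0.0.1", "192.0.2.10", "203.0.113.7"  # assumed addresses
    query = Packet("udp", inside, 40123, ntp, 123)
    reply = Packet("udp", ntp, 123, inside, 40123)
    unsolicited = Packet("udp", outsider, 123, inside, 40123)
    syn = Packet("tcp", outsider, 4444, inside, 22, flags=SYN)
    synack = Packet("tcp", ntp, 443, inside, 50000, flags=SYN | ACK)
    forged_ack = Packet("tcp", outsider, 4444, inside, 22, flags=ACK)

    acl.reflect(query, now=0)           # inside host sends its NTP request at t=0
    return {
        "udp_reply_in_window": acl.evaluate(reply, now=5),          # True
        "udp_unsolicited": acl.evaluate(unsolicited, now=5),        # False
        "udp_reply_after_timeout": acl.evaluate(reply, now=200),    # False
        "udp_vs_established": tcp_established(query),               # False
        "tcp_syn_vs_established": tcp_established(syn),             # False
        "tcp_synack_vs_established": tcp_established(synack),       # True
        "forged_ack_vs_established": tcp_established(forged_ack),   # True
    }


if __name__ == "__main__":
    for name, verdict in ntp_scenario().items():
        print(f"{name:28s} {'permit' if verdict else 'deny'}")
```

The last entry in the scenario is the caveat worth remembering: `established` is a flag check, not session tracking, so any inbound packet with ACK set passes it whether or not a session exists. The reflexive entry does track the session, which is why it can cover UDP at all, but it also needs per-flow state, which is the reason for the CPU-switching concern raised above.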