ACL

Answered Question
Jun 25th, 2007
Hi Guys,


Is there any difference between the ACL entries below?


access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023


OR


access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023


I just want to know:

Will the word "established" make any difference in the above ACL behaviour?


Thanks

Amolak


Correct Answer by Pavel Bykov about 9 years 11 months ago

Yes, just like Rick said.


If you want FTP to function correctly the second ACL should be used.

Correct Answer by Richard Burts about 9 years 11 months ago

Amolak


Yes, the established keyword does make a difference in the ACL behavior. If you permit tcp ... established, then the ACL will permit tcp packets from outside sources to pass through only if the packet has the tcp ACK bit set (which means that this is a response to a TCP session which was initiated from inside). If the ACL has permit tcp ... without specifying established, then it will permit all TCP packets from that address. This has the effect of allowing the outside host to initiate TCP connections into your network, but specifying established will not allow the remote host to initiate a TCP session but will allow it to respond to sessions initiated from inside.


HTH


Rick
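A small evaluator for the two ACL variants in the question, added here as an illustration; it is not code from the thread or any Cisco tool, and the tuple form of the entries and the sample packets are constructed for the example:

```python
# Added example (not from the thread): a toy evaluator for the two ACL
# variants in the question, showing what the "established" keyword changes.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit
    rst: bool = False   # TCP RST bit; IOS "established" matches ACK or RST

def port_ok(spec, port):
    """spec is None (any port), ('eq', n) or ('gt', n)."""
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port > n

def entry_matches(entry, p):
    src, sspec, dst, dspec, established = entry
    if (p.src, p.dst) != (src, dst):
        return False
    if not (port_ok(sspec, p.sport) and port_ok(dspec, p.dport)):
        return False
    # Without "established" any TCP segment matches, including a bare SYN.
    return (p.ack or p.rst) if established else True

def acl_permits(acl, p):
    """First matching permit entry wins; no match means the implicit deny."""
    return any(entry_matches(e, p) for e in acl)

# (src, src-port spec, dst, dst-port spec, established) for access-list 110
ACL_WITH_ESTABLISHED = [
    ("1.1.1.1", ("gt", 1023), "2.2.2.2", ("eq", 20), True),
    ("1.1.1.1", None,         "2.2.2.2", ("eq", 21), False),
    ("1.1.1.1", ("eq", 20),   "2.2.2.2", ("gt", 1023), False),
]
ACL_WITHOUT = [(s, sp, d, dp, False) for s, sp, d, dp, _ in ACL_WITH_ESTABLISHED]

# Constructed test traffic from 1.1.1.1 towards 2.2.2.2.
NEW_SYN_TO_20 = Pkt("1.1.1.1", 2000, "2.2.2.2", 20)          # new session, no ACK
REPLY_TO_20 = Pkt("1.1.1.1", 2000, "2.2.2.2", 20, ack=True)  # reply to a session
SYN_TO_21 = Pkt("1.1.1.1", 3000, "2.2.2.2", 21)              # control channel

def compare(p):
    """Return (permitted by the ACL with established, permitted by the one without)."""
    return acl_permits(ACL_WITH_ESTABLISHED, p), acl_permits(ACL_WITHOUT, p)
```

Only the first entry differs between the two lists, so a fresh SYN from a high port to port 20 is the one case where the results diverge.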
