ACL

Answered Question
Jun 25th, 2007

Hi Guys,

Is there any difference between the below ACL entries?

access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023

OR

access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023

I just want to know:

Will the word "established" make any difference in above ACL behaviour?

Thanks

Amolak

Correct Answer
Richard Burts Mon, 06/25/2007 - 06:03

Amolak

Yes, the established keyword does make a difference in the ACL behavior. If you permit tcp ... established, then the ACL will permit tcp packets from outside sources to pass through only if the packet has the tcp ACK bit set (which means that this is a response to a TCP session which was initiated from inside). If the ACL has permit tcp ... without specifying established then it will permit all TCP packets from that address. This has the effect of allowing the outside host to initiate TCP connections into your network, but specifying established will not allow the remote host to initiate a TCP session but will allow it to respond to sessions initiated from inside.

HTH

Rick

Correct Answer
Pavel Bykov Mon, 06/25/2007 - 06:19

Yes, just like Rick said.

If you want FTP to function correctly the second ACL should be used.
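As an added example (not code from this thread, from Rick or Pavel, or from Cisco), here is a small Python model of how an IOS extended ACL evaluates TCP segments, run over both ACLs from the question so the effect of `established` is visible side by side. It assumes the documented IOS semantics: entries are tested in order, the first match wins, anything unmatched hits the implicit deny, and `established` matches a segment that has the ACK or RST bit set. The sample segments are constructed; 1.1.1.1 is treated as the remote host because it is the source address in every entry.

```python
"""Model of Cisco IOS extended-ACL matching for TCP, applied to the two ACLs
from the thread. Added example, not code from the thread or from Cisco.

Assumed IOS semantics: entries are tested in order, first match wins, an
implicit deny ends the list, and `established` matches when ACK or RST is set.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Grammar for the subset used in the thread: host/host with optional eq/gt/lt.
ENTRY_RE = re.compile(
    r"access-list\s+\d+\s+(?P<action>permit|deny)\s+tcp\s+"
    r"host\s+(?P<src>\S+)(?:\s+(?P<sop>eq|gt|lt)\s+(?P<sport>\d+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+(?P<dop>eq|gt|lt)\s+(?P<dport>\d+))?"
    r"(?P<est>\s+established)?\s*$"
)

# The two ACLs exactly as posted in the question.
ACL_WITH_ESTABLISHED = """
access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established
access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21
access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023
"""
ACL_WITHOUT_ESTABLISHED = ACL_WITH_ESTABLISHED.replace(" established", "")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Entry:
    action: str
    src: str
    sop: Optional[str]
    sport: Optional[int]
    dst: str
    dop: Optional[str]
    dport: Optional[int]
    established: bool

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and _port_ok(self.sop, self.sport, p.sport)
                and _port_ok(self.dop, self.dport, p.dport)
                # `established` is a per-segment flag check, not state tracking
                and (not self.established or bool(p.flags & {"ACK", "RST"})))


def _port_ok(op: Optional[str], want: Optional[int], have: int) -> bool:
    if op is None:          # no port qualifier: any port matches
        return True
    return {"eq": have == want, "gt": have > want, "lt": have < want}[op]


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported entry: {line!r}")
        g = m.groupdict()
        entries.append(Entry(
            g["action"], g["src"], g["sop"],
            int(g["sport"]) if g["sport"] else None,
            g["dst"], g["dop"],
            int(g["dport"]) if g["dport"] else None,
            g["est"] is not None))
    return entries


def evaluate(acl: List[Entry], p: Packet) -> str:
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"  # implicit deny at the end of every IOS ACL


def compare(p: Packet) -> Tuple[str, str]:
    """Return (result with established, result without established)."""
    return (evaluate(parse_acl(ACL_WITH_ESTABLISHED), p),
            evaluate(parse_acl(ACL_WITHOUT_ESTABLISHED), p))


if __name__ == "__main__":
    # Constructed sample segments; 1.1.1.1 is the remote side in every entry.
    samples = [
        ("new connection 1.1.1.1:40000 -> 2.2.2.2:20 (SYN)",
         Packet("1.1.1.1", 40000, "2.2.2.2", 20, frozenset({"SYN"}))),
        ("reply 1.1.1.1:40000 -> 2.2.2.2:20 (ACK)",
         Packet("1.1.1.1", 40000, "2.2.2.2", 20, frozenset({"ACK"}))),
        ("control 1.1.1.1:40000 -> 2.2.2.2:21 (SYN)",
         Packet("1.1.1.1", 40000, "2.2.2.2", 21, frozenset({"SYN"}))),
        ("data 1.1.1.1:20 -> 2.2.2.2:5000 (SYN)",
         Packet("1.1.1.1", 20, "2.2.2.2", 5000, frozenset({"SYN"}))),
        ("unrelated 3.3.3.3:40000 -> 2.2.2.2:21 (SYN)",
         Packet("3.3.3.3", 40000, "2.2.2.2", 21, frozenset({"SYN"}))),
    ]
    print(f"{'segment':<48} {'with established':<18} without")
    for label, pkt in samples:
        with_est, without = compare(pkt)
        print(f"{label:<48} {with_est:<18} {without}")
```

The only row where the two ACLs differ is the SYN to port 20: with `established` it is denied, so 1.1.1.1 cannot open a new connection to 2.2.2.2's data port, which is the behaviour Rick describes; without it the SYN is permitted, which is why Pavel recommends the second ACL when FTP has to work through it. Entries 2 and 3 carry no `established`, so they behave identically in both lists. Keep in mind that `established` inspects the flag bits of each segment on its own rather than tracking connections, so a stateful inspection feature is required when genuine session tracking is the goal.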
