ACL

amolak_cisco
Level 1

Hi Guys,

Is there any difference between the ACL entries below?

access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023

OR

access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023

I just want to know:

Will the word "established" make any difference in the behaviour of the above ACL?

Thanks

Amolak

2 Accepted Solutions


Richard Burts
Hall of Fame

Amolak

Yes, the established keyword does make a difference in the ACL behavior. If you permit tcp ... established, then the ACL will permit TCP packets from outside sources to pass through only if the packet has the TCP ACK bit set (which means that it is a response to a TCP session that was initiated from inside). If the ACL has permit tcp ... without specifying established, then it will permit all TCP packets from that address. This has the effect of allowing the outside host to initiate TCP connections into your network, whereas specifying established will not allow the remote host to initiate a TCP session but will allow it to respond to sessions initiated from inside.

HTH

Rick


Yes, just like Rick said.

If you want FTP to function correctly, the second ACL should be used.

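To make the difference between the two ACL variants concrete, here is an added Python illustration (not code from the thread, Cisco, or IOS itself) that parses the three entries from the question and evaluates a few constructed packets against both variants. It models IOS semantics as documented: entries are tried in order, the first match wins, there is an implicit deny at the end, and an entry with established matches only segments that carry the ACK or RST bit. The matcher is deliberately limited to host keywords and eq/gt/lt port operators, which is all the question needs; the packets and their port numbers are constructed for the example.

```python
import re
from dataclasses import dataclass

# The two ACL variants from the thread, copied so the matcher can run against them.
ACL_WITH_ESTABLISHED = """
access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established
access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21
access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023
"""
ACL_WITHOUT_ESTABLISHED = ACL_WITH_ESTABLISHED.replace(" established", "")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set  # subset of {"SYN", "ACK", "RST", "FIN"}


# Only the 'host' form with optional eq/gt/lt port operators is supported here.
ENTRY_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+tcp\s+"
    r"host\s+(\S+)(?:\s+(eq|gt|lt)\s+(\d+))?\s+"
    r"host\s+(\S+)(?:\s+(eq|gt|lt)\s+(\d+))?"
    r"(\s+established)?\s*$"
)


def parse_acl(text):
    """Parse extended ACL lines into a list of entry dicts, in configured order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported entry: {line}")
        _num, action, src, sop, sport, dst, dop, dport, est = m.groups()
        entries.append({
            "action": action,
            "src": src, "sport": (sop, int(sport)) if sop else None,
            "dst": dst, "dport": (dop, int(dport)) if dop else None,
            "established": est is not None,
        })
    return entries


def port_matches(cond, port):
    """Apply an (operator, value) port condition; None means 'any port'."""
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def evaluate(entries, pkt):
    """Return 'permit' or 'deny' under first-match semantics with an implicit deny."""
    for e in entries:
        if pkt.src != e["src"] or pkt.dst != e["dst"]:
            continue
        if not port_matches(e["sport"], pkt.sport) or not port_matches(e["dport"], pkt.dport):
            continue
        # 'established' matches only segments with ACK or RST set (IOS documents
        # ACK-or-RST), so a bare SYN that opens a new connection is skipped here.
        if e["established"] and not (pkt.flags & {"ACK", "RST"}):
            continue
        return e["action"]
    return "deny"


def compare():
    """Evaluate constructed packets against both variants; returns name -> (with, without)."""
    with_est = parse_acl(ACL_WITH_ESTABLISHED)
    without_est = parse_acl(ACL_WITHOUT_ESTABLISHED)
    packets = {
        # constructed: 1.1.1.1 tries to open a brand-new connection to port 20
        "new_syn_to_20": Packet("1.1.1.1", 40000, "2.2.2.2", 20, {"SYN"}),
        # constructed: 1.1.1.1 answers a data connection that 2.2.2.2:20 opened
        "reply_to_20": Packet("1.1.1.1", 40000, "2.2.2.2", 20, {"SYN", "ACK"}),
        # constructed: control channel to port 21, unaffected by 'established'
        "syn_to_21": Packet("1.1.1.1", 40001, "2.2.2.2", 21, {"SYN"}),
    }
    return {name: (evaluate(with_est, p), evaluate(without_est, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:15s} with established: {a:6s} without: {b}")
```

Running it shows the point of Rick's answer: the bare SYN from 1.1.1.1 to port 20 is denied by the first variant and permitted by the second, while the ACK-carrying reply and the port 21 control connection are permitted by both. The same approach (feed representative SYN and ACK packets through the rule set in order) is a cheap way to sanity-check any ACL change before it is pushed to a device.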

