Jon Marshall Fri, 09/21/2007 - 05:20
A standard access-list on a router is not stateful, whereas a firewall like the PIX does keep state, i.e.

when a conversation between two machines is set up with a firewall in the traffic path, the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet.

So if I initiate a connection to a server using telnet, my initial packet has

Source IP address: (my client)

source port: 23467 (randomly generated port)

destination IP address: (telnet server)

destination port: 23 (telnet port)


The firewall will enter this into its state table.

Now when the server responds

source IP address:

source port: 23

destination IP address:

destination port: 23467


The firewall receives this packet, checks its state table and realises this is a return packet to the initial packet sent out by the client.

So if the above packet from the server was sent to the client, but the client had not actually sent a packet first, the firewall would drop the packet because it has no entry in its state table.

A router access-list does not keep state of the connection in the same way. It merely checks the packet against its access-list and permits or denies it, but it has no concept of "return" traffic or a packet being part of an ongoing communication.
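
The telnet exchange described above, run through both kinds of filter in a small simulation. This is an added example, not code from the original post or from any Cisco product: the addresses, the client port 23467, the toy state machine and the two ACL rules are all made up for illustration. The second ACL rule mirrors the idea behind Cisco's `established` keyword (match TCP segments with ACK or RST set), which is the closest a stateless list can get to "return traffic"; the point the example makes is that an unsolicited segment from port 23 with ACK set passes that rule, while the stateful filter drops it because no SYN from the client ever created a state entry.

```python
"""Stateless ACL vs stateful firewall, simulated on the telnet example.

Added example, not from the original post. Hosts, ports and rules are
constructed for illustration; the filters are toys, not models of IOS or
PIX internals.
"""
from dataclasses import dataclass

# Constructed sample addresses (inside client, outside telnet server).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: every packet is judged on its own header only.

    Rule 1: permit TCP from the client to port 23 (the outbound telnet).
    Rule 2: permit TCP from port 23 to the client if ACK or RST is set
            (the 'established' idea, assumed here as a plain flag test).
    Anything else hits the implicit deny. Nothing is remembered.
    """
    if pkt.src_ip == CLIENT and pkt.dst_port == 23:
        return True
    if pkt.dst_ip == CLIENT and pkt.src_port == 23 and pkt.flags & {"ACK", "RST"}:
        return True
    return False


class StatefulFirewall:
    """Toy state table keyed by the 5-tuple of client-initiated flows."""

    def __init__(self):
        # (src_ip, src_port, dst_ip, dst_port) as seen from the initiator -> phase
        self.state = {}

    def inspect(self, pkt: Packet) -> bool:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.state:
            # Initiator's own side of a tracked flow (retransmit, final ACK, data).
            if "RST" in pkt.flags:
                del self.state[fwd]  # FIN half-close handling omitted for brevity
            return True
        if rev in self.state:
            # Candidate return traffic: must fit the phase the flow is in.
            phase = self.state[rev]
            if phase == "SYN_SENT" and pkt.flags >= {"SYN", "ACK"}:
                self.state[rev] = "ESTABLISHED"
                return True
            if phase == "ESTABLISHED":
                if "RST" in pkt.flags:
                    del self.state[rev]
                return True
            return False  # e.g. a bare ACK answering our SYN: not a valid reply
        # No entry either way: only a fresh SYN from the inside creates state.
        if pkt.src_ip == CLIENT and pkt.flags == {"SYN"}:
            self.state[fwd] = "SYN_SENT"
            return True
        return False


def legit_exchange():
    """The three-way handshake from the post, client port 23467 -> server port 23."""
    return [
        Packet(CLIENT, 23467, SERVER, 23, frozenset({"SYN"})),
        Packet(SERVER, 23, CLIENT, 23467, frozenset({"SYN", "ACK"})),
        Packet(CLIENT, 23467, SERVER, 23, frozenset({"ACK"})),
    ]


def unsolicited_from_server():
    """A segment from port 23 that looks like return traffic but answers nothing."""
    return [Packet(SERVER, 23, CLIENT, 23467, frozenset({"ACK"}))]


def stateless_results(packets):
    return [stateless_acl(p) for p in packets]


def stateful_results(packets):
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for name, pkts in (("handshake", legit_exchange()),
                       ("unsolicited", unsolicited_from_server())):
        print(name, "ACL:", stateless_results(pkts),
              "stateful:", stateful_results(pkts))
```

Both filters pass the real handshake. For the unsolicited packet the ACL returns permit (it matches rule 2 on the flags alone) while the stateful filter returns deny, which is the "no entry in its state table" case from the post.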