Is "permit tcp any any established" assumed on ASA/PIX?

Answered Question
Jan 30th, 2008

When configuring IOS-based routers, I've normally been putting an incoming access-list on the WAN port: "access-list whatever permit tcp any any established"

I noticed that I don't have to do that on the ASA/PIX... am I missing something, or is the "established" connection assumed by default on a firewall appliance?

Correct Answer
Collin Clark Wed, 01/30/2008 - 08:46

The ASA tracks the state of connections whereas a router does not (unless you're using CBAC). The established keyword is like making the connection stateful, although not in a very elegant manner.

HTH

srue Wed, 01/30/2008 - 10:42

The established keyword allows *all* TCP packets in with the special bits set (SYN/FIN/RST), regardless of whether or not they are packets that are part of an existing conversation.

If you are using an IOS device, you need to use either CBAC or reflexive ACLs to get true (or semi-true) stateful properties, which you automatically get with a firewall device.
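Both answers above make the same point: the `established` keyword is a per-packet flag test, not connection tracking. The following is an added example, not code from this thread or from Cisco. It models the check that IOS `permit tcp any any established` performs (per Cisco's documentation, a match when the TCP ACK or RST bit is set) next to a toy connection table of the kind a stateful firewall such as the ASA keeps. The `StatefulFilter` class, the addresses and the sample segments are constructed for illustration and are a deliberate simplification of real ASA behaviour.

```python
"""IOS `established` (flag check) versus a stateful connection table.

Added example, not from the original thread. It models the rule quoted
in the question:

    access-list 101 permit tcp any any established

Assumed fact (Cisco IOS ACL documentation): `established` matches a TCP
segment whose ACK or RST flag is set. StatefulFilter is a hypothetical
toy, not ASA code; it ignores teardown (FIN/RST) and sequence numbers.
"""
from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_permits(seg: Segment) -> bool:
    """What IOS `established` decides: a flag test with no memory."""
    return bool(seg.flags & (ACK | RST))


class StatefulFilter:
    """Toy stateful filter: inbound (outside -> inside) TCP is permitted
    only when an inside host already opened that connection outbound."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.conns: set[tuple[str, int, str, int]] = set()

    def outbound(self, seg: Segment) -> bool:
        # A bare SYN leaving the inside creates a connection entry.
        if seg.flags & SYN and not seg.flags & ACK:
            self.conns.add((seg.src, seg.sport, seg.dst, seg.dport))
        return True

    def inbound(self, seg: Segment) -> bool:
        # Reverse the tuple: the reply's dst/dport is our inside src/sport.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.conns


def compare() -> dict[str, tuple[str, str]]:
    """Run constructed segments through both filters.

    Returns {case: (established_verdict, stateful_verdict)}.
    """
    fw = StatefulFilter()
    inside, outside, attacker = "10.0.0.5", "203.0.113.9", "198.51.100.7"

    # Legitimate traffic: the inside host opens a connection to outside:443.
    fw.outbound(Segment(inside, 51000, outside, 443, SYN))

    cases = {
        # The server's SYN/ACK reply to the connection opened above.
        "reply_to_outbound": Segment(outside, 443, inside, 51000, SYN | ACK),
        # Unsolicited probes from an address nobody inside talked to.
        "ack_probe": Segment(attacker, 40000, inside, 22, ACK),
        "rst_probe": Segment(attacker, 40000, inside, 22, RST),
        "syn_probe": Segment(attacker, 40000, inside, 22, SYN),
    }

    def verdict(ok: bool) -> str:
        return "permit" if ok else "deny"

    return {
        name: (verdict(established_permits(seg)), verdict(fw.inbound(seg)))
        for name, seg in cases.items()
    }


if __name__ == "__main__":
    for name, (est, stateful) in compare().items():
        print(f"{name:18s} established={est:6s} stateful={stateful}")
```

The `ack_probe` and `rst_probe` rows are why the thread calls the keyword inelegant: an unsolicited segment that merely has ACK (or RST) set passes the `established` ACL, which is exactly what an ACK scan relies on, while the connection table denies it because no inside host opened that connection. Getting the table-based behaviour on IOS means reflexive ACLs or CBAC, as srue says; on the ASA it is the default for TCP.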
