01-30-2008 08:31 AM - edited 03-11-2019 04:56 AM
When configuring IOS-based routers, I've normally been putting an incoming access-list on the WAN port: "access-list whatever permit tcp any any established"
I noticed that I don't have to do that on the ASA/PIX... am I missing something, or is the "established" connection assumed by default on a firewall appliance?
01-30-2008 08:46 AM
The ASA tracks the state of connections whereas a router does not (unless you're using CBAC). The established keyword is like making the connection stateful, although not in a very elegant manner.
HTH
01-30-2008 10:42 AM
The established keyword allows *all* TCP packets in with the special bits set (syn/fin/rst), regardless of whether or not they are packets that are part of an existing conversation.
If you are using an IOS device, you need to use either CBAC or reflexive ACLs to get the true (or semi-true) stateful properties that you automatically get with a firewall device.
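The difference the two replies above describe is easy to see in a small model. The following is an added example written for this thread; it is not from the Cisco documentation or from any poster. It models the IOS "established" match as Cisco documents it (a match when the TCP ACK or RST bit is set, with no lookup of any connection table) next to a minimal stateful tracker of the kind an ASA/PIX, CBAC or a reflexive ACL provides. The addresses, ports and packets are constructed for illustration; the Packet class and StatefulFilter are simplifications and track nothing beyond the 4-tuple.

```python
# Added example: a toy model, written for this thread and not taken from Cisco
# documentation or from any poster, contrasting what an IOS access-list
# "established" match looks at with what a stateful firewall tracks.
# Addresses, ports and packets below are constructed for illustration.

from dataclasses import dataclass

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def matches_established(pkt: Packet) -> bool:
    """'permit tcp any any established': IOS matches when the ACK or RST bit
    is set. It never checks whether a connection exists, so a crafted
    ACK-only segment from anywhere is accepted."""
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Minimal connection tracker (assumption: a simplified stand-in for
    ASA/PIX, CBAC or reflexive-ACL behaviour). Inbound traffic is accepted only
    if it belongs to a TCP connection opened from the inside, i.e. a SYN was
    seen going out. Real firewalls also check sequence numbers and apply
    timeouts; this model does not."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        # A bare SYN leaving the inside creates a connection entry.
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True  # outbound traffic is permitted in this model

    def inbound(self, pkt: Packet) -> bool:
        # Look the reply direction up against the tracked 4-tuple.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.conns:
            return False
        if pkt.flags & (FIN | RST):
            self.conns.discard(key)  # connection torn down, stop tracking it
        return True


def compare_inbound(outbound: list[Packet], inbound: list[Packet]) -> list[tuple[bool, bool]]:
    """Run the same inbound packets through both checks; each result is
    (established_permits, stateful_permits)."""
    fw = StatefulFilter()
    for pkt in outbound:
        fw.outbound(pkt)
    return [(matches_established(p), fw.inbound(p)) for p in inbound]


# Constructed traffic: an inside host opens a web connection, then two
# unsolicited packets arrive from an unrelated outside host.
INSIDE, WEB, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
OUTBOUND = [Packet(INSIDE, 40000, WEB, 80, SYN)]
INBOUND = [
    Packet(WEB, 80, INSIDE, 40000, SYN | ACK),   # legitimate reply to our SYN
    Packet(ATTACKER, 1234, INSIDE, 22, ACK),     # ACK-only probe, no connection
    Packet(ATTACKER, 1234, INSIDE, 22, SYN),     # plain SYN, new connection attempt
]


def demo() -> list[tuple[bool, bool]]:
    return compare_inbound(OUTBOUND, INBOUND)


if __name__ == "__main__":
    for pkt, (est, stateful) in zip(INBOUND, demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} flags={pkt.flags:#04x} "
              f"established={'permit' if est else 'deny'} "
              f"stateful={'permit' if stateful else 'deny'}")
```

The second inbound packet is the one that matters: an ACK-only segment aimed at port 22 from a host the inside never talked to passes "established" (the ACK bit is set, which is all the ACL looks at) but is dropped by the tracker because no matching outbound SYN was ever recorded. This is why the keyword is only a rough approximation of stateful filtering and why CBAC or reflexive ACLs are the IOS equivalents of what the ASA does by default.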