Solved: Is "permit tcp any any established" assumed on ASA/PIX?

thomasdzubin · ‎01-30-2008

When configuring IOS-based routers, I've been normally putting in an incoming access-list on the WAN port: "access-list whatever permit tcp any any established"

I noticed that I don't have to have to do that on the ASA/PIX... am I missing something or is the "established" connection assumed by default on a firewall appliance?

Collin Clark · ‎01-30-2008

The ASA tracks the state of connections whereas a router does not (unless you're using CBAC). The established keyword is like making the connection stateful, although not in a very elegant manner.

HTH

View solution in original post

Collin Clark · ‎01-30-2008

The ASA tracks the state of connections whereas a router does not (unless you're using CBAC). The established keyword is like making the connection stateful, although not in a very elegant manner.

HTH

srue · ‎01-30-2008

the established keyword allows *all* tcp packets in with the special bits set, syn/fin/rst, regardless of whether or not they are packets that are part of an existing conversation.

If you are using an IOS device, you need to use either CBAC or reflexive acl's to get true (or semi-true) stateful properties, that you automatically get with a firewall device.