Simple ACL question

Unanswered Question
Mar 21st, 2008

Hi Friend

My question is: does an ACL work unidirectionally or bidirectionally? If it works unidirectionally, how is return traffic allowed?

If it is unidirectional and I am using TCP as the protocol, how is the ACK signal allowed?

meballard Fri, 03/21/2008 - 09:30

ACLs operate in one direction only, based on the command you use to apply it to an interface (ip access-group ACLName/Number in/out), where in refers to requests coming to that interface from devices on the same subnet that the interface is on, and out refers to packets that interface sends out to its subnet.

If you only set up an ACL in one direction, then all traffic is automatically allowed in the other direction. If you set up an ACL in both directions, then you have to take into account the traffic in both directions (this is very different from a firewall). ACLs don't have any inherent way to track the state of connections, which is what firewalls do (although there are some ways of setting up dynamic ACLs, although I have never done them).

The easiest way to do this for TCP connections is the established keyword on the ACL for the return direction, which checks part of the TCP header to see if the packet is set as being an established connection, and processes the packets based on that (although it can be spoofed, it dramatically simplifies the ACL for the return direction).

Note that UDP and I believe most other protocols do not have the established concept, so they have to be managed manually.

Joseph W. Doherty Fri, 03/21/2008 - 10:10
User Badges:
  • Super Bronze, 10000 points or more

Applied ACLs normally examine traffic flowing in one single direction, but they can look at bidirectional attributes, e.g. source and destination. An extended ACL, such as:

access-list 105 permit tcp any any ack

would permit TCP packets containing the ACK flag.

I suspect, however, you might have in mind how you allow TCP traffic that's in response to outbound traffic. If so, one common method is an ACL that examines return traffic and permits TCP packets with the established flag, e.g.

access-list 105 permit tcp any any established

vinodbharwani Fri, 03/21/2008 - 12:44

Hi Joseph

That means, when a person is using a TCP extended access list, by default the person has to add "tcp any any" at the end of the ACL.


Joseph W. Doherty Fri, 03/21/2008 - 17:23
User Badges:
  • Super Bronze, 10000 points or more

Depends what you're trying to accomplish. Since all ACLs have an implicit deny all at the end, it's up to you to determine whether you'll need a "tcp any any", permit or deny.

lamav Fri, 03/21/2008 - 18:46
User Badges:
  • Blue, 1500 points or more


It sounds like you're looking at an ACL config on a router that is only filtering traffic in one direction and leaving you to wonder how the return traffic is allowed in.

Besides what has been pointed out so far, there is such a thing as a stateful access list, like the access lists you configure on a router running a firewall feature set, or perhaps a firewall.

In those cases, TCP traffic generated on the inside of the network -- the trusted side -- and heading out to the untrusted side, has its return traffic automatically allowed back in. This is called being stateful. A temporary/virtual ACL is created for the return traffic by the IOS to allow the traffic back in.

Just a little extra something to think about.
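
The behaviour described in meballard's, Joseph's and lamav's posts above, written up as an added Python model that is not from the original thread and is not IOS code: a stateless ACL applied in one direction, with the implicit deny at its end, the `established` keyword (matches TCP segments with the ACK or RST bit set) and the `ack` keyword (matches segments with the ACK bit set), next to a stateful filter that records outbound flows and admits only matching return traffic. The names `Packet`, `Ace`, `evaluate_acl` and `StatefulFilter`, the addresses and the sample packets are all constructed for this example.

```python
"""Toy model of unidirectional ACL evaluation (constructed example, not IOS code).

It shows three things the thread discusses:
  * an ACL applied in one direction only, with the implicit deny at its end;
  * the `established` keyword, which matches TCP segments with ACK or RST set,
    and the `ack` keyword, which matches segments with ACK set;
  * a stateful filter that records outbound flows and admits only matching
    return traffic, the way a firewall feature set does.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP control bits, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: `permit|deny <proto> any any [established|ack]`."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    established: bool = False   # IOS 'established': ACK or RST bit set
    ack: bool = False           # IOS 'ack': ACK bit set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.established:
            return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
        if self.ack:
            return pkt.proto == "tcp" and "ACK" in pkt.flags
        return True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; if nothing matches, the implicit deny all applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


class StatefulFilter:
    """Stateful alternative: remember outbound flows, admit only matching return traffic."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, pkt: Packet) -> str:
        # Trusted side initiates: record the 5-tuple so the reply can be matched.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.sessions else "deny"


# Constructed traffic: inside host 10.0.0.5, outside server 198.51.100.7.
RETURN_SYN_ACK = Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
UNSOLICITED_SYN = Packet("tcp", "198.51.100.7", 12345, "10.0.0.5", 22, frozenset({"SYN"}))
SPOOFED_ACK = Packet("tcp", "198.51.100.7", 12345, "10.0.0.5", 22, frozenset({"ACK"}))
DNS_QUERY = Packet("udp", "10.0.0.5", 50000, "198.51.100.7", 53)
DNS_REPLY = Packet("udp", "198.51.100.7", 53, "10.0.0.5", 50000)

# Models "access-list 105 permit tcp any any established" applied inbound on the outside interface.
ACL_105 = [Ace("permit", "tcp", established=True)]


def demo() -> dict:
    stateful = StatefulFilter()
    stateful.outbound(DNS_QUERY)
    return {
        "return_syn_ack": evaluate_acl(ACL_105, RETURN_SYN_ACK),    # permit: reply to our SYN
        "unsolicited_syn": evaluate_acl(ACL_105, UNSOLICITED_SYN),  # deny: implicit deny all
        "spoofed_ack": evaluate_acl(ACL_105, SPOOFED_ACK),          # permit: the weakness meballard notes
        "udp_reply_stateless": evaluate_acl(ACL_105, DNS_REPLY),    # deny: no 'established' for UDP
        "udp_reply_stateful": stateful.inbound(DNS_REPLY),          # permit: matches recorded flow
        "spoofed_ack_stateful": stateful.inbound(SPOOFED_ACK),      # deny: no matching session
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The `spoofed_ack` result is the point meballard raised: a stateless `established` entry only inspects control bits, so an inbound segment with ACK set is permitted whether or not an inside host ever opened that connection, while the stateful table denies it because no recorded flow matches. The `udp_reply_stateless` result is the reason UDP return traffic has to be permitted explicitly in a plain ACL.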


vinodbharwani Sat, 03/22/2008 - 03:31

Hi Victor

That means in the firewall case return traffic is automatically allowed because it is a stateful firewall,

while in the router ACL case, I need to implement the return traffic's ACL in my router.

Please correct me if I am wrong.

