Hi everybody!
Please consider the following:
r1(config)# access-list 110 permit tcp any any established
r1(config)# int e0
r1(config-if)# ip access-group 110 out
where r1 is the router and h1 is the host (WinXP).
Now when I try to telnet into r1 from h1, I cannot get through. Why? The router should allow telnet, because the "established" option will cause the router to check whether the ACK bit is set. When h1 initiates a TCP connection with r1, r1 sends the reply with the ACK bit set, thus the connection should be allowed, but in my case it was not.
Thanks a lot and have a nice weekend!
My understanding of the documentation, and my experience with implementing access lists with the established parameter, is that any packet with the ACK bit OR the reset bit set will be permitted by the access list. So in your example, if the packet has the reset bit set but not the ACK bit, the access list would permit that packet.
In re-reading my answer I realize that I was not clear about the reason when I said that it would make no sense to apply the access list outbound when the situation is about a host that is locally connected. The reason for this is that an outbound access list does not filter traffic that is generated by the router itself. So if the host telnets to the router, then the router's responses go back no matter what an access list might say.
If the host were telnetting to some device on the other side of the router and the host telnet traffic were going through the router then perhaps the access list with established might make more sense.
The established keyword is almost always used on an access list applied inbound and not outbound as in your question. And especially when the question is about a host that is directly connected to the router, it makes no sense to configure an access list with the established parameter and apply it outbound.
If the telnet from the host to the router did not work, it would have been for some other reason than the access list. Is there perhaps an access-class applied to the vty lines that controls who can do remote access to the router? Are the vty lines perhaps configured to accept SSH but not telnet access?
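The two points made in the replies above (an "established" entry matches on ACK or RST, and an outbound ACL never sees router-generated traffic) can be traced through the telnet handshake with a small model. This is an added example written for this thread, not code from the thread or from Cisco; the addresses of r1 and h1 are assumed.

```python
# Added example: model of how "access-list 110 permit tcp any any established"
# treats a telnet handshake between host h1 and directly connected router r1,
# depending on whether the ACL is applied "in" or "out" on e0.
from dataclasses import dataclass

ROUTER_IP = "10.0.0.1"   # assumed address of r1 interface e0
HOST_IP = "10.0.0.10"    # assumed address of h1


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    flags: frozenset      # e.g. frozenset({"SYN", "ACK"})


def established_matches(pkt: TcpPacket) -> bool:
    """'established' matches when the ACK bit or the RST bit is set."""
    return "ACK" in pkt.flags or "RST" in pkt.flags


def acl_110(pkt: TcpPacket) -> str:
    """The single permit line followed by the implicit deny that ends
    every IOS access list."""
    return "permit" if established_matches(pkt) else "deny"


# The handshake as seen on e0: host->router packets arrive ("in"),
# router->host packets leave ("out").  Constructed sample traffic.
HANDSHAKE = [
    (TcpPacket(HOST_IP, ROUTER_IP, frozenset({"SYN"})), "in"),
    (TcpPacket(ROUTER_IP, HOST_IP, frozenset({"SYN", "ACK"})), "out"),
    (TcpPacket(HOST_IP, ROUTER_IP, frozenset({"ACK"})), "in"),
]


def trace(acl_direction: str) -> list:
    """Verdict per handshake packet with ACL 110 applied in acl_direction."""
    verdicts = []
    for pkt, pkt_direction in HANDSHAKE:
        if pkt_direction != acl_direction:
            verdicts.append("not filtered (other direction)")
        elif acl_direction == "out" and pkt.src == ROUTER_IP:
            # Outbound ACLs are not consulted for router-generated traffic.
            verdicts.append("not filtered (router-generated)")
        else:
            verdicts.append(acl_110(pkt))
    return verdicts


def session_completes(acl_direction: str) -> bool:
    """True when no handshake packet is denied."""
    return "deny" not in trace(acl_direction)


if __name__ == "__main__":
    for d in ("out", "in"):
        print(f"ACL {d}: {trace(d)} -> completes={session_completes(d)}")
```

Applied outbound, the ACL never touches a single packet of the session, which is why it cannot explain a failed telnet; applied inbound with only the established line, the host's initial SYN is dropped by the implicit deny, so an explicit permit for telnet to the router would have to precede it.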