extended acl and "established" option

Answered Question
Feb 20th, 2009

Hi every body!

Please consider the following:

r1(config)# access-list 110 permit tcp any any established

r1(config)# int e0

r1(config-if)# ip access-group 110 out

r1 e0-------------h1

where r1 is a router

h1 is a host (WinXP)

Now when I try to telnet into r1 from h1, I could not get through. Why? Because the router should allow telnet, since the "established" option will cause the router to check whether the ACK bit is set. When h1 initiates a TCP connection with r1, r1 sends the reply with the ACK bit set, thus the connection should be allowed, but in my case it was not.

Any suggestion?

Thanks a lot and have a nice weekend!

Correct Answer
Richard Burts Fri, 02/20/2009 - 14:33

Sarah

The established keyword is almost always used on an access list applied inbound and not outbound as in your question. And especially when the question is about a host that is directly connected to the router, it makes no sense to configure an access list with the established parameter and apply it outbound.

If the telnet from the host to the router did not work, it would have been for some other reason than the access list. Is there perhaps an access-class applied to the vty lines that controls who can do remote access to the router? Are the vty lines perhaps configured to accept SSH but not telnet access?

HTH

Rick

Correct Answer
Richard Burts Fri, 02/20/2009 - 14:36

Sarah

In re-reading my answer I realize that I was not clear about the reason when I said that it would make no sense to apply the access list outbound when the situation is about a host that is locally connected. The reason for this is that an outbound access list does not filter traffic that is generated by the router itself. So if the host telnets to the router, then the router's responses go back no matter what an access list might say.

If the host were telnetting to some device on the other side of the router and the host telnet traffic were going through the router then perhaps the access list with established might make more sense.

HTH

Rick

sarahr202 Fri, 02/20/2009 - 16:20

Thanks for your reply Rick!

I did find out that access lists do not apply to locally generated packets.

Based on that, yes, it does not matter whether the access list is applied inbound or outbound; the router simply does not check the access list for locally generated packets.

When we use the "established" option, what control bits are checked in the TCP header? For example, the book says the ACK bit or the reset bit. Let's say we allow the telnet connection on router r1:

access-list 110 permit tcp any any established

int e0

ip access-group 110 in

Now if r1 receives a packet with the reset bit set and the ACK bit not set in the TCP header, will the packet be permitted by r1?

Thanks a lot!

Correct Answer
Richard Burts Fri, 02/20/2009 - 18:46

Sarah

My understanding of the documentation and my experience with implementing access lists with the established parameter is that any packet with the ack OR with the reset bit set will be permitted by the access list. So in your example if the packet has the reset bit but not the ack bit set then the access list would permit that packet.

HTH

Rick
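The two points of the thread that matter for a filter design, the ACK-or-RST test Rick states above and his earlier remark that "established" only makes sense for traffic passing through the router (applied inbound on the interface facing the far side, so that replies to connections the inside host opened are let back in), can be checked against real TCP header bytes. The following is an added example written for this page, not code from the thread or from Cisco: it models the "established" test on the flag byte of a TCP header and runs a few constructed segments through an ACL of the form `access-list 110 permit tcp any any established` followed by IOS's implicit deny. The header builder, the port numbers and the sample segments are all constructed for illustration; the model does not reproduce the other IOS behaviour mentioned above, that ACLs are not applied to traffic the router itself generates.

```python
"""Stateless model of the Cisco IOS ACL 'established' match.

Added example (not from the original thread). Per the thread, 'established'
permits a TCP segment when its ACK bit OR its RST bit is set; everything else
falls through to the implicit 'deny ip any any' at the end of the ACL.
The header builder, ports and sample segments below are constructed for
illustration, not captured traffic.
"""
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The ACL is assumed to be applied inbound on r1's interface facing the far
# side, so every segment evaluated here is one arriving from that side.


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Return a minimal 20-byte TCP header (no options, checksum left zero)."""
    # Data offset 5 (20 bytes) in the top 4 bits, flags in the low 8 bits.
    offset_and_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_and_flags, 65535, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """Flag byte of the header; only these 8 bits are consulted below."""
    return tcp_header[13]


def matches_established(tcp_header: bytes) -> bool:
    """The 'established' test: ACK set OR RST set. No connection state,
    no sequence numbers, nothing else is looked at."""
    return bool(tcp_flags(tcp_header) & (ACK | RST))


def evaluate_acl_110(tcp_header: bytes) -> str:
    """access-list 110 permit tcp any any established
       (implicit) deny ip any any"""
    return "permit" if matches_established(tcp_header) else "deny"


def classify_samples() -> dict:
    """Run constructed segments through the ACL and return the verdicts."""
    samples = {
        # Someone on the far side trying to open a new connection to port 23.
        "outside SYN": build_tcp_header(40000, 23, SYN),
        # Reply to a connection the inside host opened: SYN/ACK from the server.
        "return SYN/ACK": build_tcp_header(23, 40000, SYN | ACK),
        # Closed port on the far side answers with RST only (no ACK bit).
        "return RST only": build_tcp_header(23, 40000, RST),
        # Unsolicited ACK-only segment from the far side, e.g. an ACK scan.
        "outside ACK-only probe": build_tcp_header(40000, 23, ACK),
    }
    return {name: evaluate_acl_110(hdr) for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24s} -> {verdict}")
```

The last sample is the caveat a practitioner should take from this: because the test is stateless, any segment with ACK set is permitted whether or not a connection exists, which is exactly what an ACK scan relies on to map a filter. "established" keeps the far side from completing new connections inward; it does not substitute for stateful inspection (CBAC, the zone-based firewall or a reflexive ACL) where that is needed.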

Posted February 20, 2009 at 2:10 PM