Cisco access-list

chris.lau
Level 1

Hello there,

Can I know what is this ACL meant? What is the "established" command for in this ACL?

access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established

Thank you

3 Replies

vinayachandran
Level 1

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

Transmission Control Protocol (TCP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [time-range time-range-name] [fragments] [log [word] | log-input [word]]

Ganesh Hariharan
VIP Alumni

Hello there,

Can I know what is this ACL meant? What is the "established" command for in this ACL?

access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established

Thank you

Hi,

An access control list in the Cisco world means basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter those protocols' packets as the packets pass through a router.

The established keyword has a basic definition when applied in the ACL: after a TCP session transitions to the "ESTABLISHED" state after the traditional three-way handshake, all subsequent TCP segments that use this session will have at least the ACK bit set. The "established" keyword on an ACL prevents pre-existing TCP sessions that are built across the router from being torn down when the ACL is applied to an interface.

While the "established" keyword *doesn't* turn your router into a stateful firewall, it will analyze the ACK bit and if set, this traffic will pass through the router, irrespective of whether an ACL entry further down in the list might deny the traffic.

Hope that helps out with your query!!

If helpful do rate the valuable post.

Ganesh.H

Chris

Most of the time an access list which contains the established keyword on an entry is applied inbound on an interface (rather than outbound). Is this the case with your access list?

It may be easier to explain what the established keyword does by starting with how it is frequently used. There may be a situation where you want some host connected to your router (or perhaps many hosts connected to your router) to initiate TCP sessions to some remote host (or perhaps many remote hosts). To do this you must permit any TCP packet originated from your host and you must permit any TCP packet from the remote host that is a response to a packet sent from your host (a response in an established TCP session). But you do not want to permit a TCP packet from the remote host to your host that is not a response to something initiated from your host. So how do you differentiate a TCP packet that is a response from a TCP packet that is not a response? The answer is that a response packet will have the TCP ACK bit turned on (or the RST bit turned on) and a packet that is not a response will not have the ACK (or RST) bit turned on. So the established keyword in the access list identifies TCP packets which have the ACK or RST bits turned on.

So using the established keyword in the access list does help you to permit any TCP sessions initiated from within your network (and any packets in response to the originating host) but does not permit TCP packets from outside that would initiate TCP sessions.

HTH

Rick

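To make the two explanations above concrete (the command-reference definition quoted by vinayachandran and Rick's description of how the keyword is typically used), here is an added example, not Cisco code and not from anyone in this thread. It is a small Python model of how an extended ACL evaluates TCP segments: first matching entry wins, an implicit deny sits at the end, and an entry with established matches only when the segment carries ACK or RST. The ACL from the question is modelled as if applied inbound on the interface facing 192.168.1.1, so 172.2.1.1 is the inside host; the sample segments are constructed for the example. It also shows the caveat Ganesh raised: the keyword inspects control bits alone and keeps no session table, so a segment with ACK set matches whether or not a session actually exists, which is why real session tracking needs a stateful feature (reflexive ACLs or the IOS zone-based firewall) rather than a plain ACL.

```python
"""Added example (not Cisco's code): a small model of how an IOS extended
access list evaluates TCP segments, including the 'established' keyword."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP control bits, as laid out in the TCP header flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    flags: int  # TCP control bits set on this segment


@dataclass
class Ace:
    """One access-list entry of the form
    {permit|deny} tcp host SRC host DST [established]
    (None for src/dst stands for the 'any' keyword)."""
    action: str
    src: Optional[str]
    dst: Optional[str]
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        # 'established' matches only if ACK or RST is set. It looks at the
        # control bits alone; the router keeps no table of open sessions.
        if self.established and not (pkt.flags & (ACK | RST)):
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Entries are checked in order and the first match decides.
    If nothing matches, the implicit deny at the end of every ACL applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The ACL from the question, modelled as applied inbound on the interface
# facing 192.168.1.1, so 172.2.1.1 is the inside host:
#   access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established
ACL_121 = [Ace("permit", "192.168.1.1", "172.2.1.1", established=True)]

# The same entry without the keyword, for comparison.
ACL_NO_ESTABLISHED = [Ace("permit", "192.168.1.1", "172.2.1.1")]

# Constructed sample segments (not captured traffic), all from 192.168.1.1
# towards 172.2.1.1 unless noted.
SCENARIOS: Dict[str, Packet] = {
    # 192.168.1.1 tries to open a new session: plain SYN, no ACK
    "new session from outside (SYN)": Packet("192.168.1.1", "172.2.1.1", SYN),
    # reply to a SYN that 172.2.1.1 sent first
    "reply to inside host (SYN+ACK)": Packet("192.168.1.1", "172.2.1.1", SYN | ACK),
    # data inside a running session
    "mid-session data (PSH+ACK)": Packet("192.168.1.1", "172.2.1.1", PSH | ACK),
    # reset from the remote side
    "reset (RST)": Packet("192.168.1.1", "172.2.1.1", RST),
    # ACK set although no session ever existed: still matches, because the
    # keyword checks bits, not state (the 'not a stateful firewall' caveat)
    "unsolicited ACK, no session": Packet("192.168.1.1", "172.2.1.1", ACK),
    # different source host: the host match fails before flags are examined
    "ACK from another host": Packet("10.0.0.9", "172.2.1.1", ACK),
}


def run(acl: List[Ace]) -> Dict[str, str]:
    """Evaluate every sample segment against an ACL; returns name -> action."""
    return {name: evaluate(acl, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 121 (established)", ACL_121),
                       ("same entry, no established", ACL_NO_ESTABLISHED)):
        print(label)
        for name, action in run(acl).items():
            print(f"  {action:6s}  {name}")
```

Running it shows the SYN from 192.168.1.1 denied by ACL 121 but permitted by the entry without the keyword, while SYN+ACK, PSH+ACK and RST pass either way; the "unsolicited ACK" row is the one to keep in mind when deciding whether a plain ACL is enough for a given interface.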