01-31-2010 09:53 PM - edited 03-04-2019 07:21 AM
Hello there,
Can I know what this ACL means? What is the "established" command for in this ACL?
access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established
Thank you
01-31-2010 10:13 PM
Transmission Control Protocol (TCP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [time-range time-range-name] [fragments] [log [word] | log-input [word]]
01-31-2010 10:25 PM
Hi,
An access control list in the Cisco world means basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter those protocols' packets as the packets pass through a router.
The established keyword has a basic definition when applied in the ACL: after a TCP session transitions to the "ESTABLISHED" state following the traditional three-way handshake, all subsequent TCP segments that use this session will have at least the ACK bit set. The "established" keyword on an ACL prevents pre-existing TCP sessions that are built across the router from being torn down when the ACL is applied to an interface.
While the "established" keyword *doesn't* turn your router into a stateful firewall, it will analyze the ACK bit and, if set, this traffic will pass through the router, irrespective of whether an ACL entry further down in the list might deny the traffic.
Hope that helps out your query!!
If helpful do rate the valuable post.
Ganesh.H
02-01-2010 09:52 AM
Chris
Most of the time an access list which contains the established keyword on an entry is applied inbound on an interface (rather than outbound). Is this the case with your access list?
It may be easier to explain what the established keyword does by starting with how it is frequently used. There may be a situation where you want some host connected to your router (or perhaps many hosts connected to your router) to initiate TCP sessions to some remote host (or perhaps many remote hosts). To do this you must permit any TCP packet originated from your host and you must permit any TCP packet from the remote host that is a response to a packet sent from your host (a response in an established TCP session). But you do not want to permit a TCP packet from the remote host to your host that is not a response to something initiated from your host. So how do you differentiate a TCP packet that is a response from a TCP packet that is not a response? The answer is that a response packet will have the TCP ACK bit turned on (or the RST bit turned on) and a packet that is not a response will not have the ACK (or RST) bit turned on. So the established keyword in the access list identifies TCP packets which have the ACK or RST bits turned on.
So using the established keyword in the access list does help you to permit any TCP sessions initiated from within your network (and any packets in response to the originating host) but does not permit TCP packets from outside that would initiate TCP sessions.
HTH
Rick
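A small Python model of how the entry from the question evaluates TCP segments, added here as an illustration and not part of the original posts. The addresses are the ones in the ACL, the flag bits are TCP's standard values, and the sample segments are constructed; it shows that `established` is only a test of the ACK and RST bits, exactly as Ganesh and Rick describe.

```python
from dataclasses import dataclass

# TCP header flag bits (positions in the TCP flags byte).
SYN = 0x02
RST = 0x04
ACK = 0x10

@dataclass(frozen=True)
class TcpPacket:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    flags: int  # OR of the flag bits above

@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # "host a.b.c.d" modelled as the bare address; "any" matches all
    dst: str
    established: bool  # the 'established' keyword: match only if ACK or RST is set

def matches(entry: AclEntry, pkt: TcpPacket) -> bool:
    """Does this entry match? 'established' is a stateless test of the ACK/RST bits."""
    if entry.src != "any" and entry.src != pkt.src:
        return False
    if entry.dst != "any" and entry.dst != pkt.dst:
        return False
    if entry.established and not (pkt.flags & (ACK | RST)):
        return False
    return True

def evaluate(acl: list, pkt: TcpPacket) -> str:
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"

# The entry from the question: access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established
ACL_121 = [AclEntry("permit", "192.168.1.1", "172.2.1.1", established=True)]

if __name__ == "__main__":
    # Constructed sample segments sent from 192.168.1.1 towards 172.2.1.1.
    samples = {
        "SYN (new session attempt)": SYN,
        "SYN/ACK (reply to a session 172.2.1.1 opened)": SYN | ACK,
        "ACK (data in an existing session)": ACK,
        "RST (reset of an existing session)": RST,
    }
    for label, flags in samples.items():
        print(f"{label:48} -> {evaluate(ACL_121, TcpPacket('192.168.1.1', '172.2.1.1', flags))}")
```

Only the bare SYN is denied; a segment with ACK set is permitted whether or not a handshake actually preceded it, which is the "not a stateful firewall" caveat from the thread.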