Query regarding established keyword

dmease
Level 1

Hi All,

We have a requirement of only allowing certain port range access 'back through' a firewall from B to A, when a connection already exists from A to B, so for example, A connects to B on port X, and when that connection is established, B can then connect to A from port Y01 to Y99. I have been looking at the established keyword, but can't seem to find any way of limiting that to a given IP or set of IPs - is this even possible?

Many thanks,

6 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Typically allows only requested port to respond. For example, if A (source port 1024) tries to access B (destination port 80), then when B responds, it should use only port 80 as the source. If it uses any other port, the firewall (stateful) will block the connection. If you are using a router as a firewall and have not configured stateful features, then you can try the access-lists as below:

access-list 199 permit tcp host

Hope this helps.

Regards,

NT

Sorry, I wasn't too clear there...

Please see attached for the command I am referring to :-)

Yes, established command is what you need. We use this command if inspection is not available for the particular flow.

Usually we use this for X-windows application.

Once a telnet is established on tcp 23 then a range of ports 1024-65535 can be open in the other direction. The pdf that you enclosed has nice examples. Let me know if you have any further questions.

Once you have this command globally, you can restrict hosts using object groups on ACLs that you apply on the interfaces. There is no way to restrict that with this command.

command ref: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1927618

-KS

Hi,

Sorry to be a pain, but just to ensure that I understand the above, using the below example:

inside hosts (higher security): 10.1.1.0/24

DMZ hosts (lower security): 10.1.2.0/24

If I have a requirement whereby I need to allow 10.1.2.1 to communicate to 10.1.1.1 over port 1000/tcp, only if there is an existing connection from 10.1.1.1 to 10.1.2.1 over port 80/tcp, I would use the global command:

established tcp 80 0 permitto tcp 1000 permitfrom tcp 1024-65535

when this command is used, there is no way of restricting it to these two hosts, and if for argument's sake 10.1.1.100 connected to 10.1.2.100 over port 80, then 10.1.2.100 could connect to 10.1.1.100 over port 1000 also?

cheers,

You got it correct.

As I mentioned earlier, restrict who can initiate the conversation via access-list applied on the interface.

-KS
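The pairing KS describes, written out as an added configuration example (not from the thread or from Cisco's documentation): the global `established` rule opens the return path for every matching flow, so an interface ACL with object groups is what limits which hosts can create the initial tcp/80 connection in the first place. Interface names, security levels, host addresses and object-group names are assumed for illustration.

```cisco
! Added example, not part of the original thread. ASA 8.2-style syntax.
! Assumed interfaces: inside (security-level 100) and dmz (security-level 50).
! Assumed hosts: 10.1.1.1 on inside, 10.1.2.1 on dmz.

object-group network INSIDE_INITIATORS
 network-object host 10.1.1.1
object-group network DMZ_RESPONDERS
 network-object host 10.1.2.1

! Only 10.1.1.1 may open tcp/80 toward 10.1.2.1. Other inside hosts never
! build the connection that the established rule keys off, so they never
! get a return path on tcp/1000. Add permits for any other required inside
! traffic above the final deny; this ACL is deliberately minimal.
access-list INSIDE_IN extended permit tcp object-group INSIDE_INITIATORS object-group DMZ_RESPONDERS eq 80
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside

! Global rule: once a tcp/80 connection exists (any source port, hence the 0),
! permit the lower-security peer to connect back to tcp/1000 from source
! ports 1024-65535. This rule itself is not host-specific; the ACL above is
! what restricts it in practice.
established tcp 80 0 permitto tcp 1000 permitfrom tcp 1024-65535
```

Verify with `show established` and `show conn` that a tcp/1000 connection from dmz to inside only appears while the matching tcp/80 connection from the permitted inside host is present.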

Thanks for your swift and very helpful response :-)
