its tcp port - say for instance like 5900. So server A will need to talk to an interface on router which has ACL IN and OUT. so when a tcp packet comes from Server A doesnt the return path need to be openeded ? wont the ACL block the return it ? so if i use established on the ACL will this solve the problem ?

Personally, if you have a single port, I would recommend just allowing that port and not established. Something like:

acl_in

permit tcp any any eq 5900

acl_out

permit tcp any eq 5900 any

If you were to use tcp established, I believe you'd need to use it in both acls (technically exactly like above, but with the established keyword.)

HTH,

John
 

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of   the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

1st question: yes

2nd question: depends on the ACL

3rd question: possibly, depends on how the ACE is constructed

What you might be missing, the TCP established option allows an easy general ACE.

I.e.

permit tcp any any established

Such an ACE assumes such packets are in response from something "inside".

In your case, as the server IP is known, you might just use the server's IP, e.g.:

permit ip host 10.10.10.1 any !for an ingress ACE

permit ip any host 10.10.10.1 !for an egress ACE

For these ACEs, you could further restrict them, such as to particular protocols, ports, or options like established.  So, for example, your egress ACE might be

permit tcp any host 10.10.10.1 established

Which now only allows TCP traffic to your server that appears to be a response.

As the source is any, we don't know it's a response from the router.  You could hard code that IP or possibly use reflective ACLs.

Normally, if you want to control traffic between known hosts, you identify their IP addresses and other traffic attributes, such as protocols and/or ports.

Again, established is normally used generically.  However, it could be use, as above, to keep the router from starting a TCP flow to the server.  For example, the server could open http/telnet/etc to the router, but the router could not open http/telnet/etc to the server.

There has been good discussion about using tcp established and how it permits traffic coming back for something that was initiated inside. Also how it is used on an interface that is not the interface where the original traffic came from. So established would not usually be placed on the interface where the server connects. But there has not been much discussion about the access lists in and out that the original poster says are on the router interface. We do need to be sure that those access lists permit the traffic from and to the server. But tcp established would normally not be part of those access lists.

HTH

Rick