TCP access lists

Unanswered Question
Aug 23rd, 2002

What is the purpose of the keyword "established" in the following example:

access-list 110 permit tcp any 0.0 255.255 established ?

According to documentation it allows to check ACK and RST flags in TCP. (6-bit flag field in TCP-header).

If one of these flags is set, a match occurs. If neither bit is set and the source wants to establish a TCP connection, a match will not occur.

So my question is: what is the purpose of this, and when can you deploy it?

hucuncu Mon, 08/26/2002 - 03:45

Assume that you have a network of

Your branch office router, with configured for the local area addressing purposes.


Configuration of branch side:

interface ethernet 0
 ip address

interface serial 0
 ip address
 ip access-group 120 out

access-list 120 permit tcp any any established
access-list 120 deny ip any
access-list 120 permit ip any any


By this kind of configuration, you can connect from the 10.x.y.z network to the branch office network, because you initiate the connection (at the HQ site) and the answer packets from the 10.20.70.x network return with the ACK (or RST) bit set.

However, the opposite is not possible. Access from 10.20.70.x to the rest of the network is forbidden. Check the configs.

That's the only reason to use "established" command in the access-list statement.

Have a nice day,
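The following Python program is an added example, not code from either post above. It models IOS first-match ACL evaluation, Cisco wildcard masks and the "established" test exactly as both the question and the answer describe it (match when ACK or RST is set, no match on a bare SYN), and runs a constructed ACL modeled on the answer's access-list 120 against constructed packets leaving the branch toward HQ. The branch prefix 10.20.70.0/24, the HQ host 10.1.1.5 and the exact deny line are assumptions, since the original post's addresses did not survive.

```python
"""Cisco IOS style ACL evaluator showing what 'established' does.

Added example, not code from the original thread. The ACL and the
packets below are constructed; the branch prefix 10.20.70.0/24 and the
HQ host 10.1.1.5 are assumptions modeled on the answer's description.
"""
from dataclasses import dataclass
import ipaddress

# TCP flag bits as laid out in the TCP header flags byte
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: int = 0  # TCP flag bits; ignored for other protocols


@dataclass
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol
    src: tuple        # (network, wildcard) or None for "any"
    dst: tuple
    established: bool


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'permit tcp any any established' style text (no port operators)."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    established = "established" in t[i:]
    if established and proto != "tcp":
        raise ValueError("'established' is only valid for tcp: " + line)
    return Ace(action, proto, src, dst, established)


def wildcard_match(spec, addr):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    if spec is None:
        return True
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)):
        return False
    if ace.established:
        # The entire 'established' check: ACK or RST set means a match.
        # A bare SYN (a new connection attempt) has neither and falls through.
        return bool(pkt.flags & (ACK | RST))
    return True


def evaluate(acl, pkt):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed ACL applied 'out' on the branch router's serial interface,
# modeled on the answer's access-list 120 (the denied network is assumed).
ACL_120 = [parse_ace(l) for l in (
    "permit tcp any any established",
    "deny ip 10.20.70.0 0.0.0.255 any",
    "permit ip any any",
)]
BRANCH, HQ = "10.20.70.10", "10.1.1.5"  # constructed hosts


def demo(acl=ACL_120):
    """Verdicts for traffic leaving the branch toward HQ."""
    return {
        # reply to a connection HQ opened: the SYN/ACK carries ACK
        "reply_syn_ack": evaluate(acl, Packet("tcp", BRANCH, HQ, SYN | ACK)),
        # branch trying to open its own connection: bare SYN, hits the deny
        "branch_syn": evaluate(acl, Packet("tcp", BRANCH, HQ, SYN)),
        # branch refusing a connection: RST also counts as established
        "branch_rst": evaluate(acl, Packet("tcp", BRANCH, HQ, RST | ACK)),
        # non-TCP from the branch can never match 'established'
        "branch_udp": evaluate(acl, Packet("udp", BRANCH, HQ)),
        # caveat: no state is kept, so an ACK-only packet with no prior
        # handshake is permitted as well
        "crafted_ack": evaluate(acl, Packet("tcp", BRANCH, HQ, ACK)),
        # a source outside the branch prefix reaches the final permit
        "other_syn": evaluate(acl, Packet("tcp", "192.168.9.9", HQ, SYN)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The "crafted_ack" case is the practitioner's caveat: "established" inspects only the flag bits of each packet and keeps no connection table, so a host on the blocked side can still push packets with ACK set past the line. It is a cheap way to let replies through, not a stateful firewall; reflexive ACLs or stateful inspection are the tools when that distinction matters.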


