TCP access lists

Aug 23rd, 2002

Hi,


What is the purpose of the keyword "established" in the following example:

access-list 110 permit tcp any 172.30.0.0 0.0.255.255 established

According to the documentation it allows checking the ACK and RST flags in TCP (the 6-bit flag field in the TCP header).

If one of these flags is set, a match occurs. If neither bit is set and the source wants to establish a TCP connection, a match will not occur.

So my question is: what is the purpose of this, and when can you deploy it?





hucuncu Mon, 08/26/2002 - 03:45

Assume that you have a network of 10.0.0.0/8.

Your branch office router has 10.20.70.0/24 configured for local area addressing.


**********************************
* Configuration of branch side: *
**********************************
!
interface ethernet 0
ip address 10.20.70.1 255.255.255.0
!
interface serial 0
ip address 10.1.1.2 255.255.255.252
ip access-group 120 out
...
!
access-list 120 permit tcp any any established
access-list 120 deny ip any 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
!


With this kind of configuration, you can connect from the 10.x.y.z network to the branch office network, because you initiate the connection (at the HQ site) and the answer packets from the 10.20.70.x network return with the ACK (or RST) bit set.


However, the opposite is not possible. Access from 10.20.70.x to 10.0.0.0 (the rest of the network) is forbidden. Check the configs.


That's the only reason to use the "established" keyword in an access-list statement.


Have a nice day,

Onur D CAKIR
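The behaviour described in the answer above, worked through as an added example (this is not code from the thread or from Cisco IOS). The script models extended-ACL evaluation the way the documentation describes it: entries are tried in order, the first match wins, an unmatched packet hits the implicit deny, and "established" matches only when the ACK or RST bit is set. It then feeds constructed packets leaving the branch through access-list 120 from the answer, plus two packets through access-list 110 from the question. The dataclasses, the wildcard-mask helper, and the host addresses (10.1.2.3, 10.20.70.25, 192.0.2.10) are assumptions made for the illustration. The last case is the caveat a practitioner should keep in mind: because the router only inspects header bits and keeps no connection state, a crafted packet from the branch with ACK set and no prior connection is permitted by line 1 exactly like a genuine reply.

```python
"""Toy model of Cisco IOS extended-ACL evaluation with the ``established`` keyword.

Added example, not code from the original thread. The structures below are
illustrative; they model the documented behaviour (first matching entry wins,
implicit deny at the end, ``established`` = ACK or RST bit set) but are not IOS.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address

# TCP flag bits from the 6-bit flag field of the TCP header
ACK = 0x10
RST = 0x04
SYN = 0x02


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    tcp_flags: int = 0  # only meaningful when proto == "tcp"


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any" or "<address> <wildcard mask>"
    dst: str
    established: bool = False   # only valid on tcp entries


def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit in the wildcard means 'must equal'."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(net)) & mask) == (int(IPv4Address(addr)) & mask)


def _match_entry(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not (_match_addr(entry.src, pkt.src) and _match_addr(entry.dst, pkt.dst)):
        return False
    if entry.established:
        # No connection tracking here: the router only looks at the header bits.
        return bool(pkt.tcp_flags & (ACK | RST))
    return True


def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, int]:
    """Return (action, 1-based line that matched); line 0 is the implicit deny."""
    for lineno, entry in enumerate(acl, start=1):
        if _match_entry(entry, pkt):
            return entry.action, lineno
    return "deny", 0


# access-list 120 from the answer, applied outbound on the branch serial link
ACL_120 = [
    Entry("permit", "tcp", "any", "any", established=True),
    Entry("deny", "ip", "any", "10.0.0.0 0.255.255.255"),
    Entry("permit", "ip", "any", "any"),
]

# access-list 110 from the question (single line, so the implicit deny is visible)
ACL_110 = [
    Entry("permit", "tcp", "any", "172.30.0.0 0.0.255.255", established=True),
]

HQ_HOST = "10.1.2.3"         # constructed address inside 10.0.0.0/8
BRANCH_HOST = "10.20.70.25"  # constructed address in the branch LAN
INTERNET_HOST = "192.0.2.10" # constructed address outside 10.0.0.0/8


def demo() -> dict[str, tuple[str, int]]:
    """Constructed packets leaving the branch, and what ACL 120 does with them."""
    cases = {
        "branch SYN to HQ": Packet(BRANCH_HOST, HQ_HOST, "tcp", SYN),
        "branch SYN/ACK to HQ (reply)": Packet(BRANCH_HOST, HQ_HOST, "tcp", SYN | ACK),
        "branch RST to HQ": Packet(BRANCH_HOST, HQ_HOST, "tcp", RST),
        "branch UDP to HQ": Packet(BRANCH_HOST, HQ_HOST, "udp"),
        "branch SYN to Internet": Packet(BRANCH_HOST, INTERNET_HOST, "tcp", SYN),
        # Forged ACK with no prior connection: 'established' cannot tell the difference
        "branch forged ACK to HQ": Packet(BRANCH_HOST, HQ_HOST, "tcp", ACK),
    }
    return {name: evaluate(ACL_120, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (action, line) in demo().items():
        print(f"{name:32} -> {action} (line {line})")
    for flags, label in ((SYN, "SYN"), (ACK, "ACK")):
        pkt = Packet("10.5.5.5", "172.30.1.1", "tcp", flags)
        print(f"ACL 110, {label} to 172.30.1.1{'':11} -> {evaluate(ACL_110, pkt)}")
```

Reading the output against the answer: the SYN/ACK and RST replies to HQ are permitted by line 1, the branch's own SYN toward 10/8 is denied by line 2, and the SYN toward the Internet falls through to line 3. The forged-ACK case is the reason "established" is a reachability control rather than a stateful firewall: anything that can set ACK on its own packets (a port scanner's ACK scan, for instance) passes line 1.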
