How to configure ACLs to permit only established connections and deny all traffic sourced from the external network


Wed, 07/22/2009 - 19:27
Jun 18th, 2009

Core Issue

The established keyword matches TCP segments that have the Acknowledgment (ACK) or Reset (RST) bit set, which the router treats as belonging to a connection that already exists. A session that an inside host initiates leaves the network as a bare SYN; every reply from the outside carries ACK (or RST), so the reply passes an inbound ACL that permits established traffic, while a connection attempt from the outside (SYN without ACK) does not.

This is a stateless check on the TCP flag bits, not connection tracking: the router keeps no session table, so any inbound packet with ACK or RST set is permitted even if no inside host ever opened the session (probes with only the ACK bit set are commonly used to map which addresses and ports a filter of this kind passes). The keyword also applies only to TCP, so return traffic for UDP and ICMP must be permitted explicitly. Where true stateful inspection is required, use reflexive ACLs or Context-Based Access Control (CBAC) instead.


To resolve this issue, perform these steps:

  1. Permit all established connections through the Access Control List (ACL) by using the established keyword.

    This is an example:

    access-list 100 permit tcp any any established

    For more information, refer to the Allow Only Internal Networks to Initiate a TCP Session section of Configuring Commonly Used IP ACLs.

  2. Ensure that Domain Name System (DNS) traffic (User Datagram Protocol [UDP] port 53) is permitted through the ACL.

    The established keyword does not match UDP, so DNS replies must be permitted explicitly. Otherwise, users cannot resolve names and so cannot browse the Internet by domain name.
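Putting both steps together, here is a complete configuration that applies the ACL inbound on the Internet-facing interface. It is an added example, not configuration from the original page: the ACL number 100 matches the page's own example, while the interface name, the resolver address (203.0.113.53, a documentation address) and the use of the log keyword are assumptions.

```cisco
! Added example, not from the original page. Interface name and resolver
! address (203.0.113.53) are assumptions; adjust them to your network.
!
! Step 1: return traffic of TCP sessions the inside initiated (ACK or RST set).
access-list 100 remark permit return traffic of inside-initiated TCP sessions
access-list 100 permit tcp any any established
!
! Step 2: established does not match UDP, so DNS replies from the resolver
! that the inside hosts query must be permitted explicitly (source port 53).
access-list 100 remark permit DNS replies from the resolver
access-list 100 permit udp host 203.0.113.53 eq 53 any
!
! Everything else sourced from the outside hits this deny. An ACL already
! ends in an implicit deny; spelling it out lets you log what is dropped.
access-list 100 deny ip any any log
!
! Apply the ACL to traffic entering from the Internet.
interface GigabitEthernet0/0
 description Internet-facing (outside)
 ip access-group 100 in
```

After applying it, show access-lists 100 displays per-entry match counters: while an inside host browses, the established and DNS lines should count up and the deny line should stay quiet, which confirms the return traffic is matching as intended. Packets that match an entry with the log keyword are process-switched, so omit log on high-volume links once the ACL is verified.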
