A standard access-list on a router is not stateful, whereas a firewall like the PIX does keep state, i.e.
when a conversation between two machines is set up with a firewall in the traffic path, the firewall keeps track of not just the IP addresses/port numbers but also the TCP flags used in the packet.
So if I initiate a connection to a server using telnet, my initial packet has:
Source IP address: 192.168.5.1 (my client)
Source port: 23467 (randomly generated port)
Destination IP address: 172.16.10.1 (telnet server)
Destination port: 23 (telnet port)
TCP flags: SYN
The firewall will enter this into its state table.
Now when the server responds:
Source IP address: 172.16.10.1
Source port: 23
Destination IP address: 192.168.5.1
Destination port: 23467
TCP flags: SYN/ACK
The firewall receives this packet, checks its state table and realises this is a return packet to the initial packet sent out by the client.
So if the above packet from the server was sent to the client, but the client had not actually sent a packet first, the firewall would drop the packet because it has no entry in its state table.
A router access-list does not keep state of the connection in the same way. It merely checks the packet against its access-list and permits or denies it, but it has no concept of "return" traffic or of a packet being part of an ongoing communication.
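To make the difference concrete, here is an added example (my own toy code, not from the post above and not PIX or IOS behaviour): a stateless access-list and a minimal stateful filter are fed the same two packets from the explanation, once in the normal order (client SYN, then server SYN/ACK) and once with the SYN/ACK arriving unsolicited. The addresses and ports are the ones in the post; the `Rule`, `StatelessACL` and `StatefulFirewall` classes, the state names and the policy rules are assumptions constructed for the example. The stateless list needs a second rule keyed on the server's source port 23 to let any reply through, and that rule cannot tell a genuine reply from an unsolicited one; the stateful filter needs only the outbound rule and drops the unsolicited SYN/ACK because nothing in its table expects it.

```python
# Added example (not from the original post): a toy stateless access-list
# beside a toy stateful filter, driven by the packets the post walks through.
# Addresses and ports are the post's; the classes, state names and policy
# rules are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    """One access-list entry; "any" wildcards a field, as on a router ACL."""
    src_ip: str = "any"
    src_port: object = "any"
    dst_ip: str = "any"
    dst_port: object = "any"

    def matches(self, pkt):
        pairs = ((self.src_ip, pkt.src_ip), (self.src_port, pkt.src_port),
                 (self.dst_ip, pkt.dst_ip), (self.dst_port, pkt.dst_port))
        return all(want in ("any", have) for want, have in pairs)


class StatelessACL:
    """Router-style: every packet is judged on its own against the permits."""
    def __init__(self, permits):
        self.permits = permits

    def check(self, pkt):
        return "permit" if any(r.matches(pkt) for r in self.permits) else "deny"


class StatefulFirewall:
    """Firewall-style: the permits only govern new connections (a bare SYN);
    every other packet must belong to a flow already in the state table."""
    def __init__(self, permits):
        self.permits = permits
        self.table = {}  # (initiator ip, port, responder ip, port) -> state

    def check(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.table:
            return "permit"  # initiator continuing a flow it opened
        if rev in self.table:  # traffic flowing back towards the initiator
            if self.table[rev] == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
                self.table[rev] = "ESTABLISHED"  # the reply the table expects
                return "permit"
            if self.table[rev] == "ESTABLISHED":
                return "permit"
            return "deny"  # wrong flags for the flow's current state
        # Unknown flow: only a policy-permitted bare SYN may open one.
        if pkt.flags == {"SYN"} and any(r.matches(pkt) for r in self.permits):
            self.table[fwd] = "SYN_SENT"
            return "permit"
        return "deny"  # no state table entry, so the packet is dropped


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})


def run_scenario(unsolicited):
    """Return (ACL verdict, firewall verdict) for the server's SYN/ACK.
    unsolicited=False: the client's SYN goes out first, as in the post.
    unsolicited=True: the SYN/ACK arrives with no prior SYN from the client."""
    # Stateless policy: outbound telnet, plus the only way a plain ACL can
    # admit replies, a rule keyed on the server's source port 23.
    acl = StatelessACL([Rule(dst_ip="172.16.10.1", dst_port=23),
                        Rule(src_port=23, dst_ip="192.168.5.1")])
    # Stateful policy: only the outbound connection needs a rule.
    fw = StatefulFirewall([Rule(dst_ip="172.16.10.1", dst_port=23)])
    client_syn = Packet("192.168.5.1", 23467, "172.16.10.1", 23, SYN)
    server_synack = Packet("172.16.10.1", 23, "192.168.5.1", 23467, SYN_ACK)
    if not unsolicited:
        acl.check(client_syn)  # permitted by the first rule
        fw.check(client_syn)   # permitted, and recorded as SYN_SENT
    return acl.check(server_synack), fw.check(server_synack)


if __name__ == "__main__":
    print("normal handshake  (acl, fw):", run_scenario(unsolicited=False))
    print("unsolicited SYN/ACK (acl, fw):", run_scenario(unsolicited=True))
```

The interesting line is the last `return "deny"` in `StatefulFirewall.check`: the unsolicited SYN/ACK reaches it because neither direction of its 4-tuple is in the table, which is exactly the "no entry in its state table" case from the post. The stateless list permits the same packet both times, since the only thing it can see is that the packet comes from port 23 and is addressed to the client.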