Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Windows Update not working with ACL


We have a vlan that we protect from inbound traffic:

   10 permit tcp any any established (189 matches)

    20 permit tcp any eq 554

    30 permit udp any eq 5004

    40 permit udp any eq 5005

    50 permit tcp any eq 1755

    60 permit udp any eq 1755

    70 permit tcp any eq www

    80 permit tcp any eq 8080

    90 permit tcp any eq 443

    100 permit tcp any eq ftp

    110 permit tcp any eq ftp-data

    120 permit tcp any gt 1024

    130 permit tcp eq 3389

    140 permit udp eq 3389

    150 deny ip any any (948 matches)

Why does windowsupdate not work? The established statement should work...



Cisco Employee

Re: Windows Update not working with ACL



(Optional) For the TCP protocol only:  Indicates an established connection. A match occurs if the TCP datagram  has the ACK or RST control bits set. The nonmatching case is that of the  initial TCP datagram to form a connection.

With the above said. If you capture on the PC that is trying to get windows update and at the same time watch the logs on the router and see what packets are being dropped.  If these are packets with ACK or RST bit set and they are from the same IP address that the client tried to talk to then, there is a problem with established command.

My thinking is that there is a new connections that is coming inbound and it does not have ACK bit set and that is the reason that established command isn't working. But, we need to see some data to be able to say it for sure.