Cisco Support Community
Community Member

ACL and the established parameter

When does a connection become "established"? For instance, if I have an access list which allows any TCP port to come "in" to a serial interface if the connection is established, are there any gotchas associated with that? I tried an access list like this but could not make any DNS requests (or so it seemed).

access-list 101 permit tcp any host established

interface Serial0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0
 frame-relay interface-dlci 500 IETF
 ip access-group 101 in

Cisco Employee

Re: ACL and the established parameter

Established statements in ACL have no effect with DNS (UDP 53). Host DNS query uses UDP and not a TCP protocol. Since UDP is a connectionless protocol, in your case the return DNS response UDP packet gets denied by your access-list. Established parameter checks and permits/denies incoming TCP packets that have RST or ACK bit set.

You need to have the following line in your ACL:

access-list 101 permit udp host xx.xx.xx.xx eq 53 host

where xx.xx.xx.xx is the IP address of DNS server.
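The reply's point, as an added example that is not part of the thread: a small Python model of IOS inbound ACL evaluation (the host addresses, ports and packets are constructed, and the ACL entries mirror the ones quoted above) showing the posted ACL denying a UDP DNS reply while passing a TCP ACK, and the suggested UDP line fixing it.

```python
# Added example, not from the thread: a minimal model of IOS inbound extended-ACL
# evaluation. Addresses and packets below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                                  # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()              # TCP flag names, e.g. {"SYN"}

@dataclass
class Ace:
    action: str                                 # "permit" or "deny"
    proto: str                                  # "tcp", "udp" or "ip"
    src: str = "any"
    dst: str = "any"
    sport: int = 0                              # "eq <port>" on the source; 0 = any
    dport: int = 0                              # "eq <port>" on the destination; 0 = any
    established: bool = False                   # TCP only: ACK or RST bit must be set

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.sport not in (0, p.sport) or self.dport not in (0, p.dport):
            return False
        # "established" never matches UDP and never matches a bare SYN, so a
        # UDP reply is not recognised as return traffic the way a TCP ACK is.
        return not self.established or bool(p.flags & {"ACK", "RST"})

def evaluate(acl, p: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"
INSIDE, DNS = "192.0.2.10", "198.51.100.53"     # constructed inside host and DNS server
ACL_ORIGINAL = [Ace("permit", "tcp", dst=INSIDE, established=True)]          # as posted
ACL_FIXED = ACL_ORIGINAL + [Ace("permit", "udp", src=DNS, sport=53, dst=INSIDE)]  # with the reply's line

def inbound_results(acl):
    """Three constructed inbound packets on Serial0.1, evaluated against an ACL."""
    pkts = {"tcp_syn_from_outside": Packet("tcp", "203.0.113.7", INSIDE, 40000, 22, frozenset({"SYN"})),
            "tcp_reply_to_inside": Packet("tcp", "203.0.113.7", INSIDE, 443, 51000, frozenset({"ACK"})),
            "dns_reply_to_inside": Packet("udp", DNS, INSIDE, 53, 33000)}
    return {name: evaluate(acl, p) for name, p in pkts.items()}
```

Running inbound_results on ACL_ORIGINAL shows the DNS reply hitting the implicit deny; with ACL_FIXED it is permitted while an unsolicited inbound SYN is still dropped.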

Community Member

Re: ACL and the established parameter

Thanks for your reply. It's these little things that seem to stump me all the time.

