New Member

established keyword

I'm reading the CCSP SECUR book by Lammle and he has this config:

access-list 110 deny tcp any any established

access-list 110 permit tcp any any

interface s0/0

ip access-group 110 in

He says that this won't let anyone "SYN" into the network, but I think it's the other way around. I'm sure this will allow anyone on the outside to SYN in, but never ACK or RST into the network, basically denying inbound traffic anyway.

Am I right?

Accepted Solution
Gold

Re: established keyword

You are correct, sir.

The first line denies all TCP packets that have either the ACK or RST bits set (e.g. SYN+ACK, ACK, RST+ACK). It does _not_ deny packets with only the SYN bit set.

The second line permits TCP SYN requests!

But TCP traffic initiated from the outside and headed inbound to the Serial0/0 interface will never be able to complete the three-way handshake to set up a session, because the third part of the handshake is an inbound ACK, which that first line will deny.

So, effectively, all inbound TCP traffic will be denied, as you have stated.

If the goal was to deny all inbound TCP traffic in the first place, it would suffice to have a single line ACL:

access-list 110 deny tcp any any

interface Serial0/0

ip access-group 110 in

And if the goal was to restrict the direction in which TCP sessions could be initiated, a more useful ACL would be:

access-list 110 permit tcp any any established

access-list 110 deny tcp any any

and apply it either inbound:

interface Serial0/0

ip access-group 110 in

or outbound:

interface Serial0/0

ip access-group 110 out

depending on where you want the sessions to originate from. (Assuming there are no other ACLs coming into play that affect completion of the three-way handshake.)

Hope this helps.
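
An added example, not part of the thread: a small Python model of first-match ACL evaluation with the established keyword (which matches any TCP segment with ACK or RST set), run over the flag combinations the answer mentions. It shows why the book's ACL stops an inbound session from ever completing its handshake, and why the suggested permit-established / deny pair lets only one side initiate. The ACL representation and function names are my own.

```python
# Model of Cisco IOS ACL evaluation for TCP entries with/without "established".
# Each entry is (action, uses_established); non-TCP fields are ignored here.
ACK, RST, SYN = "ACK", "RST", "SYN"

# The book's ACL, applied inbound on s0/0 (from the question).
BOOK_ACL = [("deny", True), ("permit", False)]
# The answer's suggested ACL.
USEFUL_ACL = [("permit", True), ("deny", False)]


def is_established(flags):
    """'established' matches a segment that has the ACK or RST bit set."""
    return ACK in flags or RST in flags


def evaluate_acl(acl, flags):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, uses_established in acl:
        if not uses_established or is_established(flags):
            return action
    return "deny"


def verdicts(acl):
    """Verdict for each segment type the answer discusses, as a dict."""
    cases = {"SYN": {SYN}, "SYN+ACK": {SYN, ACK}, "ACK": {ACK}, "RST+ACK": {RST, ACK}}
    return {name: evaluate_acl(acl, flags) for name, flags in cases.items()}


def inbound_session_completes(acl):
    """Outside host initiates; ACL is applied inbound on the serial interface.
    Outside SYN in, inside SYN+ACK out (not filtered inbound), outside ACK in."""
    return evaluate_acl(acl, {SYN}) == "permit" and evaluate_acl(acl, {ACK}) == "permit"


def outbound_session_completes(acl):
    """Inside host initiates; same inbound ACL. Only the returning SYN+ACK is
    checked inbound; the SYN out and ACK out leave the interface unfiltered."""
    return evaluate_acl(acl, {SYN, ACK}) == "permit"


if __name__ == "__main__":
    for name, acl in (("book ACL", BOOK_ACL), ("permit-established ACL", USEFUL_ACL)):
        print(name, verdicts(acl),
              "inbound-initiated completes:", inbound_session_completes(acl),
              "outbound-initiated completes:", outbound_session_completes(acl))
```

Note that the model, like the keyword itself, looks only at flag bits per packet and keeps no session state, which is why a stateful firewall is the usual replacement for established-based ACLs.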
