established on access-list

amalias · ‎01-21-2001

Hellow

when I build an access-list which permit host 192.116.2.1 only to talk tcp with host 10.10.10.3, and I want to use "established", why do i have to write this command:

acl 169 permit tcp host 10.10.10.3 host 192.116.2.1 established

instead of:

acl 169 permit tcp host 192.116.2.1 host 10.10.10.3 established

because as I understand the sequence of the command is "source" and then "destination".

thank you

theblender · ‎01-24-2001

When you write this type of access-list you need to define who should initiate the conversation. With the command that you had to write you are defining that 192.116.2.1 should initiate the conversation and traffic can go to this host from 10.10.10.3 only if the established bit is set (meaning that a connection has been previously established). This being an extended access-list it should be placed as close to the source of the block as possible so you should apply it in on the interface that the 10 network comes in on. A common use for this is to restrict you local network from replying to internet connections (http) unless the established bit is set. (i.e. permit ip any eq 80 any established)

Hope this helps!

abehanan · ‎03-24-2001

it depends on ur network design. so it depends where u r giving your access list. since it is that u have to use and extended access list, it is always better u keep it near the source. so if u want 192.116.2.1 to talk only tcp to 10.10.10.3, u take 192.116.2.1 as the source and 10.10.10.3 as the destination. so it is always better to keep the access list near the source and therefore

'acl 169 permit tcp host 192.116.2.1 host 10.10.10.3 established' is the correct command and u place the access list neat 192.116.2.1.

'established' is required for the handshake process to take place fully.

now i guess ur doubt is cleared!

Anish Paul Behanan

Software Specialist, DEC (India)