Cisco Support Community

TCP access lists

Hi,

What is the purpose of the keyword "established" in the following example?

access-list 110 permit tcp any 172.30.0.0 0.0.255.255 established

According to the documentation, it checks the ACK and RST flags in TCP (the 6-bit flag field in the TCP header).

If one of these flags is set, a match occurs. If neither bit is set and the source wants to establish a TCP connection, a match will not occur.

So my question is: what is the purpose of this, and when can you deploy it?

1 REPLY

Re: TCP access lists

Assume that you have a network of 10.0.0.0/8.

Your branch office router has 10.20.70.0/24 configured for local area addressing.

**********************************
* Configuration of branch side: *
**********************************

!
interface ethernet 0
 ip address 10.20.70.1 255.255.255.0
!
interface serial 0
 ip address 10.1.1.2 255.255.255.252
 ip access-group 120 out
 ...
!
access-list 120 permit tcp any any established
access-list 120 deny ip any 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
!

With this kind of configuration, you can connect from the 10.x.y.z network to the branch office network, because you initiate the connection (at the HQ site) and the answer packets from the 10.20.70.x network return with the ACK (or RST) bit set.

However, the opposite is not possible. Access from 10.20.70.x to 10.0.0.0 (the rest of the network) is forbidden. Check the configs.

That's the only reason to use the "established" command in the access-list statement.

Have a nice day,

Onur D CAKIR
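To make the reply's explanation concrete, here is a small added simulation (not Cisco's code and not part of the original reply) that evaluates access-list 120 from the configuration above against constructed packets. It models only what the thread describes: wildcard-mask matching, first-match semantics with the implicit deny at the end, and "established" matching solely on the ACK or RST bit of the TCP header, with no connection state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str                        # source IPv4 address
    dst: str                        # destination IPv4 address
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}

def tcp_packet(src, dst, *flags):
    """Convenience constructor for a TCP segment with the given flags."""
    return Packet("tcp", src, dst, frozenset(flags))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# access-list 120 as a list of ACEs:
# (action, proto, src_net, src_wildcard, dst_net, dst_wildcard, established)
# "any" is 0.0.0.0 255.255.255.255; "ip" matches every protocol.
ACL_120 = [
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", "0.0.0.0",  "255.255.255.255", True),
    ("deny",   "ip",  "0.0.0.0", "255.255.255.255", "10.0.0.0", "0.255.255.255",   False),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", "0.0.0.0",  "255.255.255.255", False),
]

def evaluate(acl, pkt):
    """Return the action of the first matching ACE; implicit deny if none match."""
    for action, proto, snet, swc, dnet, dwc, established in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, snet, swc) and wildcard_match(pkt.dst, dnet, dwc)):
            continue
        # "established" matches only if ACK or RST is set; a bare SYN never matches it.
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return action
    return "deny"

if __name__ == "__main__":
    # Constructed traffic leaving the branch on serial 0 (outbound direction).
    for pkt in (tcp_packet("10.20.70.5", "10.5.5.5", "SYN"),          # branch opens to HQ
                tcp_packet("10.20.70.5", "10.5.5.5", "SYN", "ACK"),   # reply to HQ-initiated
                tcp_packet("10.20.70.5", "192.0.2.10", "SYN")):       # branch to non-10/8
        print(pkt.proto, pkt.src, "->", pkt.dst, sorted(pkt.flags), evaluate(ACL_120, pkt))
```

Note that an ACK-only or RST-only segment toward 10.0.0.0/8 is also permitted, which shows that "established" is a flag check rather than stateful inspection of an existing connection.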
