06-25-2007 03:17 AM - edited 03-03-2019 05:35 PM
Hi Guys,
Is there any difference between the ACL entries below?
access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established
access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21
access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023
OR
access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20
access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21
access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023
I just want to know:
Will the word "established" make any difference in the above ACL behaviour?
Thanks
Amolak
06-25-2007 06:03 AM
Amolak
Yes, the established keyword does make a difference in the ACL behavior. If you permit tcp ... established, then the ACL will permit TCP packets from outside sources to pass through only if the packet has the TCP ACK bit set (which means that this is a response to a TCP session which was initiated from inside). If the ACL has permit tcp ... without specifying established, then it will permit all TCP packets from that address. This has the effect of allowing the outside host to initiate TCP connections into your network. Specifying established will not allow the remote host to initiate a TCP session, but will allow it to respond to sessions initiated from inside.
HTH
Rick
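The behaviour Rick describes, as an added example that is not code from the thread: a small Python model of IOS extended-ACL matching, run against both of Amolak's ACL 110 variants, showing that with `established` a fresh SYN to port 20 falls through to the implicit deny while an ACK-bearing reply in the same flow is permitted. It assumes IOS's documented rule that a segment counts as established when its ACK or RST bit is set, top-to-bottom evaluation, and the implicit deny at the end of every ACL; the segments are constructed sample input.

```python
# Added example (not from the thread): minimal model of IOS extended-ACL matching.
# Assumptions: entries are checked top to bottom, an unmatched segment hits the
# implicit "deny any", and "established" matches only when ACK or RST is set.
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Ace:
    src: str
    dst: str
    src_port: Optional[Tuple[str, int]] = None  # ("eq", 21) or ("gt", 1023)
    dst_port: Optional[Tuple[str, int]] = None
    established: bool = False

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set = field(default_factory=set)  # e.g. {"SYN"} or {"ACK"}

def port_matches(cond, port):
    if cond is None:          # no port operator on this side of the entry
        return True
    op, value = cond
    return port == value if op == "eq" else port > value  # only eq/gt used here

def ace_matches(ace, seg):
    if seg.src != ace.src or seg.dst != ace.dst:
        return False
    if not (port_matches(ace.src_port, seg.sport) and port_matches(ace.dst_port, seg.dport)):
        return False
    # "established": segment must carry ACK or RST, so a bare SYN never matches
    return not ace.established or bool(seg.flags & {"ACK", "RST"})

def acl_permits(acl, seg):
    """True if some entry permits the segment (all entries here are permits), else implicit deny."""
    return any(ace_matches(a, seg) for a in acl)

# The two ACL 110 variants from the question
WITH_ESTABLISHED = [
    Ace("1.1.1.1", "2.2.2.2", ("gt", 1023), ("eq", 20), established=True),
    Ace("1.1.1.1", "2.2.2.2", None, ("eq", 21)),
    Ace("1.1.1.1", "2.2.2.2", ("eq", 20), ("gt", 1023)),
]
WITHOUT_ESTABLISHED = [Ace(a.src, a.dst, a.src_port, a.dst_port) for a in WITH_ESTABLISHED]

# Constructed segments: a new connection attempt to port 20 vs. a reply in an existing flow
SYN_TO_20 = Segment("1.1.1.1", 1500, "2.2.2.2", 20, {"SYN"})
ACK_TO_20 = Segment("1.1.1.1", 1500, "2.2.2.2", 20, {"ACK"})
```

Run `acl_permits(WITH_ESTABLISHED, SYN_TO_20)` and the same call with `WITHOUT_ESTABLISHED` to see the one case in which the two ACLs differ.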
06-25-2007 06:19 AM
Yes, just like Rick said.
If you want FTP to function correctly the second ACL should be used.