ACL

Hi Guys,

Is there any difference between the ACL entries below?

access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20 established

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023

OR

access-list 110 permit tcp host 1.1.1.1 gt 1023 host 2.2.2.2 eq 20

access-list 110 permit tcp host 1.1.1.1 host 2.2.2.2 eq 21

access-list 110 permit tcp host 1.1.1.1 eq 20 host 2.2.2.2 gt 1023

I just want to know:

Will the word "established" make any difference in above ACL behaviour?

Thanks

Amolak

2 ACCEPTED SOLUTIONS
Hall of Fame Super Silver

Re: ACL

Amolak

Yes, the established keyword does make a difference in the ACL behavior. If you permit tcp ... established, then the ACL will permit TCP packets from outside sources to pass through only if the packet has the TCP ACK bit set (which means that this is a response to a TCP session that was initiated from inside). If the ACL has permit tcp ... without specifying established, then it will permit all TCP packets from that address. This has the effect of allowing the outside host to initiate TCP connections into your network, but specifying established will not allow the remote host to initiate a TCP session but will allow it to respond to sessions initiated from inside.

HTH

Rick

Silver

Re: ACL

Yes, just like Rick said.

If you want FTP to function correctly, the second ACL should be used.
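To make Rick's point concrete, here is an added example (not from the thread, not Cisco code) that models the two ACLs from the question as a small matcher: IOS treats an entry with "established" as matching only TCP segments that carry the ACK or RST bit, so a bare SYN from 1.1.1.1 to port 20 is dropped by the first ACL but allowed through by the second. The Packet and Ace classes and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"} or {"ACK"}

@dataclass(frozen=True)
class Ace:
    # One access-list entry: port rules are ("eq", n), ("gt", n) or ("any", 0)
    src: str
    sport: tuple
    dst: str
    dport: tuple
    established: bool = False

def _port_ok(rule, port):
    op, n = rule
    return op == "any" or (op == "eq" and port == n) or (op == "gt" and port > n)

def ace_matches(ace, pkt):
    if pkt.src != ace.src or pkt.dst != ace.dst:
        return False
    if not (_port_ok(ace.sport, pkt.sport) and _port_ok(ace.dport, pkt.dport)):
        return False
    # "established" matches only segments with the ACK or RST bit set,
    # so a bare SYN (a new connection attempt) never matches such an entry
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def acl_permits(acl, pkt):
    # First matching entry decides; no match means the implicit deny applies
    return any(ace_matches(a, pkt) for a in acl)

# The first ACL from the question (with "established" on the first entry)
ACL_WITH_ESTABLISHED = [
    Ace("1.1.1.1", ("gt", 1023), "2.2.2.2", ("eq", 20), established=True),
    Ace("1.1.1.1", ("any", 0), "2.2.2.2", ("eq", 21)),
    Ace("1.1.1.1", ("eq", 20), "2.2.2.2", ("gt", 1023)),
]
# The second ACL: identical entries without "established"
ACL_WITHOUT = [Ace(a.src, a.sport, a.dst, a.dport) for a in ACL_WITH_ESTABLISHED]
# Constructed samples: a new connection attempt from 1.1.1.1 to port 20,
# and a reply inside a session that 2.2.2.2 opened towards 1.1.1.1
NEW_CONN = Packet("1.1.1.1", 40000, "2.2.2.2", 20, frozenset({"SYN"}))
REPLY = Packet("1.1.1.1", 40000, "2.2.2.2", 20, frozenset({"ACK"}))
```

Only the SYN-only packet is treated differently by the two ACLs; the in-session reply is permitted by both.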
