Cisco access-list

Hello there,

Can I know what is this ACL meant? What is the "established" command for in this ACL?

access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established

Thank you

3 REPLIES
Re: Cisco access-list

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

Transmission Control Protocol (TCP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [time-range time-range-name] [fragments] [log [word] | log-input [word]]

Re: Cisco access-list

Hi,

In the Cisco world, an access control list means basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter those protocols' packets as the packets pass through a router.

The established keyword has a basic definition when applied in an ACL: after a TCP session transitions to the "ESTABLISHED" state after the traditional three-way handshake, all subsequent TCP segments that use this session will have at least the ACK bit set. The "established" keyword on an ACL prevents pre-existing TCP sessions that are built across the router from being torn down when the ACL is applied to an interface.

While the "established" keyword *doesn't* turn your router into a stateful firewall, it will analyze the ACK bit and if set, this traffic will pass through the router, irrespective of whether an ACL entry further down in the list might deny the traffic.

Hope that helps with your query!

If helpful do rate the valuable post.

Ganesh.H

Re: Cisco access-list

Chris

Most of the time an access list which contains the established keyword on an entry is applied inbound on an interface (rather than outbound). Is this the case with your access list?

It may be easier to explain what the established keyword does by starting with how it is frequently used. There may be a situation where you want some host connected to your router (or perhaps many hosts connected to your router) to initiate TCP sessions to some remote host (or perhaps many remote hosts). To do this you must permit any TCP packet originated from your host and you must permit any TCP packet from the remote host that is a response to a packet sent from your host (a response in an established TCP session). But you do not want to permit a TCP packet from the remote host to your host that is not a response to something initiated from your host. So how do you differentiate a TCP packet that is a response from a TCP packet that is not a response? The answer is that a response packet will have the TCP ACK bit turned on (or the RST bit turned on) and a packet that is not a response will not have the ACK (or RST) bit turned on. So the established keyword in the access list identifies TCP packets which have the ACK or RST bits turned on.

So using the established keyword in the access list does help you to permit any TCP sessions initiated from within your network (and any packets in response to the originating host) but does not permit TCP packets from outside that would initiate TCP sessions.

HTH

Rick
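The matching rule the replies describe, as an added Python model that is not part of this thread or of Cisco IOS: it parses the control bits out of a constructed 20-byte TCP header, applies the "ACK or RST set" test that the established keyword performs, and walks the segments of a handshake through access-list 121 as seen inbound from 192.168.1.1. The port numbers and the header builder are constructed for the demo; the last case in demo() shows the caveat Ganesh raises, that the keyword checks bits, not connection state.

```python
import struct

# TCP control bits (RFC 793) as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed minimal TCP header (no options, zero checksum) for the demo."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, flags in the low byte
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the control-bit byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_established(flags: int) -> bool:
    """Cisco 'established' semantics: match if ACK or RST is set.
    A bare SYN (the initial datagram of a connection) does not match."""
    return bool(flags & (ACK | RST))


def acl_121_permits(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Model of 'access-list 121 permit tcp host 192.168.1.1 host 172.2.1.1 established'
    followed by the implicit deny at the end of every IOS ACL."""
    if src_ip == "192.168.1.1" and dst_ip == "172.2.1.1":
        return is_established(tcp_flags(segment))
    return False  # implicit deny


def demo() -> dict:
    """Segments arriving from 192.168.1.1 toward 172.2.1.1 (constructed ports 80 -> 51000)."""
    def inbound(flags: int) -> bool:
        return acl_121_permits("192.168.1.1", "172.2.1.1", build_tcp_header(80, 51000, flags))

    return {
        "remote SYN (unsolicited)":    inbound(SYN),        # False: initial datagram
        "remote SYN-ACK (reply)":      inbound(SYN | ACK),  # True: response to our SYN
        "remote data segment":         inbound(ACK | PSH),  # True: mid-session
        "remote RST":                  inbound(RST),        # True: teardown is allowed
        "remote bare ACK, no session": inbound(ACK),        # True: bits only, no state kept
    }
```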
