topic ACL Question, Does TCP Established always match port? in Network Security

ACL Question, Does TCP Established always match port?

kg6itcraig — Tue, 26 Mar 2019 00:49:22 GMT

On my Nexus 5k seems that ACL for "in" (garden_IN) is allowing ports needed. But for "out" (garden_OUT) unless established is ANY this does not work. Usually I do established with same port number. Is this right? Have not had to use any before. Garden is initiating connection to Pasture.

Nexus5000# sho running-config interface vlan 75

interface Vlan75

no shutdown

description pasture_PRIV garden SIDE

ip access-group garden_IN in

ip access-group garden_OUT out

ip address 172.25.0.1/24

Nexus5000# sho running-config interface vlan 74

interface Vlan74

no shutdown

description pasture_PRIV pasture SIDE

ip address 172.24.0.1/24

IPV4 ACL garden_IN

statistics per-entry

9 remark permit tcp ports from 172.25.0.0/24 (garden) to 172.24.0.0/24 (pasture)

10 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 1433

20 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 445

30 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 1434

40 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 4022

50 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 135

60 permit udp 172.25.0.0/24 172.24.0.0/24 eq 1434

IPV4 ACL garden_OUT

statistics per-entry

4 remark permit tcp established from 172.24.0.0/24 (pasture) to 172.25.0.0/24 (garden)

5 permit tcp 172.24.0.0/24 172.25.0.0/24 established [match=232]

10 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established [match=0]

20 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 445 established [match=0]

30 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1434 established [match=0]

40 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 4022 established [match=0]

50 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 135 established [match=0]

60 permit udp 172.24.0.0/24 172.25.0.0/24 eq 1434 [match=0]

Thanks!

Craig

ACL Question, Does TCP Established always match port?

mironetgmbh — Wed, 24 Oct 2012 22:42:13 GMT

I'm pretty sure "established" means it checks if the TCP ACK bit is set, regardless of the port. That's why you see 232 matches for rule 5 on garden_OUT and none on the other rules.

You can apply the rule to an explicit TCP port if you just want to match packets belonging to an established TCP session only for example on the HTTP port (80).

permit tcp x eq 80 y established

Please note that you probably want to match the source port in garden_OUT and not the destination port.

Does that help?

ACL Question, Does TCP Established always match port?

Julio Carvajal — Thu, 25 Oct 2012 05:44:35 GMT

This link should help

http://www.orbit-computer-solutions.com/Reflexive-ACLs.php

Regards,

ACL Question, Does TCP Established always match port?

kg6itcraig — Thu, 25 Oct 2012 06:30:05 GMT

Figured it out! Thanks for the responses.

The established acl's had source and target port backwards.

Wrong

permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established

Correct

permit tcp 172.24.0.0/24 eq 1433 172.25.0.0/24 established

No longer need the established any, works fine! Great!

Thanks!

Craig

ACL Question, Does TCP Established always match port?

mironetgmbh — Thu, 25 Oct 2012 06:39:12 GMT

IMO reflexive ACLs are not supported on Nexus 5000. "established" is the way to go on this platform.