ACL Question, Does TCP Established always match port?

On my Nexus 5k it seems that the ACL for "in" (garden_IN) is allowing the ports needed. But for "out" (garden_OUT), unless established is ANY, this does not work. Usually I do established with the same port number. Is this right? I have not had to use any before. Garden is initiating the connection to Pasture.

Nexus5000# sho running-config interface vlan 75

interface Vlan75
  no shutdown
  description pasture_PRIV garden SIDE
  ip access-group garden_IN in
  ip access-group garden_OUT out
  ip address 172.25.0.1/24

Nexus5000# sho running-config interface vlan 74

interface Vlan74
  no shutdown
  description pasture_PRIV pasture SIDE
  ip address 172.24.0.1/24

IPV4 ACL garden_IN
        statistics per-entry
        9 remark permit tcp ports from 172.25.0.0/24 (garden) to 172.24.0.0/24 (pasture)
        10 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 1433
        20 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 445
        30 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 1434
        40 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 4022
        50 permit tcp 172.25.0.0/24 172.24.0.0/24 eq 135
        60 permit udp 172.25.0.0/24 172.24.0.0/24 eq 1434

IPV4 ACL garden_OUT
        statistics per-entry
        4 remark permit tcp established from 172.24.0.0/24 (pasture) to 172.25.0.0/24 (garden)
        5 permit tcp 172.24.0.0/24 172.25.0.0/24 established [match=232]
        10 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established [match=0]
        20 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 445 established [match=0]
        30 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1434 established [match=0]
        40 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 4022 established [match=0]
        50 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 135 established [match=0]
        60 permit udp 172.24.0.0/24 172.25.0.0/24 eq 1434 [match=0]

Thanks!

Craig

My UCS Blog http://realworlducs.com
Accepted Solution

I'm pretty sure "established" means it checks if the TCP ACK bit is set, regardless of the port. That's why you see 232 matches for rule 5 on garden_OUT and none on the other rules.

You can apply the rule to an explicit TCP port if you just want to match packets belonging to an established TCP session only, for example on the HTTP port (80):

permit tcp x eq 80 y established

Please note that you probably want to match the source port in garden_OUT and not the destination port.

Does that help?



Figured it out! Thanks for the responses.

The established ACLs had the source and target ports backwards.

Wrong

permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established

Correct

permit tcp 172.24.0.0/24 eq 1433 172.25.0.0/24 established

I no longer need the "established any" entry; it works fine! Great!

Thanks!

Craig

My UCS Blog http://realworlducs.com
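A worked illustration of the two points made above (the accepted answer's explanation of what "established" tests, and the port-position fix in the reply before this one), as an added example that is not code from the thread or from Cisco. It is a small first-match evaluator for the subset of NX-OS IPv4 ACL syntax used in the posts; the entry text is taken from garden_OUT, while the packet addresses, ports and flags are constructed for the demo. It treats "established" the way the NX-OS keyword does, as a per-packet test that the ACK or RST bit is set, so it also shows why a bare `permit tcp ... established` accepts any ACK-flagged packet whether or not a session exists.

```python
"""Toy first-match evaluator for the subset of NX-OS IPv4 ACL syntax in this thread.

Added example, not code from the thread or from Cisco. Entries look like
  <seq> permit|deny tcp|udp <src> [eq <port>] <dst> [eq <port>] [established]
The addresses, ports and flags of the sample packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _network(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_entry(line: str) -> Entry:
    """Parse one ACL line; an 'eq <port>' right after a prefix binds to that prefix."""
    toks = line.split()
    seq, action, proto = int(toks[0]), toks[1], toks[2]
    i = 3
    src, sport = _network(toks[i]), None
    i += 1
    if toks[i] == "eq":
        sport, i = int(toks[i + 1]), i + 2
    dst, dport = _network(toks[i]), None
    i += 1
    if i < len(toks) and toks[i] == "eq":
        dport, i = int(toks[i + 1]), i + 2
    return Entry(seq, action, proto, src, sport, dst, dport, "established" in toks[i:])


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # "established" is a per-packet flag test (ACK or RST set), not connection
    # tracking: nothing here, or on the switch, checks that a handshake happened.
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def first_match(acl, p: Packet) -> Optional[int]:
    """Sequence number of the first matching entry, or None for the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.seq
    return None


# garden_OUT as posted: 'eq 1433' sits after the destination prefix, so it
# tests the *destination* port of the reply, which is the client's ephemeral port.
GARDEN_OUT_POSTED = [parse_entry(l) for l in (
    "5 permit tcp 172.24.0.0/24 172.25.0.0/24 established",
    "10 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 1433 established",
    "20 permit tcp 172.24.0.0/24 172.25.0.0/24 eq 445 established",
)]

# garden_OUT with the fix from the thread: the server port is the reply's
# *source* port, and the catch-all entry 5 is dropped.
GARDEN_OUT_FIXED = [parse_entry(l) for l in (
    "10 permit tcp 172.24.0.0/24 eq 1433 172.25.0.0/24 established",
    "20 permit tcp 172.24.0.0/24 eq 445 172.25.0.0/24 established",
)]

# Constructed packets. Pasture's SQL server answering garden's SYN:
SYN_ACK = Packet("tcp", "172.24.0.10", 1433, "172.25.0.20", 51000, frozenset({"SYN", "ACK"}))
# A bare ACK from an unrelated port to garden's SSH port (what an ACK scan sends):
ACK_PROBE = Packet("tcp", "172.24.0.10", 40000, "172.25.0.20", 22, frozenset({"ACK"}))


def demo() -> dict:
    return {
        "posted_syn_ack": first_match(GARDEN_OUT_POSTED, SYN_ACK),               # 5: only the catch-all hits
        "posted_syn_ack_no_catchall": first_match(GARDEN_OUT_POSTED[1:], SYN_ACK),  # None: 'eq 1433' never matches
        "fixed_syn_ack": first_match(GARDEN_OUT_FIXED, SYN_ACK),                 # 10
        "posted_ack_probe": first_match(GARDEN_OUT_POSTED, ACK_PROBE),           # 5: any ACK-flagged packet passes
        "fixed_ack_probe": first_match(GARDEN_OUT_FIXED, ACK_PROBE),             # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first two results reproduce the counters in the original post (232 hits on entry 5, none on the port-specific entries): a reply from port 1433 carries the client's ephemeral port as its destination, so `dst eq 1433` can never match it. The last two show the trade-off of the catch-all: with entry 5 present, anything from pasture with ACK set reaches garden regardless of port, which is exactly what an ACK scan relies on; with the ports moved to the source side, only replies from the listed services get through, and a SYN from pasture (no ACK) is still dropped.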

This link should help

http://www.orbit-computer-solutions.com/Reflexive-ACLs.php

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

IMO reflexive ACLs are not supported on Nexus 5000. "established" is the way to go on this platform.
