"permit tcp any any established" and IOS Firewall

insccisco
Beginner

Guys, I need some clarification here. I have already asked a couple of TAC guys, but they either did not know the answer right away or they wanted to send me to another team who might answer it...

I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:

ip inspect name IOS_Firewall tcp
ip inspect name IOS_Firewall udp
ip inspect name IOS_Firewall icmp

interface FastEthernet4
 ip address dhcp
 ip access-group 161 in
 ip nat outside
 ip inspect IOS_Firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap

access-list 161 permit udp any any eq ntp
access-list 161 permit udp any any eq bootpc
access-list 161 permit tcp any any established
access-list 161 permit icmp any any
access-list 161 permit esp any any
access-list 161 permit gre any any
access-list 161 permit udp any any eq isakmp
access-list 161 permit udp any any eq non500-isakmp
access-list 161 permit udp any eq non500-isakmp any
access-list 161 permit udp any eq isakmp any
access-list 161 permit udp any eq domain any
access-list 161 permit tcp any any eq telnet
access-list 161 permit tcp any any eq 1723
access-list 161 permit tcp any any eq 4500
access-list 161 permit tcp any any eq 5000
access-list 161 permit tcp any any eq 5500
access-list 161 deny ip any any log

My question is, is the statement "access-list 161 permit tcp any any established" required since I already have the IOS Firewall feature turned on?

Thank you

1 Reply

Marcin Latosiewicz
Cisco Employee

No, you do not need it with CBAC's TCP inspection enabled.
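An added example, not part of the original thread: a simplified Python model contrasting the stateless `established` ACL match (ACK or RST bit set) with CBAC's session tracking, to show that return traffic passes without the ACL line and what the line additionally admits. It ignores NAT and the other entries in ACL 161; the class and function names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the segment, e.g. {"SYN", "ACK"}

def matches_established(seg):
    # The ACL keyword `established` is stateless: it matches any TCP
    # segment with ACK or RST set, whether or not a session exists.
    return bool(seg.flags & {"ACK", "RST"})

class Inspection:
    """Simplified stand-in for `ip inspect ... out` TCP session tracking."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, seg):
        # A SYN leaving the outside interface opens a tracked session.
        if seg.flags == frozenset({"SYN"}):
            self.sessions.add((seg.src, seg.sport, seg.dst, seg.dport))

    def allows_return(self, seg):
        # Inbound traffic is allowed only if it mirrors a tracked session.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.sessions

def inbound_verdict(seg, inspection, acl_has_established):
    if inspection.allows_return(seg):
        return "permit: inspection session"
    if acl_has_established and matches_established(seg):
        return "permit: established ACE"
    return "deny"

def demo():
    # Constructed sample traffic (documentation address ranges).
    fw = Inspection()
    fw.outbound(Segment("198.51.100.10", 40000, "203.0.113.5", 443, frozenset({"SYN"})))
    reply = Segment("203.0.113.5", 443, "198.51.100.10", 40000, frozenset({"SYN", "ACK"}))
    stray = Segment("203.0.113.99", 80, "198.51.100.10", 40001, frozenset({"ACK"}))
    return {
        ("reply", True): inbound_verdict(reply, fw, True),
        ("reply", False): inbound_verdict(reply, fw, False),
        ("stray", True): inbound_verdict(stray, fw, True),
        ("stray", False): inbound_verdict(stray, fw, False),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

In this model the reply to the inside-initiated session is permitted either way, while the unsolicited ACK segment is permitted only when the `established` entry is present in the inbound ACL.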
