"permit tcp any any established" and IOS Firewall

insccisco (Level 1)

Guys, I need some clarification here. I have already asked a couple of TAC guys, but they either did not know the answer right away or wanted to send me to another team who might answer it...

I have a single router. One LAN, one WAN. It is an 800 series router, and the IOS Firewall feature is turned on as follows:

ip inspect name IOS_Firewall tcp
ip inspect name IOS_Firewall udp
ip inspect name IOS_Firewall icmp
!
interface FastEthernet4
 ip address dhcp
 ip access-group 161 in
 ip nat outside
 ip inspect IOS_Firewall out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap
!
access-list 161 permit udp any any eq ntp
access-list 161 permit udp any any eq bootpc
access-list 161 permit tcp any any established
access-list 161 permit icmp any any
access-list 161 permit esp any any
access-list 161 permit gre any any
access-list 161 permit udp any any eq isakmp
access-list 161 permit udp any any eq non500-isakmp
access-list 161 permit udp any eq non500-isakmp any
access-list 161 permit udp any eq isakmp any
access-list 161 permit udp any eq domain any
access-list 161 permit tcp any any eq telnet
access-list 161 permit tcp any any eq 1723
access-list 161 permit tcp any any eq 4500
access-list 161 permit tcp any any eq 5000
access-list 161 permit tcp any any eq 5500
access-list 161 deny   ip any any log

My question is, is the statement "access-list 161 permit tcp any any established"  required since I already have the IOS Firewall feature turned on?

Thank you


Marcin Latosiewicz (Cisco Employee)

No, you do not need it with CBAC's TCP inspection enabled.
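To make the difference behind that answer concrete, here is an added example (not code from the thread or from Cisco) that models the two mechanisms side by side. The `established` keyword is stateless: it matches any TCP segment with the ACK or RST bit set, so an unsolicited ACK or RST probe from the Internet passes it. CBAC's `ip inspect ... tcp` is stateful: a session seen leaving the `out` interface opens a temporary inbound hole only for the matching reverse 5-tuple. The hosts, ports and packets below are constructed sample data; NAT, TCP sequence checking and CBAC session timeouts are deliberately left out of the model.

```python
"""Toy comparison of `permit tcp any any established` versus CBAC TCP
inspection, as a stand-alone illustration (not Cisco's implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def established_permits(pkt: Packet) -> bool:
    """`established` is stateless: it permits any TCP segment with ACK or
    RST set, whether or not a session ever existed."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulInspector:
    """Stand-in for `ip inspect IOS_Firewall out` on the WAN interface:
    outbound sessions are recorded, and only their exact return traffic is
    let back in ahead of the static inbound ACL."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        # CBAC inspects the session as it leaves and remembers the 5-tuple.
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        # Return traffic must match the reverse of a recorded session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed addresses for the scenario (documentation ranges, not real hosts).
LAN_HOST = "192.168.1.10"    # assumed host behind the 800 series router
WEB_SERVER = "203.0.113.5"   # assumed Internet server the LAN host talks to
SCANNER = "198.51.100.77"    # assumed hostile host probing from the Internet


def scenario() -> dict:
    """Run four inbound packets through both filters and report the verdicts."""
    insp = StatefulInspector()
    # The LAN host opens an HTTPS session; CBAC sees it on the way out.
    insp.outbound(Packet(LAN_HOST, 51000, WEB_SERVER, 443, frozenset({"SYN"})))

    inbound = {
        "reply SYN/ACK from web server":
            Packet(WEB_SERVER, 443, LAN_HOST, 51000, frozenset({"SYN", "ACK"})),
        "ACK scan from scanner":
            Packet(SCANNER, 40000, LAN_HOST, 22, frozenset({"ACK"})),
        "RST probe from scanner":
            Packet(SCANNER, 40001, LAN_HOST, 22, frozenset({"RST"})),
        "unsolicited SYN from scanner":
            Packet(SCANNER, 40002, LAN_HOST, 22, frozenset({"SYN"})),
    }
    return {
        name: {"established": established_permits(p), "cbac": insp.inbound_permits(p)}
        for name, p in inbound.items()
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:32s} established={verdict['established']!s:5s} cbac={verdict['cbac']}")
```

The legitimate reply is permitted either way, which is why the `established` line adds nothing once inspection is on; the ACK and RST probes show what it gives away in exchange. Leaving the line in place means those probes bypass the stateful check and the `deny ip any any log` entry, so they are neither blocked nor logged.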
