08-11-2011 10:03 AM - edited 02-20-2020 09:42 PM
Dear Expert,
I am studying the ACL that filters (stops) TCP ports, from the URL below:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
In the section "Allow Only Internal Networks to Initiate a TCP Session", I would be grateful if someone would enlighten me on the usage of "established":
interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any gt 1023 established
What is the difference if the ACL is changed to the following:
access-list 102 permit tcp any any gt 1023
rdgs
08-14-2011 10:59 PM
Both of your suggested ACLs 101 and 145 are absolutely correct.
ACL 105: the remark should say: allow return traffic on tcp/80 with a source port greater than 1023. The rest of your remark is correct.
ACL 115: the remark should say: allow all traffic with a source port of HTTP (TCP/80) and a destination port greater than 1023.
ACL 125: the remark should say: allow all return traffic with a source port of HTTP (TCP/80). And yes, you are correct, it also includes the function of ACL 105.
ACL 135: the remark should say: allow all traffic with a source port of HTTP (TCP/80). And yes, you are correct, it also includes the function of ACL 115.
08-13-2011 04:40 AM
The "established" keyword is used to only allow TCP sessions which are not SYN packets. If a TCP SYN packet hits the ACL with the "established" keyword configured, the access will be denied.
Example:
If you only want to allow outbound TCP sessions and deny all inbound TCP sessions, then on the ACL applied to your inside interface (LAN interface) you will configure:
access-list 100 permit tcp any any
On the ACL applied to your outside interface (WAN interface) you will configure:
access-list 105 permit tcp any any established
(this means only the return traffic initiated from LAN will be allowed inbound, if traffic is initiated from the WAN interface, then it will be dropped).
Hope this helps.
08-14-2011 06:48 AM
Hi Jennifer,
Please find below the config according to your idea:
interface serial 0/0
ip access-group 105 in
!
interface fe 0/0
ip access-group 100 in
!
Regarding the "access-list 105 permit tcp any any established"
Does it include the return traffic (e.g. return web traffic from the web server to the client) and TCP session traffic?
Furthermore, I would be grateful if you would advise on the differences among the following 4 ACLs:
access-list 201 permit tcp any any gt 1023 established
access-list 202 permit tcp any any gt 1023
access-list 203 permit tcp any any established
access-list 204 permit tcp any any
rdgs
Anita
08-14-2011 04:27 PM
"access-list 105 permit tcp any any established" --> as this is applied to the serial/WAN interface, this will allow all return traffic that was initiated from LAN/FE interface. If your client is connected to FE0/0, and web server is on the internet, connected to WAN interface, then yes, it will allow the return traffic from web server back towards your client.
However, it will not allow the web server on the internet to initiate a TCP session towards your client, i.e. only return traffic for sessions initiated by your client will be allowed back in.
ACL 201: only allowing TCP return traffic if the destination port is greater than 1023
ACL 202: allowing all TCP traffic if the destination port is greater than 1023
ACL 203: only allowing TCP return traffic on all ports
ACL 204: allowing all TCP traffic on all ports.
Hope this helps.
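As an added illustration of the two points above (how "established" treats a SYN versus the return traffic, and how ACLs 201 to 204 differ), here is a small Python model of ACL evaluation; it is not code from the thread or from Cisco, and the port numbers, flags and ACL table are constructed for the example.

```python
# Added example (not from the Cisco document or any poster): a model of how an
# IOS extended ACL entry treats TCP packets with and without "established".
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass(frozen=True)
class Ace:
    """One 'permit tcp any any [gt <port>] [established]' entry."""
    min_dport: int = 0        # "gt 1023" means destination port >= 1024
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if p.dport < self.min_dport:
            return False
        # "established" matches only when ACK or RST is set; a bare SYN,
        # which opens a new connection, carries neither and is dropped.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

# The four ACLs from the thread (one entry each, then the implicit deny).
ACLS = {
    201: Ace(min_dport=1024, established=True),
    202: Ace(min_dport=1024),
    203: Ace(established=True),
    204: Ace(),
}

def evaluate(acl_id: int, p: Packet) -> str:
    return "permit" if ACLS[acl_id].matches(p) else "deny"

# Constructed packets arriving inbound on the WAN interface.
SYN_ACK_FROM_WEB = Packet(80, 49152, frozenset({"SYN", "ACK"}))   # reply to inside client
NEW_SYN_HIGH_PORT = Packet(40000, 3389, frozenset({"SYN"}))        # outside opens a session
NEW_SYN_LOW_PORT = Packet(40000, 23, frozenset({"SYN"}))           # outside opens a session
# Caveat: "established" keeps no connection state, so an inbound ACK-only packet
# to a high port passes ACL 201 with no inside session behind it; stateful
# inspection (e.g. reflexive ACLs) is needed to close that gap.
ACK_ONLY_NO_SESSION = Packet(40000, 3389, frozenset({"ACK"}))

def summary() -> dict:
    pkts = {"syn_ack_return": SYN_ACK_FROM_WEB, "new_syn_high": NEW_SYN_HIGH_PORT,
            "new_syn_low": NEW_SYN_LOW_PORT, "ack_only": ACK_ONLY_NO_SESSION}
    return {acl: {n: evaluate(acl, p) for n, p in pkts.items()} for acl in ACLS}
```

Calling summary() gives each ACL's verdict per packet; ACL 201 permits the return SYN/ACK but denies the new SYNs, ACL 202 permits any SYN to a high port, and ACL 204 permits everything.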
08-14-2011 10:26 PM
Dear Jennifer,
Very helpful.
I would be grateful if you would comment on the following configuration, in which I have digested your advice:
!
interface serial 0/0
description 45M DS3 from HK to US
ip access-group 105 in
!
interface fastethernet 0/0
description Internet VLAN 100 for xxx department
ip address 192.168.100.1 255.255.255.0
! .1 is an assumed host address inside 192.168.100.0/24; the network address .0 itself cannot be assigned to an interface
ip access-group 101 in
!
access-list 101 remark -- only allow Web service from internal to outside --
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 80
!
access-list 105 remark -- allow return traffic if destination tcp port greater than 1023 --
access-list 105 permit tcp any eq 80 192.168.100.0 0.0.0.255 gt 1023 established
! it should embed the partial function of "permit tcp any eq 80 192.168.100.0 0.0.0.255 gt 1023", but the
! traffic should be permitted only if it is initiated from 192.168.100.0/24. If the traffic is initiated from outside,
! acl 105 would deny it.
!
access-list 115 remark -- allow in/return traffic for tcp port greater than 1023 --
access-list 115 permit tcp any eq 80 192.168.100.0 0.0.0.255 gt 1023
! the traffic is permitted no matter whether it is initiated from internal or external
!
access-list 125 remark -- allow return traffic for all tcp ports --
access-list 125 permit tcp any eq 80 192.168.100.0 0.0.0.255 established
! includes the function of ACL 105, and also supports the tcp port range from 1 to 1023
!
access-list 135 remark -- allow in/return traffic for all tcp ports --
access-list 135 permit tcp any eq 80 192.168.100.0 0.0.0.255
! includes the function of ACL 115, and also supports the tcp port range from 1 to 1023
!
If so, I would like to modify the ACL to support more services. I would be grateful if you would comment on it.
access-list 101 remark -- only allow Internet services from internal to outside --
! ports: 80 http, 25 smtp, 110 pop3, 143 imap, 23 telnet
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 25
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 110
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 143
access-list 101 permit tcp host 192.168.100.120 eq 143 any established
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 23
!
access-list 145 remark --- return and in traffic ---
access-list 145 permit tcp any 192.168.100.0 0.0.0.255 gt 1023 established
access-list 145 permit tcp any host 192.168.100.120 eq 143
!