4917 Views, 0 Helpful, 5 Replies

ACL filter tcp port

anitachoi3
Level 1

Dear Expert,

I am studying ACLs to filter (block) TCP ports, from the URL below:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

In the section "Allow Only Internal Networks to Initiate a TCP Session", I would be grateful if someone could enlighten me on the usage of "established":

interface ethernet0
ip access-group 102 in
!
access-list 102 permit tcp any any gt 1023 established

What is different if the ACL is changed to following:

access-list 102 permit tcp any any gt 1023

rdgs


5 Replies

Jennifer Halim
Cisco Employee

The "established" keyword is used to allow only TCP session packets that are not SYN packets. If a TCP SYN packet hits the ACL with the "established" keyword configured, the access will be denied.

Example:

If you only want to allow outbound TCP sessions and deny all inbound TCP sessions, then on the ACL applied to your inside interface (LAN interface) you will configure:

access-list 100 permit tcp any any

On the ACL applied to your outside interface (WAN interface), you will configure:

access-list 105 permit tcp any any established

(this means only the return traffic of sessions initiated from the LAN will be allowed inbound; if traffic is initiated from the WAN side, it will be dropped).

Hope this helps.

Hi Jennifer,

Below please find the config according to your idea

interface serial 0/0

ip access-group 105 in

!

interface fe 0/0

ip access-group 100 in

!

Regarding the "access-list 105 permit tcp any any established"

Does it include the return traffic (e.g. return web traffic from the web server to the client) and TCP session traffic?

Furthermore, I would be grateful if you would advise on the difference between the following 4 ACLs:

access-list 201 permit tcp any any gt 1023 established

access-list 202 permit tcp any any gt 1023

access-list 203 permit tcp any any established

access-list 204 permit tcp any any

rdgs

Anita

"access-list 105 permit tcp any any established" --> as this is applied to the serial/WAN interface, this will allow all return traffic of sessions that were initiated from the LAN/FE interface. If your client is connected to FE0/0, and the web server is on the internet, connected to the WAN interface, then yes, it will allow the return traffic from the web server back towards your client.

However, it will not allow the web server on the internet to initiate a TCP session towards your client, i.e. only return traffic of sessions initiated by your client will be allowed back in.

ACL 201: only allowing TCP return traffic if the destination port is greater than 1023

ACL 202: allowing all TCP traffic if the destination port is greater than 1023

ACL 203: only allowing TCP return traffic on all ports

ACL 204: allowing all TCP traffic on all ports.

Hope this helps.

Dear Jennifer,

Greatly helpful.

I would be grateful if you would comment on the following configuration, in which I have digested your advice:

!

interface serial 0/0

description 45M DS3 from HK to US

ip access-group 105 in

!

interface fastethernet 0/0

Description Internat VLAN 100 for xxx department

ip address 192.168.100.1 255.255.255.0

ip access-group 101 in

!

access-list 101 remark -- only allow Web service from internal to outside --

access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq www

!

access-list 105 remark -- allow return traffic if destination tcp port greater than 1023 --

access-list 105 permit tcp any eq www 192.168.100.0 0.0.0.255 gt 1023 established

! it should embed the partial function of "permit tcp any eq www 192.168.100.0 0.0.0.255 gt 1023", but the

! traffic should be permitted only if it is initiated from 192.168.100.0/24. If the traffic is initiated from outside,

! ACL 105 would deny it.

!

access-list 115 remark -- allow in/return traffic for tcp port greater than 1023 --

access-list 115 permit tcp any eq www 192.168.100.0 0.0.0.255 gt 1023

! the traffic is permitted no matter whether it is initiated from internal or external

!

access-list 125 remark -- allow return traffic for all tcp port --

access-list 125 permit tcp any eq 80 192.168.100.0 0.0.0.255 established

! includes the function of ACL 105, and also covers the tcp port range from 1 to 1023

!

access-list 135 remark -- allow in/return traffic for all tcp port --

access-list 135 permit tcp any eq 80 192.168.100.0 0.0.0.255

! includes the function of ACL 115, and also covers the tcp port range from 1 to 1023

!

If so, I would like to modify the ACL to support more services, grateful if you would comment on it.

access-list 101 remark -- only allow Internet services from internal to outside --

access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq www

access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq smtp

access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq pop3

! IMAP is tcp/143 (no IOS port-name keyword, so the number is used)

access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq 143

access-list 101 permit tcp host 192.168.100.120 eq 143 any established

access-list 101 permit tcp 192.168.100.0 0.0.0.255 any eq telnet

!

access-list 145 remark --- return and in traffic ---

access-list 145 permit tcp any 192.168.100.0 0.0.0.255 gt 1023 established

access-list 145 permit tcp any host 192.168.100.120 eq 143

!

Both of your suggested ACLs 101 and 145 are absolutely correct.

ACL 105: remark should say, allow return traffic on tcp/80, with source port of greater than 1023. The rest of your remark is correct.

ACL 115: remark should say allow all traffic with source port of HTTP (TCP/80) and destination port of greater than 1023.

ACL 125: remark should say allow all return traffic with source port of HTTP (TCP/80). And yes, you are correct, it also includes function of ACL 105.

ACL 135: remark should say allow all traffic with source port of HTTP (TCP/80). And yes, you are correct, it also includes function of ACL 115.
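As an added example (not code from this thread, and not Cisco's own implementation), the following Python models first-match evaluation of IOS extended TCP ACLs, including the "established" keyword, and runs ACLs 201 to 204 from Jennifer's earlier reply plus the return-traffic ACL 145 from the final post against constructed packets as they would arrive inbound on the WAN interface. The addresses (203.0.113.10 is a documentation address standing in for an internet host), the client port numbers and the packet set are assumptions made for the illustration; it does not talk to a router.

```python
# Added example, not code from the Cisco thread: a small evaluator for IOS
# extended TCP ACLs that models the "established" keyword, used to compare
# ACLs 201-204 and the return-traffic ACL 145 against constructed packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: only the fields an extended TCP ACE inspects."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp <src> [eq N] <dst> [eq N | gt N] [established]' entry.
    Networks are CIDR strings or 'any' (IOS wildcard 0.0.0.255 is /24 here)."""
    src: str = "any"
    dst: str = "any"
    sport_eq: Optional[int] = None
    dport_eq: Optional[int] = None
    dport_gt: Optional[int] = None
    established: bool = False


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """IOS 'established' matches only if ACK or RST is set, so a bare SYN
    (the first packet of a new session) never matches such an entry."""
    if not in_net(pkt.src, ace.src) or not in_net(pkt.dst, ace.dst):
        return False
    if ace.sport_eq is not None and pkt.sport != ace.sport_eq:
        return False
    if ace.dport_eq is not None and pkt.dport != ace.dport_eq:
        return False
    if ace.dport_gt is not None and pkt.dport <= ace.dport_gt:
        return False
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True


def acl_action(aces: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return "permit"
    return "deny"


LAN = "192.168.100.0/24"
ACLS: Dict[int, List[Ace]] = {
    201: [Ace(dport_gt=1023, established=True)],  # permit tcp any any gt 1023 established
    202: [Ace(dport_gt=1023)],                    # permit tcp any any gt 1023
    203: [Ace(established=True)],                 # permit tcp any any established
    204: [Ace()],                                 # permit tcp any any
    145: [Ace(dst=LAN, dport_gt=1023, established=True),  # return traffic to the LAN
          Ace(dst="192.168.100.120/32", dport_eq=143)],   # new IMAP sessions to one server
}

# Constructed packets as seen inbound on the WAN interface (internet -> LAN);
# 203.0.113.10 is a documentation address standing in for an internet host.
WEB_SERVER = "203.0.113.10"
RETURN_FROM_WEB = Packet(WEB_SERVER, 80, "192.168.100.5", 51234, syn=True, ack=True)  # SYN/ACK back to a LAN client
INBOUND_SYN_HIGH = Packet(WEB_SERVER, 40000, "192.168.100.5", 8080, syn=True)        # new session to a high port
INBOUND_SYN_LOW = Packet(WEB_SERVER, 40000, "192.168.100.5", 22, syn=True)           # new session to a low port
RETURN_TO_LOW = Packet(WEB_SERVER, 80, "192.168.100.5", 1000, ack=True)              # client used a port <= 1023
IMAP_TO_SERVER = Packet(WEB_SERVER, 40001, "192.168.100.120", 143, syn=True)         # new IMAP session, allowed host
IMAP_TO_OTHER = Packet(WEB_SERVER, 40001, "192.168.100.5", 143, syn=True)            # new IMAP session, other host


def evaluate(pkt: Packet, numbers=(201, 202, 203, 204)) -> Dict[int, str]:
    """Return {acl_number: 'permit' | 'deny'} for one packet."""
    return {n: acl_action(ACLS[n], pkt) for n in numbers}


if __name__ == "__main__":
    for name, pkt in [("return from web", RETURN_FROM_WEB), ("inbound SYN high", INBOUND_SYN_HIGH),
                      ("inbound SYN low", INBOUND_SYN_LOW), ("return to low port", RETURN_TO_LOW)]:
        print(f"{name:20} {evaluate(pkt)}")
    for name, pkt in [("IMAP to server", IMAP_TO_SERVER), ("IMAP to other host", IMAP_TO_OTHER)]:
        print(f"{name:20} {evaluate(pkt, (145,))}")
```

Running it shows the four lines of Jennifer's comparison: the SYN/ACK coming back to the client's high port is permitted by all four ACLs, an inbound SYN to a high port passes only 202 and 204, an inbound SYN to a low port passes only 204, and return traffic to a client port at or below 1023 passes only 203 and 204. For ACL 145, a new IMAP session is permitted only when its destination is the single host 192.168.100.120. The check the model makes explicit is that "established" tests nothing but the ACK/RST bits of each packet and keeps no record of which sessions the LAN actually opened; when that guarantee matters, a stateful feature such as reflexive ACLs or a zone-based firewall is the appropriate tool.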