02-20-2009 02:10 PM - edited 03-04-2019 03:40 AM
Hi everybody!
Please consider the following:
r1(config)# access-list 110 permit tcp any any established
r1(config)# interface e0
r1(config-if)# ip access-group 110 out
r1 e0-------------h1
where r1 is a router
h1 is a host (WinXP)
Now when I try to telnet into r1 from h1, I could not get through. Why? The router should allow telnet, because the "established" option will cause the router to check if the ACK bit is set. When h1 initiates a TCP connection with r1, r1 sends the reply with the ACK bit set, thus the connection should be allowed, but in my case it was not.
Any suggestions?
Thanks a lot and have a nice weekend!
02-20-2009 02:33 PM
Sarah
The established keyword is almost always used on an access list applied inbound and not outbound as in your question. And especially when the question is about a host that is directly connected to the router, it makes no sense to configure an access list with the established parameter and apply it outbound.
If the telnet from the host to the router did not work, it would have been for some other reason than the access list. Is there perhaps an access-class applied to the vty lines that controls who can do remote access to the router? Are the vty lines perhaps configured to accept SSH but not telnet access?
HTH
Rick
02-20-2009 02:36 PM
Sarah
In re-reading my answer I realize that I was not clear about the reason when I said that it would make no sense to apply the access list outbound when the situation is about a host that is locally connected. The reason for this is that an outbound access list does not filter traffic that is generated by the router itself. So if the host telnets to the router, then the router responses go back no matter what an access list might say.
If the host were telnetting to some device on the other side of the router and the host telnet traffic were going through the router then perhaps the access list with established might make more sense.
HTH
Rick
02-20-2009 04:20 PM
Thanks for your reply Rick!
I did find out that access lists do not apply to locally generated packets.
Based on that, yes, it does not matter whether the access list is applied inbound or outbound; the router simply does not check the access list for locally generated packets.
When we use the "established" option, what control bits are also checked in the TCP header? For example, the book says the ACK bit or the reset bit. Let's say we allow the telnet connection on router r1:
r1(config)# access-list 110 permit tcp any any established
r1(config)# interface e0
r1(config-if)# ip access-group 110 in
Now if r1 receives a packet with the reset bit set and the ACK bit not set in the TCP header, will the packet be permitted by r1?
Thanks a lot!
02-20-2009 06:46 PM
Sarah
My understanding of the documentation and my experience with implementing access lists with the established parameter is that any packet with the ACK OR with the reset bit set will be permitted by the access list. So in your example, if the packet has the reset bit but not the ACK bit set, then the access list would permit that packet.
HTH
Rick
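The two points made in this thread (the "established" keyword matching when either ACK or RST is set, so a bare SYN falls through to the implicit deny, and an outbound access list not being consulted for packets the router itself generates) as an added Python model. This is not code from the thread or from Cisco; the port numbers and header filler are constructed sample values, and filter_on_e0 is a hypothetical helper that models the router's decision rather than IOS's own code path:

```python
import struct
from typing import Dict

# TCP flag bits as they appear in the flags byte (byte 13) of the TCP header.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) carrying the given flags.

    Sequence/ack numbers, window, checksum and urgent pointer are filler; only
    the ports and flags matter here. This is constructed sample data.
    """
    data_offset = 5 << 4  # header length of 5 x 32-bit words, in the upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """Return the flags byte of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return tcp_header[13]


def matches_established(tcp_header: bytes) -> bool:
    """Model of the IOS 'established' keyword: the entry matches when ACK or RST is set.

    A bare SYN (the first packet of a new connection) has neither bit, so it
    does not match and falls through to the implicit deny at the end of the ACL.
    """
    return bool(tcp_flags(tcp_header) & (TCP_ACK | TCP_RST))


def acl_110_decision(tcp_header: bytes) -> str:
    """Evaluate 'access-list 110 permit tcp any any established' plus the implicit deny."""
    return "permit" if matches_established(tcp_header) else "deny"


def filter_on_e0(tcp_header: bytes, direction: str, locally_generated: bool) -> str:
    """Apply ACL 110 on interface e0 in the given direction ('in' or 'out').

    Hypothetical helper modelling the behaviour described in the thread: an
    outbound ACL is not consulted for packets the router itself generates, so
    replies from r1 to h1 always leave regardless of the ACL.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if direction == "out" and locally_generated:
        return "permit (ACL not consulted: locally generated)"
    return acl_110_decision(tcp_header)


def run_samples() -> Dict[str, str]:
    """Run the thread's scenarios through the model and return the decisions."""
    h1_port, telnet = 1025, 23  # constructed ephemeral port on h1, telnet on r1
    scenarios = {
        "h1->r1 telnet SYN, ACL in":        (build_tcp_header(h1_port, telnet, TCP_SYN), "in", False),
        "r1->h1 SYN-ACK reply, ACL out":    (build_tcp_header(telnet, h1_port, TCP_SYN | TCP_ACK), "out", True),
        "h1->r1 RST only (no ACK), ACL in": (build_tcp_header(h1_port, telnet, TCP_RST), "in", False),
        "h1->r1 ACK, ACL in":               (build_tcp_header(h1_port, telnet, TCP_ACK), "in", False),
    }
    return {name: filter_on_e0(hdr, direction, local)
            for name, (hdr, direction, local) in scenarios.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:36} -> {decision}")
```

Running it shows why the inbound form of the ACL blocks a telnet session that h1 opens to r1 (the initial SYN carries neither ACK nor RST and is denied), why a lone RST is permitted, and why the outbound form from the original question has no effect on r1's own replies at all.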
02-21-2009 08:50 AM
Thanks Rick and have a nice weekend!