Access Lists - keyword?

Daniel333Daniel333 Senior MemberMember Posts: 2,077 ■■■■■■□□□□
I am pretty frustrated at the momement, been at this for over 6months and feel like I should have this stuff down by now. (just got a 70% on the ICND test from Cisco.com) So anyway, here was one of the questions I ran into that really threw me for a loop.

60. What does the established keyword in an IP extended access list statement specify?

Answer: TCP traffic will match the statement if it is part of an already established connection (ack bit set)


Are they trying to say there needs to be a connection already in order to filter by TCP port?
-Daniel

Comments

  • floppydiskfloppydisk Member Member Posts: 60 ■■□□□□□□□□
    my interpretation would be the definition of an extended ACL....since it uses source / destination IP address and tcp ports on the statement, when the TCP session negotiates they need to exchange these types of information. So when there's a match the ACL kicks in....

    correct me if i'm wrong. Thanks.
  • redgoblinredgoblin Member Member Posts: 57 ■■□□□□□□□□
    Yes - this is useful in a corporate network that might have its own web servers in a DMZ. Basically the purpose of the 'established' keyword is to allow traffic back into a network that created the traffic. An example might make things clearer:

    Corporate office has a main LAN of 10.10.10.10/24 which is connected to Router1. On the other side of Router1 is a DMZ that houses internal web servers for employees of the company and uses the subnet 10.1.1.0/24. Sometimes, in addition to accessing the companies web servers, the corporate LAN users might need to use the internet to grab files etc.

    So, we can restrict the corporate LAN users to only internal web server resources and external internet file transfers by using an ACL. The key thing here is that we will deny ALL traffic that coming into the corporate LAN except for the web services and the file transfers. Since the corporate LAN users will create or 'establish' those TCP connections, it makes sense to let only traffic that originates from the corporate network back into the network, and to deny everything else.

    Example: access-list 176 permit tcp any any established

    The above ACL will only let traffic originating on the corporate LAN to return to it (ie web server traffic and FTP traffic).

    In some ways you can think of these types of ACLs as being a hotel security guard. If a person that originates from outside the hotel (a stranger!) tries to come inside, the security guard will deny him access. However, if a guest of the hotel goes outside and comes back in, the security guard will allow him through since he originated from within the hotel.

    HTH
Sign In or Register to comment.