Description of the established option in access control lists

Source: Internet
Author: User
Tags: connection reset

This article introduces the established option of an ACL in detail, explains how it works, and shows how it is configured. The following gives a detailed answer.

Established option in ACL

Let's look at an example:

There is a router A whose fa0/0 port is connected to the intranet, which uses the CIDR block 172.16.0.0/16, and whose s0/0 port is connected to the Internet. Router A is now configured as follows:

access-list 101 permit tcp any 172.16.0.0 0.0.255.255 established
interface s0/0
 ip access-group 101 in

This configuration achieves the following goals:

Hosts on the Internet can only respond to TCP connections initiated from the intranet; they cannot initiate a TCP connection to the intranet.

Without the last keyword, access-list 101 permit tcp any 172.16.0.0 0.0.255.255 would simply permit all TCP traffic from the Internet to the intranet.

After the established option is added, the ACL checks the ACK and RST bits of every TCP segment travelling from the Internet to the intranet. If the ACK or RST bit is set, the segment is treated as part of an ongoing session and is permitted. When a host on the Internet tries to initiate a TCP connection to the intranet, neither the ACK nor the RST bit is set in its first segment, so that segment is not permitted.

About the fields in the TCP segment:

SYN: synchronize; set only during the three-way handshake that establishes a connection.

ACK: acknowledgment; may be set throughout the TCP communication.

RST: reset. The four-way handshake is not the only way to close a TCP connection; when a host needs to tear the connection down immediately (for example, the connection timed out, or the port or host is unreachable), RST is set.

FIN: finish; set only when the connection is terminated by the four-way handshake.

URG: urgent

PSH: Push

The flags that matter for this discussion behave as follows:

In the three-way handshake, initiator A first sends SYN, receiver B replies with SYN and ACK, and initiator A then replies with ACK. Note that the initiator's first segment carries only SYN, with no ACK.

In the four-way handshake, A sends ACK and FIN to B, B replies with ACK, then B sends ACK and FIN to A, and A replies with ACK.

ACK is set on every segment during the data transfer in between.

On a connection reset, RST is set; ACK may or may not be set.

In summary, the established option in the ACL only affects the first segment of the three-way handshake, because that segment carries only SYN and has neither ACK nor RST set.

Summary:

The established option in ACL applies only to TCP but not to UDP.

It restricts TCP connections initiated from outside.

The permitted port number can be further restricted, for example:

access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq 80 established

With this line the Internet is still not allowed to initiate a TCP connection to port 80 on the intranet.
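To make the matching rule concrete, here is a small simulator of how a router evaluates the two ACL lines above against inbound packets on s0/0. It is an added example, not code from the original article or from any vendor: it parses the page's own access-list lines (a subset of Cisco extended ACL syntax), applies the wildcard mask, the optional eq port and the established check, and ends with the implicit deny. The sample hosts 203.0.113.7 (Internet) and 172.16.10.5 (intranet) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet model with only the fields the ACL inspects."""
    proto: str                       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}; empty for UDP


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: Optional[tuple]             # (address_int, wildcard_int), or None for "any"
    dst: Optional[tuple]
    dport: Optional[int]             # destination port from "eq PORT", if given
    established: bool                # "established" keyword present


def _addr(tokens, i):
    """Read 'any' or 'ADDR WILDCARD' starting at tokens[i]; return (spec, next_index)."""
    if tokens[i].lower() == "any":
        return None, i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def _port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]."""
    if i < len(tokens) and tokens[i].lower() == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse: access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [established]"""
    t = line.split()
    if t[0].lower() != "access-list":
        raise ValueError("expected an access-list line")
    action, proto = t[2].lower(), t[3].lower()
    src, i = _addr(t, 4)
    _, i = _port(t, i)               # a source port is parsed but not enforced here
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    established = "established" in (x.lower() for x in t[i:])
    return Ace(action, proto, src, dst, dport, established)


def _addr_match(spec, ip):
    if spec is None:
        return True
    addr, wild = spec
    # Cisco wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (addr & ~wild)


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # 'established' matches only TCP segments with ACK or RST set. It inspects
    # nothing but the flag bits, so it is not a stateful session check.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt):
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"                    # implicit deny at the end of every Cisco ACL


ACL_101 = [parse_ace("access-list 101 permit tcp any 172.16.0.0 0.0.255.255 established")]
ACL_101_WEB = [parse_ace("access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq 80 established")]
OUTSIDE, INSIDE = "203.0.113.7", "172.16.10.5"   # constructed sample hosts


def inbound(acl, proto, dport, *flags):
    """Evaluate a constructed packet arriving on s0/0 from the Internet toward the intranet."""
    return evaluate(acl, Packet(proto, OUTSIDE, INSIDE, dport, frozenset(flags)))


if __name__ == "__main__":
    print("Internet opens a connection (SYN only):", inbound(ACL_101, "tcp", 22, "SYN"))
    print("Internet answers our SYN (SYN+ACK):    ", inbound(ACL_101, "tcp", 40000, "SYN", "ACK"))
    print("Internet data segment (ACK):           ", inbound(ACL_101, "tcp", 40000, "ACK"))
    print("Internet reset (RST):                  ", inbound(ACL_101, "tcp", 40000, "RST"))
    print("Internet UDP datagram:                 ", inbound(ACL_101, "udp", 53))
    print("eq 80 variant, SYN to port 80:         ", inbound(ACL_101_WEB, "tcp", 80, "SYN"))
    print("eq 80 variant, ACK to port 80:         ", inbound(ACL_101_WEB, "tcp", 80, "ACK"))
    print("eq 80 variant, ACK to port 443:        ", inbound(ACL_101_WEB, "tcp", 443, "ACK"))
```

The run shows the behaviour the article describes: the bare SYN from the Internet and the UDP datagram fall through to the implicit deny, while SYN+ACK, ACK and RST segments are permitted, and the eq 80 variant additionally drops anything not addressed to port 80. Note in matches() that the decision depends only on the flag bits of the individual segment; the router keeps no record of which connections the intranet actually opened, which is why established is a coarse filter rather than a stateful one.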
