Hence, traffic originating from 10.0.0.0/24 and destined to 172.16.1.0/24 will be permitted,
and the return traffic will be evaluated against inbound_acl when it arrives back at the router.
Established ACLs
The established keyword in an extended ACL entry for TCP matches only packets that appear to belong to an
already established TCP session: the router checks whether the TCP segment has the acknowledgment (ACK)
or reset (RST) bit set. Because every segment after the initial SYN of the three-way handshake carries the ACK bit,
and the initial SYN does not, this permits only the internal network to initiate TCP sessions outbound through
the device; a connection attempt (a SYN without ACK) originating from the external network inbound is dropped.
Note that the check is stateless: the router keeps no session table and examines only the flag bits of each
packet, so a crafted inbound packet with the ACK bit set (an ACK scan, for instance) matches the established
entry even though no session exists. Treat established as a coarse filter, not as a substitute for a stateful firewall.
The configuration in Example 2-6 for Figure 2-5 permits TCP traffic sourced from Network A (10.2.2.0/24)
and destined to Network B (10.1.1.0/24), while denying TCP sessions initiated from Network B toward
Network A.
Figure 2-5. Established ACL Example
ACL 101 in Example 2-6 permits inbound TCP packets to pass through the router interface Ethernet1 only
when the TCP segment has the acknowledgment (ACK) or reset (RST) bit set, which indicates a TCP session
that was originated from inside. When a host on Network B (10.1.1.0/24) initiates a TCP connection by sending
the first packet of the three-way handshake, which has the SYN bit set but not ACK, the packet is denied and
the TCP session cannot be established.
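The following is an added example, not code from the book or from Cisco: a small Python model of how an IOS extended ACL with the established keyword is evaluated. The ACL text embedded in it is constructed to fit Figure 2-5 (Network B 10.1.1.0/24 is the outside network on Ethernet1, Network A 10.2.2.0/24 is inside) and is an assumption about what Example 2-6 contains, not a copy of it. The packets are constructed as well. It shows the first-match evaluation, the wildcard-mask comparison, the implicit deny, and the fact that the established check only looks at the ACK and RST bits, so a forged ACK from outside is permitted even though no session exists.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed ACL text (an assumption about Example 2-6, not a copy of it).
# Applied inbound on Ethernet1, where Network B (10.1.1.0/24, outside) enters.
ACL_101 = """
access-list 101 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 established
access-list 101 deny ip any any
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp", ...
    flags: int = 0    # TCP flag bits; meaningless for non-TCP


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: tuple[int, int]        # (network, wildcard mask) as 32-bit ints
    dst: tuple[int, int]
    established: bool


def _parse_addr(tokens: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Consume an IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str) -> list[Entry]:
    """Parse numbered extended ACL lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        established = "established" in tokens[i:]
        if established and proto != "tcp":
            raise ValueError("'established' is only valid on tcp entries")
        entries.append(Entry(action, proto, src, dst, established))
    return entries


def _addr_match(ip: str, spec: tuple[int, int]) -> bool:
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    net, wild = spec
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(entries: list[Entry], pkt: Packet) -> str:
    """First-match evaluation with IOS's implicit deny at the end of every ACL."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(pkt.src, e.src) and _addr_match(pkt.dst, e.dst)):
            continue
        # 'established' is stateless: only the ACK or RST bit is examined.
        if e.established and not (pkt.flags & (ACK | RST)):
            continue
        return e.action
    return "deny"


def demo() -> dict[str, str]:
    """Run constructed packets arriving inbound on Ethernet1 through ACL 101."""
    acl = parse_acl(ACL_101)
    cases = {
        "B opens connection (SYN)":       Packet("10.1.1.5", "10.2.2.10", "tcp", SYN),
        "B replies to A's SYN (SYN/ACK)": Packet("10.1.1.5", "10.2.2.10", "tcp", SYN | ACK),
        "B data in A's session (ACK)":    Packet("10.1.1.5", "10.2.2.10", "tcp", ACK | PSH),
        "B refuses A's connection (RST)": Packet("10.1.1.5", "10.2.2.10", "tcp", RST | ACK),
        "B UDP probe":                    Packet("10.1.1.5", "10.2.2.10", "udp"),
        "B TCP to other network (ACK)":   Packet("10.1.1.5", "192.168.1.1", "tcp", ACK),
        "forged ACK, no real session":    Packet("10.1.1.99", "10.2.2.10", "tcp", ACK),
    }
    return {name: evaluate(acl, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6s}  {name}")
```

The last case is the one to keep in mind when relying on established: the forged ACK is permitted purely because of its flag bits. A stateful firewall would drop it because no matching session exists in its connection table.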