How does Cisco IOS ACL established flag work

cisco tcp access-control-list ios

11,006

Given a Vlan1 inside and Fa4 outside I gather you are working on an 8xx series?

Instead of working through established use the IOS Firewall's Context Based Access Control function, or CBAC.

With a deny ip any any or equivalent on an outside interface -- as you have stated, there needs to exist some way to permit legitimate traffic initiated from inside -> outside to get back in without resorting to vulgar language or a permit ip any any. established is one method, but a rather arcane one in that it only works with TCP causing a little headache for UDP. Instead with CBAC, which involves the ip inspect you can achieve the objective without ACE's involving the established keyword. ACL's can still be used on the outside interface, but they are not required for this specific objective.

Note that CBAC also has the ability to perform application layer gateway (ALG)/fixups to protocols that break through firewall's and NAT boundaries. In the examples below I'll include some examples.

Easiest way is to define a CBAC inspection set, then apply it in both the in and out directions on your outside interface.

First defined are generic tcp and udp to make general tcp and udp traffic work. Afterward are some ALG's

! Define CBAC inspection group in global configuration mode

ip inspect name outside_inspection tcp
ip inspect name outside_inspection udp
ip inspect name outside_inspection ftp
ip inspect name outside_inspection tftp
ip inspect name outside_inspection h323
ip inspect name outside_inspection icmp
ip inspect name outside_inspection pptp

! Enable CBAC on outside interface

interface FastEthernet4
 description outside interface
 ip inspect name outside_inspection in
 ip inspect name outside_inspection out

! ip access-group, ip nat, and others possible as well on FastEthernet4

11,006

700 Software

Updated on September 18, 2022

Comments

700 Software over 1 year
You can permit outgoing packets, but then you need to permit the responses. One way is to permit any packet that is a followup to an established connection.
```
access-list ??? permit tcp any any established
```
But how does this work? Is checking established enough on a NAT config? I wonder whether I should create a specific locked down rule for every response packet group for example, I might have this for outgoing. (access list for Vlan1 IN)
```
access-list ??? permit tcp 192.168.1.0 0.0.0.255 gt 1023 any eq www
```
and this for the response. (access list for FastEthernet4 IN)
```
access-list ??? permit tcp any eq www --WAN IP-- gt 1023 established
```
Is there better security in adding one permit established rule for every permit outgoing rule? Or am I just reducing performance when I do this?