Keyword "Established" in an ACL

[norteldude78]

Regarding the following example:

Router(config)# access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established

I have read that the established keyword is for packets that have the RST/ACK bit set. But what about initial connections where only the SYN bit is set? Will these get dropped?

Suppose you add an ACL statement before the one above that allows all tcp:

Router(config)# access-list 100 permit tcp any 172.16.0.0 0.0.255.255

Now your SYN packets would get through, but wouldn't need the 'established' statement anyway, the RST/ACK packets would already match.

Does any one know another example that shows the purpose of the established keyword?

 

[jneiberger]

The 'established' keyword is specifically for blocking incoming traffic that is not part of an established connection, or at least a connection that was initiated internally.

This is useful when you only want to allow internal devices to access external resources and you don't want any external resources to be able to initiate connections to internal devices.