ACL - established keyword

Extended ACLs accept the keyword established, which lets an entry permit the returning half of TCP sessions while still denying other (unsolicited) TCP traffic.

The established keyword is appended to the end of a permit (or deny) entry whose protocol is tcp; it is not valid for any other protocol. For example, the following commands create an extended named ACL that permits the server-to-client half of a Telnet session (segments sourced from TCP port 23) to traverse the access list.

R1(config)#ip access-list extended ESTABLISHED
R1(config-ext-nacl)#permit tcp any eq telnet any established

All other traffic is dropped by the implicit deny any at the end of every ACL; no explicit deny statement is needed.

An ACL entry with the established keyword actually inspects the flag bits in the TCP header. Specifically, the ACK and RST flags are checked: if either is set to 1, the segment is treated as belonging to an established session and matches the entry. This check is stateless. The router keeps no record of which sessions were really opened from the inside, so any segment with the ACK bit set is permitted, including a crafted one that belongs to no session. This is why stateless ACK probes (for example nmap's ACK scan) pass through an established ACL and can be used to map what it permits.
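To make the flag check and its stateless nature concrete, here is an added example written for this page (it is not IOS code or code from networklessons.com). It models the single entry permit tcp any eq telnet any established plus the implicit deny in Python, parses the fixed 20-byte TCP header per RFC 793, and runs a few constructed segments through it. The function names and the sample segments are this example's own.

```python
import struct

# TCP flag bits in the low 9 bits of the data-offset/flags word (RFC 793 / RFC 3168).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TELNET = 23


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header and return the fields an ACL entry looks at."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src_port, dst_port, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    return {"src_port": src_port, "dst_port": dst_port, "flags": off_flags & 0x01FF}


def is_established(flags: int) -> bool:
    """IOS 'established' semantics: the segment matches if ACK or RST is set."""
    return bool(flags & (ACK | RST))


def ace_matches(segment: bytes, src_port_eq=None, dst_port_eq=None, established=False) -> bool:
    """Model one 'permit tcp <src> [eq P] <dst> [eq P] [established]' entry (hypothetical helper)."""
    hdr = parse_tcp_header(segment)
    if src_port_eq is not None and hdr["src_port"] != src_port_eq:
        return False
    if dst_port_eq is not None and hdr["dst_port"] != dst_port_eq:
        return False
    if established and not is_established(hdr["flags"]):
        return False
    return True


def filter_with_established_acl(segment: bytes) -> str:
    """Evaluate the page's ACL: permit tcp any eq telnet any established, then implicit deny."""
    if ace_matches(segment, src_port_eq=TELNET, established=True):
        return "permit"
    return "deny"  # implicit deny any any at the end of every ACL


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) for the sample segments below."""
    data_offset = 5  # header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (data_offset << 12) | flags, 65535, 0, 0)


# Constructed sample segments, not captured traffic.
SERVER_SYNACK = build_tcp_header(TELNET, 50000, SYN | ACK)   # legitimate reply to an inside client
SERVER_DATA = build_tcp_header(TELNET, 50000, PSH | ACK)     # mid-session data from the server
SERVER_RESET = build_tcp_header(TELNET, 50000, RST)          # server tearing the session down
CLIENT_SYN = build_tcp_header(50000, TELNET, SYN)            # outside host opening Telnet inward
SERVER_SYN = build_tcp_header(TELNET, 50000, SYN)            # SYN-only segment sourced from port 23
ACK_PROBE = build_tcp_header(TELNET, 445, ACK)               # crafted ACK scan probe, no real session


def run_samples() -> dict:
    """Return the ACL verdict for each constructed segment."""
    samples = {
        "server_synack": SERVER_SYNACK,
        "server_data": SERVER_DATA,
        "server_reset": SERVER_RESET,
        "client_syn": CLIENT_SYN,
        "server_syn": SERVER_SYN,
        "ack_probe": ACK_PROBE,
    }
    return {name: filter_with_established_acl(seg) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The first three verdicts are the behaviour the page describes: SYN/ACK, data and RST from the Telnet server are permitted, while a SYN arriving from outside is denied. The last sample is the caveat: the ACK probe carries no session state at all, but because the ACK bit is set it is permitted exactly like real return traffic.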

Note that this feature works only for TCP. It does not function for UDP, since the UDP header carries no flags that could mark a datagram as a reply. To permit UDP return traffic with ACLs, it is necessary to use Reflexive ACLs, which create temporary entries based on the outbound traffic they see.

Links:

https://networklessons.com/uncategorized/extended-access-list-established

https://forum.networklessons.com/t/introduction-to-access-lists-on-cisco-ios-router/887/42?u=lagapidis

https://networklessons.com/cisco/ccie-routing-switching/reflexive-access-list