Access list

Posted on 2004-11-04
Last Modified: 2013-11-29

I have 2 cisco routers. A and B.

A must be able to initiate TCP connections to B and be able to receive packets in response to its own connections.

But B can't initialize TCP connections to A.

How do I configure that in the access list?

Thank you.
Question by:AgeOfWars

    Author Comment


    I meant I have 2 computers, A and B connected to one router.

    PC A must be able to initiate TCP connections to B and be able to receive packets in response to its own connections.  

    But PC B alone can't initialize TCP connections to A.

    How do I configure the access list?

    Thank you


    Expert Comment

    Hi AgeOfWars,
    Create an access list which only permits established connections back to computer A:
    access-list 101 permit tcp any any established
    access-list 101 deny ip any any

    Then apply this access-list in the outbound direction on the interface computer A connects to.

    Author Comment

    Hi GrBlades,

    I have 2 questions:

    Can you briefly explain the use of TCP and IP in the sentence? I know what they mean but I don't really get it.

    Say, PC A is connected to Router port 1 and B is connected to router port 2. When a packet travels from PC A to PC B, the access list will activate because it is applied to port 1. My question is, when a packet travelling from PC B to PC A goes through port 2, is routed to port 1 and then to PC A, will the access list applied on port 1 be activated?
    If yes, which will be the outbound and inbound port?

    Thank you.

    Accepted Solution

    1) The TCP keyword means the line only matches TCP type packets. This is required in order to use the 'established' keyword. This line therefore permits all TCP replies back to PC A but does not allow any new connections to it from other machines.
    The IP keyword basically means any IP traffic. This line basically says to deny anything else.

    2) The access-list is applied to the outbound direction so when traffic goes from PC A it goes into the port so does not go through the access-list. The reply from PC B does go out of that port so gets checked against the access-list.
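The following is an added example, not part of the thread above: a small Python model of how the router evaluates the two ACL lines from the accepted solution, first match wins, with the implicit deny at the end. It embeds a constructed IOS config fragment (the interface name, its description and PC A's address 192.168.1.10 are assumptions) that binds access-list 101 outbound on the interface facing PC A, and runs constructed packets through it. The point it makes that the answer does not spell out is that 'established' is stateless: it matches any TCP segment with the ACK or RST bit set, so a SYN from PC B is dropped, but a crafted ACK-only segment from PC B (the kind an ACK scan sends) is permitted just like a genuine reply. If that matters, a stateful mechanism such as a reflexive ACL is the tool, not 'established'.

```python
"""Stateless model of Cisco's 'established' ACL as applied in the thread.

Added example; not code from the original page. The config below is
constructed for illustration: interface name, description and PC A's
address (192.168.1.10) are assumptions.
"""
from dataclasses import dataclass, field

IOS_CONFIG = """\
access-list 101 permit tcp any any established
access-list 101 deny ip any any
!
interface FastEthernet0/1
 description link to PC A (192.168.1.10, assumed)
 ip access-group 101 out
"""

PC_A = "192.168.1.10"  # assumed address of PC A
PC_B = "192.168.1.20"  # assumed address of PC B


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    flags: frozenset = field(default_factory=frozenset)  # TCP flags set


def parse_acl(config: str, number: int):
    """Return the ACEs of access-list `number` in order as
    (action, protocol, established) tuples."""
    aces = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[:2] == ["access-list", str(number)]:
            action, proto = parts[2], parts[3]
            established = "established" in parts[6:]
            aces.append((action, proto, established))
    return aces


def parse_binding(config: str, number: int):
    """Find where the list is applied: (interface, direction)."""
    interface = None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["interface"]:
            interface = parts[1]
        elif parts[:2] == ["ip", "access-group"] and parts[2] == str(number):
            return interface, parts[3]
    return None, None


def acl_action(aces, pkt: Packet) -> str:
    """First-match evaluation. Cisco ACLs end with an implicit deny."""
    for action, proto, established in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        # 'established' is a flag test, not connection tracking:
        # it matches only when ACK or RST is set in the TCP header.
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return action
    return "deny"


def router_verdict(config: str, pkt: Packet, pc_a: str = PC_A) -> str:
    """Apply ACL 101 only where it is bound: outbound on PC A's interface.
    A packet entering that interface (sent by PC A) is never checked
    against it, as the accepted answer explains."""
    _, direction = parse_binding(config, 101)
    leaving_toward_a = pkt.dst == pc_a
    if direction == "out" and leaving_toward_a:
        return acl_action(parse_acl(config, 101), pkt)
    return "permit"  # ACL 101 not consulted on this path (no other ACLs assumed)


if __name__ == "__main__":
    samples = {
        "A -> B SYN (A opens a connection)": Packet(PC_A, PC_B, "tcp", frozenset({"SYN"})),
        "B -> A SYN/ACK (reply to A)": Packet(PC_B, PC_A, "tcp", frozenset({"SYN", "ACK"})),
        "B -> A SYN (B opens a connection)": Packet(PC_B, PC_A, "tcp", frozenset({"SYN"})),
        "B -> A ACK only (crafted, no connection)": Packet(PC_B, PC_A, "tcp", frozenset({"ACK"})),
        "B -> A UDP": Packet(PC_B, PC_A, "udp"),
    }
    for label, pkt in samples.items():
        print(f"{label:45s} {router_verdict(IOS_CONFIG, pkt)}")
```

Running the script prints the verdict for each constructed packet; the crafted ACK-only line comes back "permit", which is exactly the hole a stateless 'established' list leaves open.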
