

Access list

Posted on 2004-11-04
Medium Priority
Last Modified: 2013-11-29

I have 2 cisco routers. A and B.

A must be able to initiate TCP connections to B and be able to receive packets in response to its own connections.

But B can't initialize TCP connections to A.

How do I configure that in the access list?

Thank you.
Question by:AgeOfWars

Author Comment

ID: 12491476

I meant I have 2 computers, A and B connected to one router.

PC A must be able to initiate TCP connections to B and be able to receive packets in response to its own connections.

But PC B alone can't initialize TCP connections to A.

How do I configure the access list?

Thank you

LVL 36

Expert Comment

ID: 12492070
Hi AgeOfWars,
Create an access list which only permits established connections back to computer A :-
access-list 101 permit tcp any any established
access-list 101 deny ip any any

Then apply this access-list in the outbound direction on the interface computer A connects to.

Author Comment

ID: 12492393
Hi GrBlades,

I have 2 questions:

Can you briefly explain the use of TCP and IP in the sentence? I know what they mean but I don't really get it.

Say, PC A is connected to Router port 1 and B is connected to router port 2. When a packet travels from PC A to PC B, the access list will activate because it is applied to port 1. My question is: when a packet travels from PC B to PC A, it will go through port 2, route to port 1 and to PC A; will the access list applied on port 1 be activated?
if yes, which will be the outbound and inbound port?

Thank you.
LVL 36

Accepted Solution

grblades earned 600 total points
ID: 12492632
1) The TCP keyword means the line only matches TCP type packets. This is required in order to use the 'established' keyword. This line therefore permits all TCP replies back to PC A but does not allow any new connections to it from other machines.
The IP keyword basically means any IP traffic. This line basically says to deny anything else.

2) The access-list is applied to the outbound direction so when traffic goes from PC A it goes into the port so does not go through the access-list. The reply from PC B does go out of that port so gets checked against the access-list.
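A small simulation of how ACL 101 above is evaluated, added here as an illustration and not part of grblades' answer. The addresses, the packet model and the helper names are constructed; the placement follows the suggestion of applying the list with `ip access-group 101 out` on the interface facing PC A.

```python
from dataclasses import dataclass, field

# Constructed packet model: only the fields ACL 101 actually inspects.
@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN", "ACK"}

def established(pkt):
    # The IOS 'established' keyword is a flag check, not connection tracking:
    # it matches any TCP segment with ACK or RST set. A SYN-only segment
    # (a new connection attempt) never matches it.
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

# access-list 101 permit tcp any any established
# access-list 101 deny ip any any
ACL_101 = [
    ("permit", established),
    ("deny", lambda p: True),        # 'ip any any' matches every packet
]

def evaluate(acl, pkt):
    """First matching entry wins, as on IOS; implicit deny if none match."""
    for action, match in acl:
        if match(pkt):
            return action
    return "deny"

# Constructed addresses for the two PCs.
PC_A, PC_B = "10.0.1.10", "10.0.2.10"

def towards_pc_a(pkt):
    """Model 'ip access-group 101 out' on PC A's interface: only packets
    leaving the router toward PC A are checked; PC A's own outgoing traffic
    enters that interface and is never evaluated against the list."""
    return evaluate(ACL_101, pkt) if pkt.dst == PC_A else "not checked"

# Consequences worth noting for this ACL:
#  - PC B's SYN to PC A is denied, while PC B's SYN/ACK reply is permitted.
#  - Because 'established' is stateless, any ACK-bearing segment from PC B
#    passes, even without a prior session from PC A.
#  - 'deny ip any any' also drops UDP and ICMP replies to PC A, so pings and
#    DNS lookups from PC A will fail unless separate permit lines are added.
```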

Author Comment

ID: 12493156
