Question About UDP ACLs in IOS

Hello all,

I currently have an ACL in my 6500 that allows established TCP connections to come back into my network. Something like 'permit tcp any host established'. Is it possible to do something similar with UDP? I need to allow a machine on my inside network to communicate with a time server over UDP port 123, but I don't see an 'established' option for UDP ACLs.

Thanks in advance!

-- Bryan

Reply to
Bryan Richardson
Loading thread data ...

You might look at reflexive access lists. Beware ending up CPU switching the traffic though. I think they are supposed to be hardware switched but I seem to recall doubting that in some case or other. Switching comments apply to 6500.

The established method cannot be used on UDP since it uses the TCP flags. It blocks packets with SYN-set and ACK-not-set. This is only the case for the first packet in a TCP session so no sessions can be initiated through an "established" ACL.

Reply to

I found thsi hard to get my head round the first time so:-

Reflexive means "the reflection of" so you get an inbound ACL entry automatically created when traffic matches the outbound ACL.

I don't know how granular the reflected ACL entries are but you can see them with

sh ip access-list ACL-to-internet-reflected

from the example below.

int gi 1/1 desc Internet link access-group ACL-to-internet out access-group ACL-to-internet-reflected in

access-l e ACL-to-internet permit ip any any reflect ACL-to-internet-reflected

access-l e ACL-to-internet-reflected deny ip any any ! probably optional but you can ! put what you want here

Reflexively created entries go in front of the static entries.

Above from memory so may not be exact.

Just noticed that I can't see a reason that the two access-group statement have to be on the same interface. I have always done so.

Reply to
bod43 Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.