User guide

EXTREMEWARE SOFTWARE USER GUIDE    16-13
USING IP ACCESS LISTS
Figure 16-3: Access list allows TCP traffic
Step 3 - Permit-Established Access List.
When a TCP session begins, there is a 3-way handshake that includes a sequence of a
SYN, SYN/ACK and ACK packets. Figure 16-4 shows an illustration of the handshake
that occurs when Host A initiates a TCP session to Host B. After this sequence, actual
data can be passed.
Figure 16-4: Host A initiates a TCP session to Host B
An access list that uses the permit-established keyword filters the SYN packet in one
direction.
Use the permit-established keyword to allow only Host A to be able to establish a TCP
session to Host B and to prevent any TCP sessions from being initiated by Host B, as
illustrated in Figure 16-4. The syntax for this access-list is as follows:
    create access-list <name> tcp destination HostA ip-port 23 source HOSTB ip-port any permit-established ports any pre 8
This step may not be intuitive. Pay attention to the destination and source
address, and the desired effect.
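The following model of a permit-established entry is an added example, not code or output from the ExtremeWare guide. It takes the access-list entry shown above (destination Host A, TCP port 23, source Host B, any port) and runs the three handshake packets of Figure 16-4 through it in both directions, so the one-direction filtering the text describes is visible. The addresses for Host A and Host B, the ephemeral client port, and the rule/packet data structures are constructed assumptions; the keyword is modelled as the guide describes it, dropping the session-initiating SYN (SYN without ACK) and permitting every other matching packet.

```python
"""Model of an IP access list entry that uses the permit-established keyword.

Constructed example: the Host A / Host B addresses and the ephemeral port are
assumptions and do not come from the user guide.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

HOST_A = "192.0.2.10"      # assumed address for Host A (constructed)
HOST_B = "198.51.100.20"   # assumed address for Host B (constructed)
TELNET = 23                # the ip-port in the guide's example entry


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}

    @property
    def is_session_start(self) -> bool:
        # The first packet of the 3-way handshake carries SYN without ACK;
        # SYN/ACK and ACK belong to a session that is already being set up.
        return "SYN" in self.flags and "ACK" not in self.flags


@dataclass(frozen=True)
class TcpRule:
    """One 'create access-list <name> tcp ...' entry (modelled, not the CLI)."""
    name: str
    destination: str           # address or "any"
    dest_port: Optional[int]   # None models 'ip-port any'
    source: str
    src_port: Optional[int]
    permit_established: bool

    def matches(self, pkt: Packet) -> bool:
        return (self.destination in ("any", pkt.dst)
                and self.dest_port in (None, pkt.dport)
                and self.source in ("any", pkt.src)
                and self.src_port in (None, pkt.sport))

    def decide(self, pkt: Packet) -> Optional[str]:
        """Return 'permit', 'deny', or None when the entry does not apply."""
        if not self.matches(pkt):
            return None
        # permit-established: the session-initiating SYN in this direction is
        # dropped; every other matching packet (SYN/ACK, ACK, RST, data) passes.
        if self.permit_established and pkt.is_session_start:
            return "deny"
        return "permit"


def handshake(initiator: str, responder: str, responder_port: int,
              ephemeral: int = 40000) -> List[Packet]:
    """The three packets of Figure 16-4: SYN, SYN/ACK, ACK (ephemeral port assumed)."""
    return [
        Packet(initiator, responder, ephemeral, responder_port, frozenset({"SYN"})),
        Packet(responder, initiator, responder_port, ephemeral, frozenset({"SYN", "ACK"})),
        Packet(initiator, responder, ephemeral, responder_port, frozenset({"ACK"})),
    ]


def decisions(rule: TcpRule, packets: List[Packet]) -> List[Optional[str]]:
    """Evaluate each packet against one entry, in order."""
    return [rule.decide(p) for p in packets]


# The entry from the guide: destination Host A ip-port 23, source Host B ip-port any
RULE = TcpRule("hosta_telnet", HOST_A, TELNET, HOST_B, None, permit_established=True)


if __name__ == "__main__":
    # Host B tries to open a session to Host A port 23: its SYN is dropped, so the
    # handshake never completes even though later ACK-bearing packets would match.
    print("Host B -> Host A:23", decisions(RULE, handshake(HOST_B, HOST_A, TELNET)))
    # Host A opens a session to Host B port 23: nothing is addressed to Host A
    # port 23, so this entry is not involved in either direction of that flow.
    print("Host A -> Host B:23", decisions(RULE, handshake(HOST_A, HOST_B, TELNET)))
```

Packets for which the entry returns None fall through to the other entries in the list (and the switch's default action), which this model does not represent; the point it shows is that a single permit-established entry only constrains the direction named by its destination and source, which is why the guide tells you to check those against the effect you want.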
[Figure 16-3 diagram: TCP, UDP and ICMP traffic between 10.10.10.100 and 10.10.20.100]
[Figure 16-4 diagram: Host A to Host B handshake: SYN, SYN/ACK, ACK]