Anonymous

AdTran Equivalent to "established" ACL command on Cisco


We are replacing a failed Cisco router with an AdTran 3430.  The router is a simple configuration between the customer's firewall and their ISP.  The current Cisco has no firewall configured but does have a standard ACL on the interface to the ISP to block certain traffic (namely RFC1918 and RFC3030 address spaces), and to block all but certain traffic to one external IP address.  I am attempting to replicate the Access Control List from the Cisco onto the AdTran; however, one of the commands is failing.

On the Cisco they have the following:

    (REST OF ACL REMOVED FOR CLARITY)
    access-list 125 permit tcp any host 63.XXX.XXX.XXX established
    access-list 125 permit tcp any host 63.XXX.XXX.XXX eq 443

When I try to enter the "established" entry for the ACL on the AdTran, I get an unrecognized command:

    ip access-list extended TestACL1
    (REST OF ACL REMOVED FOR CLARITY)
      permit tcp any host 63.XXX.XXX.XXX established
      {Unrecognized command}
      permit tcp any host 63.XXX.XXX.XXX eq 443

I have looked through the IP ACLs in AOS Configuration Guide (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB0QFjAA&url=htt...) but do not see an equivalent to the established ACL.

Any thoughts or suggestions?  I am not really familiar with ACLs in general.

Accepted Solutions

jayh

Re: AdTran Equivalent to "established" ACL command on Cisco


The "established" keyword in Cisco is a form of state-checking on TCP streams.  It allows return traffic to a TCP session initiated from inside by allowing TCP if the ACK or RST bit is set.

Adtran accomplishes this differently; its firewall is stateful by default.

Your Cisco ACL is applied to the outside interface and allows the following:

* Return traffic to TCP sessions established from the inside (allows inside hosts to surf the web, retrieve email, etc.)

* Initial traffic from anyone on the outside to a secure web server on 63.XXX.XXX.XXX port 443 (HTTPS).

In the Adtran, you would accomplish this with two policies.

On the inside, create a policy "Private" that has a permit ip any any ACL to the destination "Public".  If NAT is involved, it would go in this policy.  This permits inside hosts to initiate anything to outside and by default allows the return TCP traffic from the outside "Public" interface implicitly.  Adding the "stateless" keyword strips some inspection of the return stream, so don't do that. Apply this policy to the inside interface.  For BCP38 and spoof-blocking you could optionally limit the source IP range to the subnet assigned to the inside (recommended). 

On the outside, create a policy "Public" that has an extended ACL permitting TCP traffic from any to host 63.XXX.XXX.XXX port 443 and allow that to destination Private.  For BCP38 and spoof-blocking you could optionally deny sources matching your inside subnet; this line goes first.  Apply this policy to the outside interface.

Short version:  With Adtran, you don't need the "established" ACL on the outside to allow inside users to initiate TCP sessions and have the return traffic permitted.

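The distinction the accepted answer draws, between Cisco's "established" flag check and a firewall that tracks sessions, as an added example that is not part of this thread and is not ADTRAN AOS code: a small Python model of both filters run over constructed TCP segments.  PUBLIC stands in for the thread's 63.XXX.XXX.XXX host; the other addresses come from documentation ranges; the session table is a simplified stand-in for what a stateful firewall keeps, not a description of AOS internals.

```python
"""Cisco 'established' (stateless flag check) vs. a stateful session table.

Added example, not code from the thread or from ADTRAN. It models the two
filtering approaches the accepted answer contrasts and runs both over a few
constructed TCP segments. PUBLIC stands in for the thread's 63.XXX.XXX.XXX
host; the other addresses are from documentation ranges.
"""
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10      # TCP flag bits (RFC 793)

PUBLIC = "63.0.0.1"                   # assumption: the customer's one public host


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def cisco_established_acl(seg: Segment) -> bool:
    """Models the two ACL lines from the question, applied inbound on the
    ISP-facing interface:
        permit tcp any host PUBLIC established
        permit tcp any host PUBLIC eq 443
    'established' matches any segment with ACK or RST set. It keeps no
    session table, so the remote sender decides whether this line matches.
    """
    if seg.dst != PUBLIC:
        return False                        # implicit deny at end of ACL
    if seg.flags & (ACK | RST):
        return True                         # "established" line
    return seg.dport == 443                 # "eq 443" line


class StatefulPolicy:
    """Simplified model of the behaviour the accepted answer describes: the
    inside ("Private") policy permits anything outbound and records the
    session; the outside ("Public") policy permits only matching return
    traffic plus an explicit allow to PUBLIC:443. Not AOS code.
    """

    def __init__(self) -> None:
        self._sessions: set[tuple[str, int, str, int]] = set()

    def outbound(self, seg: Segment) -> bool:
        # Private -> Public: permit ip any any, remember the 4-tuple.
        self._sessions.add((seg.src, seg.sport, seg.dst, seg.dport))
        return True

    def inbound(self, seg: Segment) -> bool:
        # Return traffic is recognised by the reversed 4-tuple, not by flags.
        if (seg.dst, seg.dport, seg.src, seg.sport) in self._sessions:
            return True
        # Public -> Private: the one explicit allow (new HTTPS connections).
        return seg.dst == PUBLIC and seg.dport == 443


def demo() -> dict[str, tuple[bool, bool]]:
    """Returns {case: (established_acl_verdict, stateful_verdict)}."""
    fw = StatefulPolicy()

    # An inside user opens an HTTPS connection to an outside server.
    fw.outbound(Segment(PUBLIC, 50000, "203.0.113.10", 443, SYN))

    cases = {
        # The server's SYN/ACK coming back to the session opened above.
        "return_traffic": Segment("203.0.113.10", 443, PUBLIC, 50000, SYN | ACK),
        # Someone on the Internet opening a new connection to the HTTPS server.
        "new_https": Segment("198.51.100.7", 40000, PUBLIC, 443, SYN),
        # Bare-ACK probe to SSH (what an ACK scan sends); no session exists.
        "ack_probe_ssh": Segment("198.51.100.7", 40001, PUBLIC, 22, ACK),
        # Ordinary SYN to SSH from outside.
        "syn_ssh": Segment("198.51.100.7", 40002, PUBLIC, 22, SYN),
    }
    return {name: (cisco_established_acl(seg), fw.inbound(seg))
            for name, seg in cases.items()}


if __name__ == "__main__":
    for name, (acl, stateful) in demo().items():
        print(f"{name:16} established={acl!s:5} stateful={stateful}")
```

Run stand-alone it prints one verdict per case.  The case worth noticing is ack_probe_ssh: the "established" line permits it because the ACK bit is set, which the sender controls, while the session table rejects it because nothing inside ever opened that connection.  That is the gap a stateful default closes, and why the answer above says the "established" entry has no direct equivalent and does not need one.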
Anonymous

Re: AdTran Equivalent to "established" ACL command on Cisco


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

Re: AdTran Equivalent to "established" ACL command on Cisco


Based on Adtran's response, will the configuration below allow any outbound traffic and block any inbound traffic coming into eth 0/1 NOT ASSOCIATED with an outbound connection?

    ip access-list standard matchall
      permit any

    ip policy-class private
      allow list self self
      nat source list matchall interface eth 0/1 overload

    ip policy-class public
      allow list self self
      discard list matchall

    interface eth 0/1
      ip address dhcp
      ip access-policy public

    interface eth 0/2
      ip address 10.11.12.13/24
      ip access-policy private


Anonymous

Re: AdTran Equivalent to "established" ACL command on Cisco


Alfred,

Based on the configuration above, the only traffic allowed would be traffic destined for an IP address configured on the NetVanta itself. All other traffic initiated from the outside will be blocked. In fact, you do not need the 'discard list matchall' entry since any traffic that is not implicitly allowed on a security zone will be blocked.

Please let us know if you have any further questions.

Thanks,

Noor