4 Replies Latest reply on Apr 7, 2015 10:38 AM by noor

    AdTran Equivalent to "established" ACL command on Cisco

    jthompson New Member

We are replacing a failed Cisco router with an AdTran 3430.  The router is a simple configuration between the customer's firewall and their ISP.  The current Cisco has no firewall configured but does have a standard ACL on the interface to the ISP to block certain traffic (namely RFC1918 and RFC3030 address spaces), and to block all but certain traffic to one external IP address.  I am attempting to replicate the Access Control List from the Cisco onto the AdTran; however, one of the commands is failing:


      On the Cisco they have the following:

      (REST OF ACL REMOVED FOR CLARITY)
      access-list 125 permit tcp any host 63.XXX.XXX.XXX established
      access-list 125 permit tcp any host 63.XXX.XXX.XXX eq 443

      When I try to enter the "established" entry for the ACL on the AdTran, I get an unrecognized command:

      ip access-list extended TestACL1
      (REST OF ACL REMOVED FOR CLARITY)
        permit tcp any host 63.XXX.XXX.XXX established
        {Unrecognized command}
        permit tcp any host 63.XXX.XXX.XXX eq 443

      I have looked through the IP ACLs in AOS configuration guide (https://supportforums.adtran.com/servlet/JiveServlet/previewBody/1643-102-2-1694/Configuring%20IP%20Access%20Control%20Lists%20(ACLs)%20in%20AOS.pdf) but do not see an equivalent to the established ACL.

      Any thoughts or suggestions?  I am not really familiar with ACLs in general.

        • Re: AdTran Equivalent to "established" ACL command on Cisco
          jayh Hall_of_Fame

          The "established" keyword in Cisco is a form of state-checking on TCP streams.  It allows return traffic to a TCP session initiated from inside by allowing TCP if ACK or RST bits are set.

          Adtran accomplishes this differently; its firewall is stateful by default.

          Your Cisco ACL is applied to the outside interface and allows the following:


          * Return traffic to TCP sessions established from the inside (allows inside hosts to surf the web, retrieve email, etc.)

          * Initial traffic from anyone on the outside to a secure web server on 63.XXX.XXX.XXX port 443 (HTTPS).


          In the Adtran, you would accomplish this with two policies.


          On the inside, create a policy "Private" that has a permit ip any any ACL to the destination "Public".  If NAT is involved, it would go in this policy.  This permits inside hosts to initiate anything to outside and by default allows the return TCP traffic from the outside "Public" interface implicitly.  Adding the "stateless" keyword strips some inspection of the return stream, so don't do that. Apply this policy to the inside interface.  For BCP38 and spoof-blocking you could optionally limit the source IP range to the subnet assigned to the inside (recommended). 


          On the outside, create a policy "Public" that has an extended ACL permitting TCP traffic from any to host 63.XXX.XXX.XXX port 443 and allow that to destination Private. For BCP38 and spoof-blocking you could optionally deny sources matching your inside subnet, this line goes first.  Apply this policy to the outside interface. 


          Short version:  With Adtran, you don't need the "established" ACL on the outside to allow inside users to initiate TCP sessions and have the return traffic permitted.
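To make the difference jayh describes concrete, here is an added Python model (not code from the thread, AdTran or Cisco) of Cisco ACL 125 beside an AdTran-style stateful "Public" policy. It assumes a single public address (63.0.0.1 stands in for 63.XXX.XXX.XXX) behind which inside hosts are NATed, and constructed packets with only the fields the rules look at.

```python
# Added example: the Cisco 'established' keyword is a flag test with no memory,
# while a stateful policy only admits replies to sessions the inside opened.
# 63.0.0.1 is a constructed placeholder for the thread's 63.XXX.XXX.XXX.
from dataclasses import dataclass, field

PUBLIC_IP = "63.0.0.1"  # placeholder public address (assumption)


@dataclass(frozen=True)
class Pkt:
    """A TCP segment as seen on the outside interface (after NAT)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


def cisco_acl_125(p: Pkt) -> str:
    """ACL 125 from the question: 'established' only checks that ACK or RST
    is set; it does not know whether a matching session ever existed."""
    if p.dst == PUBLIC_IP and p.flags & {"ACK", "RST"}:
        return "permit"  # matched the 'established' line
    if p.dst == PUBLIC_IP and p.dport == 443:
        return "permit"  # matched the 'eq 443' line
    return "deny"  # implicit deny at the end of the ACL


@dataclass
class StatefulPublicPolicy:
    """AdTran-style 'Public' policy: allow new HTTPS to the server, otherwise
    allow only replies to sessions initiated through the 'Private' policy."""
    sessions: set = field(default_factory=set)

    def outbound(self, p: Pkt) -> None:
        """An outbound packet permitted by 'Private' creates session state."""
        self.sessions.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Pkt) -> str:
        if p.dst == PUBLIC_IP and p.dport == 443:
            return "allow"  # the explicit ACL entry for the HTTPS server
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "allow"  # reply to a tracked outbound session
        return "discard"  # no explicit allow and no matching session


def compare(p: Pkt, policy: StatefulPublicPolicy) -> tuple:
    """Return (Cisco verdict, AdTran-style verdict) for one inbound packet."""
    return cisco_acl_125(p), policy.inbound(p)
```

The one case where the two disagree is an unsolicited segment with ACK set and no session behind it: the flag check lets it through, the stateful policy does not.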

            • Re: AdTran Equivalent to "established" ACL command on Cisco
              Employee

              jthompson -

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


              Thanks,

              Noor

            • Re: AdTran Equivalent to "established" ACL command on Cisco
              ewieling2 New Member

              Based on Adtran's response will the configuration below allow any outbound traffic and block any inbound traffic coming into eth 0/1 NOT ASSOCIATED with an outbound connection?

              ip access-list standard matchall
                permit any

              ip policy-class private
                allow list self self
                nat source list matchall interface eth 0/1 overload

              ip policy-class public
                allow list self self
                discard list matchall

              interface eth 0/1
                ip address dhcp
                ip access-policy public

              interface eth 0/2
                ip address 10.11.12.13/24
                ip access-policy private


                • Re: AdTran Equivalent to "established" ACL command on Cisco
                  Employee

                  Alfred,


                  Based on the configuration above, the only traffic allowed would be traffic destined for an IP address configured on the NetVanta itself. All other traffic initiated from the outside will be blocked. In fact, you do not need the 'discard list matchall' entry since any traffic that is not implicitly allowed on a security zone will be blocked.


                  Please let us know if you have any further questions.


                  Thanks,

                  Noor