The "established" keyword in Cisco is a form of state-checking on TCP streams. It allows return traffic to a TCP session initiated from inside by allowing TCP if the ACK or RST bits are set.
Adtran accomplishes this differently; its firewall is stateful by default.
Your Cisco ACL is applied to the outside interface and allows the following:
* Return traffic to TCP sessions established from the inside (allows inside hosts to surf the web, retrieve email, etc.)
* Initial traffic from anyone on the outside to a secure web server on 63.XXX.XXX.XXX port 443 (HTTPS).
In the Adtran, you would accomplish this with two policies.
On the inside, create a policy "Private" that has a permit ip any any ACL to the destination "Public". If NAT is involved, it would go in this policy. This permits inside hosts to initiate anything to outside and by default allows the return TCP traffic from the outside "Public" interface implicitly. Adding the "stateless" keyword strips some inspection of the return stream, so don't do that. Apply this policy to the inside interface. For BCP38 and spoof-blocking you could optionally limit the source IP range to the subnet assigned to the inside (recommended).
On the outside, create a policy "Public" that has an extended ACL permitting TCP traffic from any to host 63.XXX.XXX.XXX port 443 and allow that to destination Private. For BCP38 and spoof-blocking you could optionally deny sources matching your inside subnet; this line goes first. Apply this policy to the outside interface.
Short version: With Adtran, you don't need the "established" ACL on the outside to allow inside users to initiate TCP sessions and have the return traffic permitted.
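The two-policy setup described in the answer above, written out as a complete NetVanta AOS configuration. This is an added example, not configuration from the Adtran post. It assumes the inside subnet is 10.11.12.0/24 (the subnet used later in this thread), uses the RFC 5737 documentation address 203.0.113.10 as a stand-in for the post's 63.XXX.XXX.XXX server, and assumes the interface-level policy assignment uses the AOS access-policy command. The ACL names (inside-net, spoofed-inside, web-server) are made up for the example.

```text
! Added example configuration (not from the Adtran post).
! Assumptions: inside subnet 10.11.12.0/24; 203.0.113.10 stands in
! for the post's 63.XXX.XXX.XXX HTTPS server; substitute real values.

! Enable the stateful firewall; policy-classes do nothing without it.
ip firewall

! ACLs referenced by the policy-classes below.
! "self" is what the factory default uses for traffic to the router itself.
ip access-list standard self
  permit any
! Inside subnet: the only source range allowed to leave (BCP38).
ip access-list standard inside-net
  permit 10.11.12.0 0.0.0.255
! Packets arriving on the outside that claim an inside source are spoofed.
ip access-list extended spoofed-inside
  permit ip 10.11.12.0 0.0.0.255 any
! New sessions from anyone to the HTTPS server only.
ip access-list extended web-server
  permit tcp any host 203.0.113.10 eq 443

! Inside policy: hosts may reach the router itself and, if sourced from
! inside-net, initiate anything outbound through NAT. Return TCP traffic
! is permitted statefully; do NOT add the "stateless" keyword here.
ip policy-class Private
  allow list self self
  nat source list inside-net interface eth 0/1 overload

! Outside policy: drop spoofed sources first, then admit only new
! sessions to the HTTPS server into Private. Everything else is
! discarded implicitly; no Cisco-style "established" entry is needed.
ip policy-class Public
  allow list self self
  discard list spoofed-inside
  allow list web-server policy Private

interface eth 0/1
  ip address dhcp
  access-policy Public
  no shutdown
interface eth 0/2
  ip address 10.11.12.13 255.255.255.0
  access-policy Private
  no shutdown
```

The discard entry for spoofed-inside sits above the allow entry because entries in a policy-class are evaluated in order. If the HTTPS server actually lives on a private address behind the NAT rather than on the public block, the allow entry in Public would have to be replaced with a destination NAT entry pointing at the server's inside address; the answer above assumes the public address is routed to the server directly.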
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Based on Adtran's response will the configuration below allow any outbound traffic and block any inbound traffic coming into eth 0/1 NOT ASSOCIATED with an outbound connection?
! Global firewall enable; policy-classes have no effect without it.
ip firewall
! "self" is referenced below; the factory default defines it as "permit any".
ip access-list standard self
  permit any
! An ACL with no entries matches nothing, so matchall needs a permit.
ip access-list standard matchall
  permit any
! Inside: allow traffic to the router itself and NAT everything outbound.
ip policy-class private
  allow list self self
  nat source list matchall interface eth 0/1 overload
! Outside: allow traffic to the router itself, drop everything else.
ip policy-class public
  allow list self self
  discard list matchall
interface eth 0/1
  ip address dhcp
  ip access-policy public
  no shutdown
interface eth 0/2
  ip address 10.11.12.13/24
  ip access-policy private
  no shutdown
Based on the configuration above, the only traffic allowed would be traffic destined for an IP address configured on the NetVanta itself. All other traffic initiated from the outside will be blocked. In fact, you do not need the 'discard list matchall' entry since any traffic that is not implicitly allowed on a security zone will be blocked.
Please let us know if you have any further questions.