ACL help needed...

[Lovejoy]

This should be simple, but I am doing something wrong. I need a write
an PACL that will only allow established traffic to a switch port.
Here is what I have so far :

access-list 101 permit tcp any 192.168.145.250 0.0.0.0 established

int g1/48
ip access-group 101 in

What this gets me is no connectivity with the acl in place on the
interface. It has to be something that is right in my face, that I am
missing. Our 4500 can't do NAT, so I have to find a workaround.

Suggestions?

TIA
Lovejoy

--
===========================================================
This space for lease....

[JF Mezei]

Lovejoy wrote:

> access-list 101 permit tcp any 192.168.145.250 0.0.0.0 established
>
> int g1/48
> ip access-group 101 in
>
>
> What this gets me is no connectivity with the acl in place on the
> interface.

To get to an "established" state, you need to first exchange a few
packets. So you need to get your ACL to permit the packet exchange that
will lead to the established state after which, the first line handles
the traffic.

[Lovejoy]

In article <00a8183d$0$27966$c3e...@news.astraweb.com>, JF Mezei
<jfmezei...@vaxination.ca> wrote:

Thanks for the response. It was my assumption that since there was no
ACl controlling any outbound traffic, that the ACL 101 would "see" that
it was established traffic. Do I need to have an ACL like the

access-list 100 permit ip 192.168.145.250 0.0.0.0 any

and apply it in the out direction on the interface?

Thanks