"option:: established" does the wrong thing on Cisco.

[GoogleCodeExporter]

What steps will reproduce the problem?
1. compile the following ACL with target:: cisco

term test-term {
  source-address:: bas050-2
  destination-address:: HVAC_TEST_SERVERS
  protocol:: tcp
  destination-port:: SSH
  option:: established
  action:: accept
}

2. check the results:

 remark test-term
 permit tcp host 134.79.230.135 172.25.192.8 0.0.0.7 eq 22 established
 permit tcp host 134.79.230.135 172.25.192.8 0.0.0.7 range 1024 65535 established


What is the expected output? What do you see instead?

The second line should not be there, and the first line should read:

permit tcp host 134.79.230.135 range 1024 65535 172.25.192.8 0.0.0.7 eq 22 
established


What version of the product are you using? On what operating system?
SVN v110. Also tried on v103 with the same results.
Linux RHEL5.

Please provide any additional information below.

- it works correctly when specifying a source-port (as opposed to a 
destination-port).
- it fails in the same way on UDP.

Original issue reported on code.google.com by antonio....@gmail.com on 8 Apr 2011 at 12:10

[GoogleCodeExporter]

I do realize it is a bit dumb to filter "established" on a destination port. 
But I still find the output surprising...

Original comment by antonio....@gmail.com on 8 Apr 2011 at 5:22

[GoogleCodeExporter]

This is expected behavior.  For stateless filtering, the "established" option 
simply appends high-ports (1024-65535) to the destination-ports.  Therefore, in 
the example term if results in a policy allowing src->dest of ports 22 and 
1024-65535.

From: http://code.google.com/p/capirca/wiki/PolicyFormat
...
option:: [established|tcp-established|sample|intial|rst|first-fragment]
established - only permit established connections, implements tcp-established 
if protocol is tcp only, otherwise adds 1024-65535 to required 
destination-ports.

Original comment by watson@google.com on 12 Jul 2011 at 6:59

• Changed state: WontFix