The Access Control List 'established' Keyword

The established keyword is only applicable to TCP access list entries to match TCP segments that have the ACK and / or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only.
Non-matching cases are initial TCP connection-establishment segments with only the SYN bit set.

A typically usage is to differentiate the connections originating inside from connections originating elsewhere. Figure below shows a scenario which allowing internal systems to initiate Telnet connections to any Internet site (outside network), but not the other way around. A simple solution is to block incoming packets that don’t have the ACK or RST bits set by using the established keyword, which permitting return traffic for connections that are established and initiated from the inside, and denying connections initiated from outside to inside.

Note: This method of blocking unwanted traffic originating from the outside network can be circumvented – it is possible to forge a packet with the appropriate bits set – spoofing TCP flags. However, a proper stateful packet-filtering firewall will not fall to such an attack.

Another usage is to allow connections to be initiated from client systems only, but not from the server to the others. This can prevent abuse from the server and tighten the server to offer only the necessary services.

The access-list 101 permit tcp any any established is equivalent to access-list 101 permit tcp any any ack rst. When configuring the latter command, it will be appeared as the former command in the running configuration.