Configure a TCP Established ACL in Packet Tracer
In the video tutorial below I use Packet Tracer to demonstrate how a layer 3 access-list based firewall functions in a network scenario featuring a private LAN and a public DMZ. The goal is to improve security by using a layer 4 firewall that is TCP aware. You can add layer 4 firewall capability with a TCP Established ACL (Access List).
In the second tutorial, I demonstrate how a hacker could bypass a layer 2 access-list firewall by masquerading the port number. I also demonstrate how to solve this problem by using a tcp-established access list.
Two further advancements in Cisco stateful firewalls are the CBAC firewall and Zone Based Firewall. Both of these modular firewalls were great improvements over the early TCP established firewall.
Today, there are even more advanced firewalls that can detect application data at layer 7 and connect to cloud based security centers to share and respond to potential zero day threats with global analysis and response.