How does the Cisco IOS ACL established flag work

I partly solved the problem by starting the Mongrel server with

mongrel_rails start -d

instead of

ruby script/server -d

Not sure what the actual problem was, just happy that it works now :)

0
asked 28 October 2011 at 11:44
1 answer

Given a Vlan1 inside and Fa4 outside, I gather you are working on an 8xx series?

Instead of working through established use the IOS Firewall's Context Based Access Control function, or CBAC.

With a deny ip any any or equivalent on an outside interface -- as you have stated, there needs to exist some way to permit legitimate traffic initiated from inside -> outside to get back in without resorting to vulgar language or a permit ip any any. established is one method, but a rather arcane one in that it only works with TCP, causing a little headache for UDP. Instead, with CBAC, which involves ip inspect, you can achieve the objective without ACEs involving the established keyword. ACLs can still be used on the outside interface, but they are not required for this specific objective.

Note that CBAC also has the ability to perform application layer gateway (ALG)/fixups for protocols that break through firewalls and NAT boundaries. In the examples below I'll include some of these.

Easiest way is to define a CBAC inspection set, then apply it in both the in and out directions on your outside interface.

First defined are generic tcp and udp to make general tcp and udp traffic work. Afterward are some ALGs.

! Define CBAC inspection group in global configuration mode
ip inspect name outside_inspection tcp
ip inspect name outside_inspection udp
ip inspect name outside_inspection ftp
ip inspect name outside_inspection tftp
ip inspect name outside_inspection h323
ip inspect name outside_inspection icmp
ip inspect name outside_inspection pptp

! Enable CBAC on outside interface
interface FastEthernet4
 description outside interface
 ip inspect name outside_inspection in
 ip inspect name outside_inspection out

! ip access-group, ip nat, and others possible as well on FastEthernet4
1
answered 23 November 2019 at 11:04
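The answer's point that established only helps TCP, while inspection tracks return traffic for TCP and UDP alike, can be seen in a small model. This is an added example, not part of the original answer and not IOS code: a Python simulation of the two filtering approaches over constructed packets, with all addresses and ports made up. The established keyword is modelled the way IOS documents it (a TCP segment with ACK or RST set matches, with no session state), and CBAC is modelled only as session tracking, not its ALG features.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet model: 5-tuple plus the TCP ACK/RST bits."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit (meaningless for UDP)
    rst: bool = False  # TCP RST bit (meaningless for UDP)

def established_acl_permits(pkt: Packet) -> bool:
    """Stateless model of 'permit tcp any any established' applied inbound
    on the outside interface: matches a TCP segment with ACK or RST set.
    UDP can never match, and no record of outbound sessions is kept."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)

class Inspector:
    """Minimal model of CBAC-style inspection: an outbound packet opens a
    session; an inbound packet is permitted only if it is the reverse of a
    recorded session, for TCP and UDP alike (no 'established' ACE needed)."""
    def __init__(self) -> None:
        self.sessions: set = set()

    def outbound(self, pkt: Packet) -> None:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        # Return traffic has src/dst swapped relative to the recorded flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(outbound: list, inbound: list) -> list:
    """For each inbound packet: (established-ACL verdict, CBAC verdict)."""
    insp = Inspector()
    for p in outbound:
        insp.outbound(p)
    return [(established_acl_permits(p), insp.inbound_permits(p)) for p in inbound]

# Constructed traffic: inside host 192.0.2.10 behind Vlan1, servers outside Fa4.
OUTBOUND = [Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 80),
            Packet("udp", "192.0.2.10", 50000, "198.51.100.5", 53)]
INBOUND = [Packet("tcp", "198.51.100.5", 80, "192.0.2.10", 40000, ack=True),  # HTTP reply
           Packet("udp", "198.51.100.5", 53, "192.0.2.10", 50000),            # DNS reply
           Packet("tcp", "203.0.113.9", 4444, "192.0.2.10", 22, ack=True),    # unsolicited, ACK set
           Packet("udp", "203.0.113.9", 4444, "192.0.2.10", 161)]             # unsolicited UDP
```

Running compare(OUTBOUND, INBOUND) shows the DNS reply dropped by the established ACL but passed by inspection, and the unsolicited segment carrying ACK passed by the ACL but dropped by inspection, which is the headache the answer describes.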
