Re: Is it possible to specify ICMP type on a deny in ACL ?

christoph.ehret · ‎04-22-2005

Hi,

When a packet is denied because of a rule in the ACL, is it actually possible to specify the ICMP type and code that will be used to inform the sender ?

Thanks

Chris

lgijssel · ‎04-22-2005

Simple answer: Yes, ths is possible.

Please chek the following URL for in-depth info:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d1d4.html#wp1078593

Regards,

Leo

christoph.ehret · ‎04-22-2005

I do not know if I did not understand your answer or if my question was not really clear. I will give an example. Imagine, you have following rule in an acl :

access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

A packet that was just filtered matched this rule, i.e the packet was denied. A ICMP packet should be sent to the sender, to inform him that the packet was blocked (i.e it depends on the ICMP message that will be sent). So my question is actually, is it possible to specify the type or code of the ICMP packet that will be send ? I know the reference page you gave me, but I have found nowhere anything pointing in that direction.

Thanks.

Chris

Richard Burts · ‎04-22-2005

I think that I understand your question. Unfortunately the answer is no you can not specify what type of ICMP to notify the sender that the packet was denied. Cisco will generate an ICMP Administratively Prohibited message. And there is no way to specify a different message type for this function.

HTH

Rick

HTH

Rick