Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1073
Views
0
Helpful
1
Replies

Default action for access list Deny

ampowell
Level 1
Level 1

‎09-06-2012 09:10 AM - edited ‎03-11-2019 04:50 PM

Hello,

Is it possible to change the default action for an access list deny?  Can the ASA be configured to send an icmp unreachable rather than just dropping the packet if an access list denies the request?  I have a situation where I would like to restrict access to a specific server for a select number of users.  The problem is that the restricted workstations attempt to connect to the server at log in.  Since I cannot control the log in script for those users, I was hoping to use the ASA firewall instead.  However, using a deny statement causes the workstation to repeatedly send SYN requests for 60 seconds.   The restricted users experience an unacceptably long delay at log in.  I was hoping to be able to configure the ASA to send an icmp unreachable message for those users and avoid the wait.

Thanks,

Ann

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎09-06-2012 09:19 AM

Hello,

As the firewall it's supposed to be invisible there is no way the ASA could send this particular messages, sorry to inform you that but you could request this particular feature with your Cisco account Team.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card