Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2521
Views
0
Helpful
1
Replies

IOS Still Sending ICMPs even with ACL on

SJobs1971
Level 1
Level 1

‎07-03-2011 01:31 PM - edited ‎02-21-2020 04:23 AM

I tried to stop Cisco IOS from sending any ICMP unreachables. With the following config, IOS still sends an ICMP "Destination Unreachable" Communication Administratively Filtered" When I try to ping the router from over the internet, or access a blocked port Here is my config:

interface GigabitEthernet0

! T1 connection to internet

ip address dhcp

ip access-group in_wan in

ip access-group out_wan out

no ip proxy-arp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

ip access-list extended in_wan

permit tcp any any established

deny   udp any any eq domain

deny   tcp any any eq domain

permit udp any any

permit icmp any any echo-reply

deny   icmp any any log

deny   ip any any log

ip access-list extended out_wan

permit icmp any any echo

deny   icmp any any

permit ip any any

What did I do wrong, are these ACLs proper for production use? Thanks.

0 Helpful
1 Reply 1

Nicolas Fournier
Cisco Employee
Cisco Employee

‎07-03-2011 02:12 PM

Hi,

The easiest way to prevent your router from sending ICMP unreachable would be to disable it on your interface:

router#conf t
router(config)#interface GigabitEthernet0
router(config-if)#no ip unreachables 
router(config-if)#

The ACL you've pasted in your message should also block those messages but it is easier not to generate them at all.

Regards,

Nicolas

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card