01-04-2018 03:31 AM - edited 03-05-2019 09:42 AM
Hello all
access-list inside_in extended deny icmp host A host B log
access-list inside_in extended deny ip host A host B log
I would like to know the behaviour of these ACLs.
As I understand it, the ping from A to B is not allowed, but A receives an unreachable answer. Is that correct?
How can I avoid that answer? I want to avoid any answer, performing a drop or block so that A does not receive any answer for that traffic.
In addition, the same applies to the second ACL: any application that runs over IP may receive an answer. How can I avoid that answer? Drop the traffic.
Regards
01-04-2018 04:02 AM - edited 01-04-2018 04:03 AM
Hi
Please correct me if I'm misunderstanding the question: with the first question, you don't want any destination unreachable message?
Try with:
access-list inside_in line 2 extended deny icmp host A host B echo
access-list inside_in line 3 extended deny icmp host A host B echo-reply
access-list inside_in line 4 extended deny icmp host A host B unreachable
About the 2nd question: do you want to receive a message when a connection occurs, or when it is dropped? You could analyze the hits through: show access-list inside_in, or through the logs: show log or show connections.
01-04-2018 04:15 AM
Thank you for your quick answer.
access-list inside_in line 2 extended deny icmp host A host B echo
access-list inside_in line 3 extended deny icmp host A host B echo-reply
access-list inside_in line 4 extended deny icmp host A host B unreachable
With your ACLs, the behavior that I see is: if host A sends an echo, echo-reply, or unreachable ICMP packet through the ASA, the device does not allow the traffic. Not whether the ASA responds to that packet.
But does the ASA act as a router/proxy device that, when the traffic is denied, sends an answer saying that the traffic has been denied, or that the destination is unreachable? Or does it perform a silent drop?
Regards
01-04-2018 06:31 AM
Hello
To avoid the rtr sending unreachable msgs, disable it on the interface.
int x/x
no ip unreachables
res
Paul
01-04-2018 07:23 AM
Hello
Yes, I know. However, I'm not talking about the router or the interface. I only want to apply that rule to those two IPs, to simulate an outage between them.
Checking Cisco in depth:
"The Cisco "deny" ACL seems to quietly drop TCP/IP packets."
ASA-ACI-FW01/PRODUCTION(config)# access-list aaa line 3 extended ?
configure mode commands/options:
deny Specify packets to reject --> Reject means drop the packet.
permit Specify packets to forward
It does not send an answer.
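The behaviour discussed in this thread (first-match evaluation, `ip` covering every protocol including ICMP, ICMP-type-qualified lines matching only that type, and a `deny` that drops without generating any reply toward the source) can be checked against a small model. The following is an added example, not code from the thread and not Cisco's implementation: a toy evaluator for the `access-list NAME [line N] extended ACTION PROTO {host X|any} {host Y|any} [ICMPTYPE] [log]` subset of the syntax. The log format, the `Packet`/`Verdict` classes and the RFC 5737 documentation addresses standing in for A and B are all constructed for illustration; the explicit `line N` position is parsed but entries are evaluated in input order.

```python
"""Toy first-match evaluator for ASA-style extended ACL lines (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

# ICMP type keywords used in the thread, mapped to their numeric types.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None   # only used when proto == "icmp"


@dataclass
class AclEntry:
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" is a superset of every protocol
    src: str                    # an address or "any"
    dst: str
    icmp_type: Optional[int]    # None: any ICMP type
    log: bool

    def matches(self, pkt: Packet) -> bool:
        if self.src not in ("any", pkt.src) or self.dst not in ("any", pkt.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.proto == "icmp" and self.icmp_type is not None \
                and self.icmp_type != pkt.icmp_type:
            return False
        return True


@dataclass
class Verdict:
    action: str                  # "permit" or "deny"
    matched: Optional[int]       # index of the matching entry; None = implicit deny
    reply: Optional[str]         # what is sent back to the source (always None here)
    log_line: Optional[str]      # constructed log record when the entry carries "log"


def _endpoint(tok: List[str], i: int):
    """Return (address, next_index) for 'host X' or 'any'."""
    if tok[i] == "host":
        return tok[i + 1], i + 2
    if tok[i] == "any":
        return "any", i + 1
    raise ValueError("unsupported address form: " + tok[i])


def parse_acl_line(line: str) -> AclEntry:
    tok = line.split()
    if tok[:1] != ["access-list"]:
        raise ValueError("not an access-list line: " + line)
    name, i = tok[1], 2
    if tok[i] == "line":            # explicit position; this toy keeps input order
        i += 2
    if tok[i] != "extended":
        raise ValueError("only extended ACL lines are supported")
    action, proto = tok[i + 1], tok[i + 2]
    if action not in ("permit", "deny"):
        raise ValueError("bad action: " + action)
    src, i = _endpoint(tok, i + 3)
    dst, i = _endpoint(tok, i)
    rest = tok[i:]
    icmp_type = next((ICMP_TYPES[t] for t in rest if t in ICMP_TYPES), None)
    return AclEntry(name, action, proto, src, dst, icmp_type, "log" in rest)


def parse_acl(text: str) -> List[AclEntry]:
    return [parse_acl_line(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[AclEntry], pkt: Packet) -> Verdict:
    """First match wins; an ACL applied with access-group ends with an implicit deny."""
    for idx, entry in enumerate(acl):
        if not entry.matches(pkt):
            continue
        log_line = None
        if entry.log:
            # Constructed log text, not the real ASA syslog message.
            log_line = (f"{entry.action.capitalize()} {pkt.proto} src {pkt.src} dst {pkt.dst}"
                        f" by access-group {entry.name} line {idx + 1}")
        # A deny drops the packet silently: nothing is sent back to the source.
        return Verdict(entry.action, idx, None, log_line)
    return Verdict("deny", None, None, None)   # implicit deny: no match, no log


# Constructed sample ACL; RFC 5737 documentation addresses stand in for hosts A and B.
A, B = "192.0.2.10", "198.51.100.20"
SAMPLE_ACL = parse_acl(f"""
access-list inside_in extended deny icmp host {A} host {B} log
access-list inside_in extended deny ip host {A} host {B} log
access-list inside_in extended permit ip any any
""")

if __name__ == "__main__":
    for p in (Packet(A, B, "icmp", 8), Packet(A, B, "tcp"), Packet("192.0.2.11", B, "icmp", 8)):
        print(p, "->", evaluate(SAMPLE_ACL, p))
```

Running it shows the two points that matter for a defender reading the thread: the `deny ip` line already covers ICMP and every other protocol between A and B (the `deny icmp` line only adds an earlier, protocol-specific hit counter and log record), and the verdict for a denied packet carries a log line but no reply, so the only evidence of the drop is on the firewall itself (`show access-list` hit counts and the log), not at host A.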