ASA - ACL extended deny ICMP host A host B log behaviour

jchimenop
Level 1

Hello all

access-list inside_in extended deny icmp host A host B log

access-list inside_in extended deny ip host A host B log

I would like to know the behaviour of these ACLs.

As I understand it, the ping from A to B is not allowed, but A receives an unreachable answer. Is that correct?

How can I avoid that answer? I want to avoid any answer, performing a drop or block so that A does not receive any answer to that traffic.

In addition, the same applies to the second ACL: any application that runs over IP may receive an answer. How can I avoid that answer and just drop the traffic?

 

Regards

4 Replies

Hi

Please correct me if I'm misunderstanding the question: with the first question, you don't want any destination unreachable message?

Try with:

access-list inside_in line 2 extended deny icmp host A host B echo

access-list inside_in line 3 extended deny icmp host A host B echo-reply

access-list inside_in line 4 extended deny icmp host A host B unreachable

About the 2nd question, do you want to receive a message when a connection occurs, or when it is dropped? You could analyze the hits through: show access-list inside_in, or through the logs: show log or show connections.

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<

Thank you for your quick answer

access-list inside_in line 2 extended deny icmp host A host B echo

access-list inside_in line 3 extended deny icmp host A host B echo-reply

access-list inside_in line 4 extended deny icmp host A host B unreachable

With your ACLs, the behavior that I see is: if host A sends an echo, echo-reply, or unreachable ICMP packet through the ASA device, the traffic is not allowed. That says nothing about whether the ASA responds to that packet.

But does the ASA act as a router/proxy device that, when the traffic is denied, sends an answer saying that the traffic has been denied or that the destination is unreachable? Or does it perform a silent drop?

Regards

Hello

To stop the rtr from sending unreachable msgs, disable it on the interface.

int x/x

no ip unreachables

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Yes, I know. However, I'm not talking about the router or the interface. I only want to apply that rule to those two IPs, to simulate an outage between them.

Checking Cisco in depth:

"The Cisco "deny" ACL seems to quietly drop TCP/IP packets."

ASA-ACI-FW01/PRODUCTION(config)# access-list aaa line 3 extended ?
configure mode commands/options:
  deny    Specify packets to reject  --> Reject means drop the packet.
  permit  Specify packets to forward

It does not send an answer.
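The following evaluator, added here as an example and not code from this thread or from Cisco, walks an ASA-style extended ACL the way the replies above assume: entries are checked top to bottom, the first match decides, "line N" inserts an entry in front of the current entry N (so the echo / echo-reply / unreachable entries from the first reply land ahead of an existing permit), anything that matches nothing falls to the implicit deny at the end, and a denied packet is dropped with no reply generated toward the sender. The ACL name, the host addresses standing in for A and B, the extra host C and the packets are all constructed sample data, and only the "host X" / "any" address forms and the ICMP type keywords used in the thread are parsed.

```python
"""First-match evaluator for ASA-style extended ACLs (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type keywords accepted on icmp entries in this toy, mapped to type numbers.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}


@dataclass
class Packet:
    proto: str                      # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None  # only meaningful for proto == "icmp"


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # host address or "any"
    dst: str
    icmp_type: Optional[int]        # None = any ICMP type
    log: bool

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.proto == "icmp" and self.icmp_type is not None:
            return self.icmp_type == pkt.icmp_type
        return True


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume 'host X' or 'any' starting at tok[i]; return (address, next index)."""
    if tok[i] == "host":
        return tok[i + 1], i + 2
    if tok[i] == "any":
        return "any", i + 1
    raise ValueError(f"unsupported address form at {tok[i]!r}")


def parse_ace(line: str) -> Tuple[str, Optional[int], Ace]:
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [ICMPTYPE] [log]'.
    Returns (ACL name, requested line position or None, entry)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, i, pos = tok[1], 2, None
    if tok[i] == "line":
        pos, i = int(tok[i + 1]), i + 2
    if tok[i] != "extended":
        raise ValueError("only extended entries are supported")
    action, proto, i = tok[i + 1], tok[i + 2], i + 3
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    icmp_type, log = None, False
    for t in tok[i:]:
        if t == "log":
            log = True
        elif proto == "icmp" and t in ICMP_TYPES:
            icmp_type = ICMP_TYPES[t]
        else:
            raise ValueError(f"unsupported token {t!r}")
    return name, pos, Ace(action, proto, src, dst, icmp_type, log)


class Acl:
    def __init__(self, name: str):
        self.name = name
        self.aces: List[Ace] = []

    def add(self, line: str) -> None:
        name, pos, ace = parse_ace(line)
        if name != self.name:
            raise ValueError(f"entry belongs to ACL {name!r}, not {self.name!r}")
        # 'line N' inserts in front of current entry N; no line number (or one past
        # the end, a modelling choice here) appends.
        if pos is None or pos > len(self.aces):
            self.aces.append(ace)
        else:
            self.aces.insert(pos - 1, ace)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int], bool]:
        """First match wins: returns (action, matching line number, logged).
        No match means the implicit deny at the end: line None, not logged."""
        for n, ace in enumerate(self.aces, start=1):
            if ace.matches(pkt):
                return ace.action, n, ace.log
        return "deny", None, False

    def transit(self, pkt: Packet) -> List[Packet]:
        """What leaves the firewall because of pkt: the packet itself if permitted,
        nothing at all if denied (no ICMP unreachable is synthesised for the sender)."""
        action, _, _ = self.evaluate(pkt)
        return [pkt] if action == "permit" else []


A, B, C = "10.0.0.10", "10.0.0.20", "10.0.0.30"   # constructed hosts standing in for A, B and a third host


def build_inside_in() -> Acl:
    """Constructed ACL: one existing deny, a catch-all permit, then the thread's three inserted lines."""
    acl = Acl("inside_in")
    acl.add(f"access-list inside_in extended deny ip host {A} host {C} log")      # line 1
    acl.add("access-list inside_in extended permit ip any any")                   # line 2 for now
    acl.add(f"access-list inside_in line 2 extended deny icmp host {A} host {B} echo log")
    acl.add(f"access-list inside_in line 3 extended deny icmp host {A} host {B} echo-reply log")
    acl.add(f"access-list inside_in line 4 extended deny icmp host {A} host {B} unreachable log")
    return acl   # the permit has been pushed down to line 5


if __name__ == "__main__":
    acl = build_inside_in()
    for pkt in (Packet("icmp", A, B, 8), Packet("icmp", A, B, 11), Packet("tcp", A, B)):
        print(pkt, "->", acl.evaluate(pkt), "emits", acl.transit(pkt))
```

Running it shows the point of the thread in miniature: an echo from A to B hits the inserted line 2 and nothing leaves the firewall in either direction, while an ICMP type the three type-specific lines do not name (time-exceeded, type 11 in the sample) falls through to the permit, which is the difference between the type-specific entries from the first reply and the original "deny icmp host A host B" without a type.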
