07-19-2015 09:50 AM - edited 03-08-2019 01:01 AM
Hi All,
I have one question regarding IP access-list logging. I have blocked IP access to one server with the following command:
deny ip host x.x.x.x any log (where x.x.x.x is the server IP).
Now if somebody tries to SSH to the server, SSH is denied, but the log shows that the access list denied ICMP traffic reaching the server (denie icmp x.x.x.x -> y.y.y.y (3/3)); y.y.y.y is the host from which the SSH connection is generated.
The ACL is applied on the server VLAN interface.
I fail to understand the reason behind this.
Could somebody help me please?
Regards,
Arijit
07-19-2015 10:28 AM
This is from RFC 792:
If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source host.
The server responds with an ICMP destination unreachable, port unreachable (which is type 3, code 3) when the server isn't configured to take the connection. This ICMP packet is denied by your ACL, which works in the same direction as this unreachable message.
In fact, with your ACL you don't deny traffic being sent to the server, but all traffic sent from the server.
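To make the direction of the match concrete, here is an added Python example (not from the thread or from Cisco) with constructed addresses standing in for x.x.x.x and y.y.y.y: it evaluates the ACE exactly as written against the client's SSH SYN and against the server's ICMP type 3 code 3 reply, and contrasts it with an ACE that names the server as the destination. It implements only the address and protocol matching the thread uses and does not model the interface direction the ACL is applied in.

```python
from dataclasses import dataclass

# Constructed addresses: SERVER plays x.x.x.x, CLIENT plays y.y.y.y.
SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # TCP/UDP destination port, 0 if not applicable
    icmp: tuple = ()    # (type, code) for ICMP, empty otherwise

def _match_addr(spec, addr):
    """Cisco-style address spec: 'any' or 'host A.B.C.D'."""
    if spec == "any":
        return True
    kind, value = spec.split()
    return kind == "host" and addr == value

def ace_matches(ace, pkt):
    """Evaluate one extended ACE such as 'deny ip host 192.0.2.10 any log'.
    Supported subset: protocol ip/tcp/udp/icmp, 'host X' or 'any' for source
    and destination; trailing keywords such as 'log' are ignored."""
    tokens = ace.split()
    proto = tokens[1]
    pos = 2
    def take():
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return "any"
        spec = " ".join(tokens[pos:pos + 2])   # 'host A.B.C.D'
        pos += 2
        return spec
    src, dst = take(), take()
    if proto != "ip" and proto != pkt.proto:
        return False
    return _match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)

def first_match(acl, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace
    return "implicit deny"

# The two packets from the thread: the inbound SSH SYN and the server's reply.
SSH_SYN = Packet(src=CLIENT, dst=SERVER, proto="tcp", dport=22)
PORT_UNREACH = Packet(src=SERVER, dst=CLIENT, proto="icmp", icmp=(3, 3))
```

Run `ace_matches("deny ip host 192.0.2.10 any log", SSH_SYN)` and the same call with `PORT_UNREACH` to see that only the server-sourced ICMP reply matches the ACE as written.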
07-19-2015 11:34 PM
Hi Karsten,
Thanks for your reply.
Could you please give me a detailed explanation of why it is producing the log "denying ICMP" for an incoming SSH (TCP port 22) connection?
Regards,
Arijit