Regarding the ip access-list logging

Arijit Das
Level 1

Hi All,

I have one question regarding IP access-list logging. I have blocked IP access of one server with the following command.

deny ip host x.x.x.x any log (where x.x.x.x is the server IP).

Now if somebody is trying to SSH to the server, SSH is denied, but the log is showing that the access list denied ICMP traffic to reach the server (denied icmp x.x.x.x -> y.y.y.y (3/3)). y.y.y.y is the host from where the SSH connection is generated.

The ACL is applied on the server VLAN interface.

I failed to understand the reason behind this.

Could somebody help me please?

Regards,

Arijit

2 Replies

This is from RFC 792:

      If, in the destination host, the IP module cannot deliver the
      datagram  because the indicated protocol module or process port is
      not active, the destination host may send a destination
      unreachable message to the source host.

 

The server responds with an ICMP destination unreachable, port unreachable (which is type 3, code 3) when the server isn't configured to take the connection. This ICMP packet is denied by your ACL, which works in the same direction as this unreachable message.

In fact, with your ACL you don't deny traffic being sent to the server, but all traffic sent from the server.
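To make the source/destination point concrete, here is an added toy evaluator (not part of this thread or any Cisco code) that walks the ACE from the question and a corrected one over the two packets involved. The addresses 192.0.2.10 (server) and 198.51.100.7 (client) are placeholders for x.x.x.x and y.y.y.y, and the log line only mimics the shape quoted in the post.

```python
# Constructed example: a toy evaluator for extended-ACL entries of the form
# "<permit|deny> <proto> <src> <dst> [log]", where an address is "any" or
# "host A.B.C.D". Placeholder addresses stand in for x.x.x.x and y.y.y.y.
SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"

def parse_ace(text):
    """Turn 'deny ip host 192.0.2.10 any log' into a dict of its fields."""
    tok = text.split()
    log = tok[-1] == "log"
    if log:
        tok = tok[:-1]
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take(ts):  # "host X" consumes two tokens, "any" consumes one
        return (f"host {ts[1]}", ts[2:]) if ts[0] == "host" else (ts[0], ts[1:])

    src, rest = take(rest)
    dst, _ = take(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "log": log}

def addr_matches(spec, addr):
    return spec == "any" or spec == f"host {addr}"

def evaluate(acl, pkt):
    """First-match evaluation; returns (action, log line or None)."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if addr_matches(ace["src"], pkt["src"]) and addr_matches(ace["dst"], pkt["dst"]):
            line = None
            if ace["log"]:  # same shape as the log line quoted in the question
                verb = "denied" if ace["action"] == "deny" else "permitted"
                line = f"{verb} {pkt['proto']} {pkt['src']} -> {pkt['dst']} {pkt['detail']}"
            return ace["action"], line
    return "deny", None  # implicit deny at the end of every Cisco ACL

# The ACE from the question (plus a trailing permit, assumed here) and the
# corrected form with the server in the destination position.
ORIGINAL_ACL = [parse_ace(f"deny ip host {SERVER} any log"), parse_ace("permit ip any any")]
CORRECTED_ACL = [parse_ace(f"deny ip any host {SERVER} log"), parse_ace("permit ip any any")]

# The inbound SSH SYN, and the ICMP type 3 / code 3 the server sends back.
SSH_SYN = {"proto": "tcp", "src": CLIENT, "dst": SERVER, "detail": "(22)"}
ICMP_PORT_UNREACH = {"proto": "icmp", "src": SERVER, "dst": CLIENT, "detail": "(3/3)"}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for pkt in (SSH_SYN, ICMP_PORT_UNREACH):
            print(name, evaluate(acl, pkt))
```

With the original ACE only the server-sourced ICMP reply is denied and logged; with the server in the destination position the SYN itself is denied, so the server never gets to answer.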

Hi Karsten,

Thanks for your reply.

Could you please give me a detailed view of why it is producing the log "denying ICMP" for an incoming SSH (TCP port 22) connection?

Regards,

Arijit
