R1(config)#access-list 1
R1(config)#Deny 20.1.1.1
R1(config)#Permit any
R1(config)# int s0/0
R1(config-if)#ip access-group 1 in
When I try to ping 10.1.1.1 it returns U.U.U, which means destination host unreachable.
The only thing you can do is add no ip unreachables to Serial0/0. This would make pings simply time out instead of receiving an ICMP admin prohibited message when packets are denied on the serial interface.
Examples:
The following examples illustrate what happens:
- When ROUTER1 pings ROUTER2:Gi0/0, ROUTER2 denies ROUTER1 via acl 166, and ip unreachables is configured on Gi0/0
- When ROUTER1 pings ROUTER2:Gi0/0, ROUTER2 denies ROUTER1 via acl 166, and no ip unreachables is configured on Gi0/0
With ip unreachables (which is the default) on the interface
On the router with the ACL...
ROUTER2#sh runn | i access-list 166
access-list 166 deny ip host 192.0.2.111 any
access-list 166 permit ip any any
ROUTER2#sh runn int gi0/0
!
interface GigabitEthernet0/0
ip address 192.0.2.29 255.255.255.0
ip access-group 166 in
no ip redirects
no ip proxy-arp
And on the host being blocked...
ROUTER1#debug ip icmp
ROUTER1#ping 192.0.2.29 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
U.U.U
Success rate is 0 percent (0/5)
ROUTER1#sh log | i administrat
Jan 16 11:02:29.251 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:31.255 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:33.263 CST: ICMP: dst (192.0.2.111) administratively prohibited unreachable rcv from 192.0.2.29
With no ip unreachables
Adding no ip unreachables on ROUTER2...
ROUTER2#conf t
ROUTER2(config)#int gi0/0
ROUTER2(config-if)#no ip unreach
Now the pings fail silently...
ROUTER1#ping 192.0.2.29 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
.....
Success rate is 0 percent (0/5)
ROUTER1#
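The two runs above differ only in whether ROUTER2 tells the blocked host why its packets were dropped. The following is an added example, not from the thread: it builds the ICMP Destination Unreachable message (type 3, code 13, "communication administratively prohibited") that an IOS router returns for an ACL deny, decodes such a message to recover which packet was blocked, parses log lines in the shape of the debug ip icmp output quoted above to count which router is rejecting probes, and interprets the per-probe marks of IOS ping. The addresses and the quoted echo request are constructed to match the thread's lab (192.0.2.111 probing 192.0.2.29); the function names are this example's own.

```python
import re
import struct
from collections import Counter

# Added example (not from the thread): decode the ICMP feedback a blocked host
# receives when an IOS ACL denies its packets and 'ip unreachables' is in effect.
ICMP_DEST_UNREACH = 3
# Type 3 codes from RFC 792 / RFC 1812; IOS uses code 13 for an ACL deny.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 for a valid complete message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code: int, offending_datagram: bytes) -> bytes:
    """ICMP type 3 message as a router generates it: an 8-byte ICMP header followed
    by the dropped datagram's IP header and the first 8 bytes of its payload."""
    body = offending_datagram[:28]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + body


def parse_unreachable(msg: bytes) -> dict:
    """Validate an ICMP unreachable and report who was blocked talking to whom."""
    if len(msg) < 28:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _ = struct.unpack("!BBHI", msg[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message (type %d)" % itype)
    quoted = msg[8:]  # IP header of the packet the router dropped
    return {
        "code": code,
        "reason": UNREACH_CODES.get(code, "other (%d)" % code),
        "blocked_src": ".".join(str(b) for b in quoted[12:16]),
        "blocked_dst": ".".join(str(b) for b in quoted[16:20]),
        "blocked_proto": quoted[9],
    }


# Matches lines in the shape of the 'debug ip icmp' output quoted in the thread.
DEBUG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+ \w+): ICMP: dst \((?P<dst>[\d.]+)\) "
    r"(?P<reason>.+?) unreachable rcv from (?P<router>[\d.]+)$"
)


def unreachables_by_router(log_text: str) -> Counter:
    """Count (router, reason) pairs: which device is answering our probes and why."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if m:
            hits[(m["router"], m["reason"])] += 1
    return hits


def classify_ping(marks: str) -> str:
    """Interpret IOS ping result characters: '!' reply, '.' timeout, 'U' unreachable."""
    marks = marks.strip()
    if not marks or not set(marks) <= set("!.U"):
        raise ValueError("unexpected ping marks: %r" % marks)
    if "U" in marks:
        return "filtered with feedback"   # a router sent ICMP unreachables
    if "!" in marks:
        return "reachable"
    return "silent drop or timeout"       # 'no ip unreachables', or no path at all


# Constructed sample: the echo request 192.0.2.111 -> 192.0.2.29 that the ACL denied
# (20-byte IPv4 header, protocol 1, followed by the first 8 bytes of the ICMP echo).
OFFENDING = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 84, 0x1234, 0, 255, 1, 0,
    bytes([192, 0, 2, 111]), bytes([192, 0, 2, 29]),
) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    print(parse_unreachable(build_unreachable(13, OFFENDING)))
    print(classify_ping("U.U.U"), "/", classify_ping("....."))
```

The quoted IP header inside the unreachable is what lets a host (or a monitoring script reading its ICMP socket) attribute a "U" to a specific blocked flow and a specific filtering router, which is exactly the information no ip unreachables withholds. Note that the command suppresses every type 3 code the interface would generate, including code 4 (fragmentation needed), on which path MTU discovery depends, so hosts behind such an interface can see stalled large transfers as well as silent pings.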
The issue has been resolved! I analyzed the non-working hosts' ARP tables and found that the ASA's MAC address had changed. I decreased the ASA's log verbosity to Warning level, rebooted it, and got a message during boot:
IP address collision detected between host 192.168.0.1 at f80f.4197.a18d and interface inside
So I found the host with the noted MAC. Although it has a different IP address and is a separate point to investigate, disconnecting the host immediately resolves the issue.
Best Answer
It sounds like you only want to allow an inside address to establish a TCP connection. If you use NAT from your privately addressed network to the public Internet, it is stateful, and it works the way you seem to want.
If you have public addresses on both sides of your router, you could do something like this (there are multiple ways this could look, depending on exactly what you want to do):
This will allow inside hosts to originate TCP connections to outside hosts, and allow the outside hosts to respond on the established connections, but it will block any other traffic from the outside.
Cisco maintains many documents for things like this (just search). For example, Configure Commonly Used IP ACLs:
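The configuration the answer refers to did not survive in this copy. The behaviour it describes (inside hosts originate TCP connections, outside hosts may only respond) is what the IOS established keyword on an inbound ACL gives, and that keyword matches any TCP segment with the ACK or RST bit set, with no memory of earlier packets; that is an assumption about the missing lines, not something the answer states. The following is an added example, not from the answer, that evaluates the same inbound segments against such a stateless rule and against a minimal stateful connection tracker of the kind a NAT device keeps, to show why the answer points at the stateful path. Addresses are constructed from the RFC 5737 documentation ranges; the class and function names are this example's own.

```python
from dataclasses import dataclass

# Added example (not from the answer): a stateless 'established'-style rule beside
# a minimal stateful tracker, both applied to the same outside -> inside segments.
ACK, RST, SYN = 0x10, 0x04, 0x02


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def acl_outside_in(seg: Segment) -> bool:
    """Stateless rule in the spirit of 'permit tcp any any established' followed by
    the implicit deny: permit when ACK or RST is set, regardless of any prior packet."""
    return bool(seg.flags & (ACK | RST))


class ConnTracker:
    """Minimal stateful filter: an outbound SYN from an inside address opens a flow,
    and an inbound segment is permitted only if it reverses an open flow."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.flows = set()

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def permit(self, seg: Segment) -> bool:
        if self.is_inside(seg.src):
            if seg.flags & SYN and not seg.flags & ACK:   # new outbound connection
                self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows


def evaluate(inbound: list, tracker: ConnTracker) -> list:
    """For each outside -> inside segment, return (stateless verdict, stateful verdict)."""
    return [(acl_outside_in(s), tracker.permit(s)) for s in inbound]


# Constructed sample traffic: an inside host opens one HTTPS connection, then three
# segments arrive from outside.
INSIDE, OUTSIDE = "192.0.2.10", "198.51.100.5"
tracker = ConnTracker("192.0.2.")
tracker.permit(Segment(INSIDE, 40000, OUTSIDE, 443, SYN))   # inside originates
INBOUND = [
    Segment(OUTSIDE, 443, INSIDE, 40000, SYN | ACK),   # reply on the open connection
    Segment(OUTSIDE, 5555, INSIDE, 22, SYN),            # unsolicited new connection
    Segment(OUTSIDE, 5555, INSIDE, 22, ACK),            # unsolicited, but ACK bit set
]

if __name__ == "__main__":
    for seg, (stateless, stateful) in zip(INBOUND, evaluate(INBOUND, tracker)):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} flags=0x{seg.flags:02x}"
              f"  established-rule={'permit' if stateless else 'deny'}"
              f"  stateful={'permit' if stateful else 'deny'}")
```

Both filters agree on the legitimate reply and on the unsolicited SYN; they part on the third segment, which the flag-based rule admits because it cannot know no inside host ever opened that connection. That difference is the reason to keep a stateful device (the NAT router the answer mentions, or a firewall) as the control rather than relying on the keyword alone, and why such an ACL should at least be paired with logging so unsolicited ACK traffic reaching inside hosts is visible.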