Cisco ACL – Blocking Connections with ICMP or RST

aclcisco

The Cisco "deny" ACL seems to quietly drop TCP/IP packets. Is it possible for it to send either ICMP responses or TCP RST's in response to a denied request?

Best Answer

Short answer: no. Cisco IP Access Lists can only "permit" or "deny" (drop) packets.

Edit: I stand corrected. Configuring IP Unreachables on the interface results in an ICMP-unreachable message when the packet is dropped.

interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 ip access-group 101 in
 ip unreachables
end

Related Solutions

How to decipher dropped packet from packet-tracer output

Implicit Rule and AAAA being the in and out interface... That's called hair-pinning, and it's generally not allowed. It works on my asa, but I have the following enabled:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Cisco ACL – ACL Question: Access-List Permit IP Any Any

Referring to IP in an access list refers to all IP based protocols. You have denied echo replies but all other messages as ICMP redirect, time exceeded, fragmentation needed, echo would be allowed through.

Other IP based protocols such as OSPF would also be allowed to pass through with your ACL.

Best Answer

Related Solutions

How to decipher dropped packet from packet-tracer output

Cisco ACL – ACL Question: Access-List Permit IP Any Any

Related Topic