Cisco – Change Ping Response for Traffic Blocked by Access Control List

aclciscorouterSecurity

I am trying to ping a host, let's say 10.1.1.1, from 20.1.1.1.

I have created the ACL:

R1(config)#access-list 1
R1(config)#Deny 20.1.1.1 
R1(config)#Permit any
R1(config)# int s0/0
R1(config-if)#ip access-group 1 in

Never mind the configuration, I can deny the host 20.1.1.1 which tries to access 10.1.1.1.

Now when I try to ping 10.1.1.1 from 20.1.1.1, it returns U.U.U. This means destination host unreachable or it is blocked.

I don't want a malicious person to know that I have used an access-list to block him. I want to change this ICMP Request to be done so that when it throws the error message, it should not return U.U.U. It should read Destination Host Unreachable or anything better than this.

Kindly Suggest to me how to do this…Thank You

Best Answer

R1(config)#access-list 1
R1(config)#Deny 20.1.1.1 
R1(config)#Permit any
R1(config)# int s0/0
R1(config-if)#ip access-group 1 in
When i try to ping 10.1.1.1 it returns U.U.U -----> Which means destination host unreachable.

The only thing you can do is add no ip unreachables to Serial0/0. This would make pings simply timeout instead of receiving an ICMP admin prohibited message when packets are denied on the serial interface.

Examples:

The following examples illustrate what happens:

When ROUTER1 pings ROUTER2:Gi0/0, and ROUTER2 denies ROUTER1 via acl 166; ip unreachables is configured on Gi0/0
When ROUTER1 pings ROUTER2:G0/0, and ROUTER2 denies ROUTER1 via acl 166; no ip unreachables is configured on Gi0/0

With `ip unreachables` (which is the default) on the interface

On the router with the ACL...

ROUTER2#sh runn | i access-list 166
access-list 166 deny  ip host 192.0.2.111 any
access-list 166 permit ip any any
ROUTER2#sh runn int gi0/0
!
interface GigabitEthernet0/0
 ip address 192.0.2.29 255.255.255.0
 ip access-group 166 in
 no ip redirects
 no ip proxy-arp

And on the host being blocked...

ROUTER1#debug ip icmp
ROUTER1#ping 192.0.2.29 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
U.U.U
Success rate is 0 percent (0/5)
ROUTER1#sh log | i administrat
Jan 16 11:02:29.251 CST: ICMP: dst (192.0.2.111) administratively 
 prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:31.255 CST: ICMP: dst (192.0.2.111) administratively 
 prohibited unreachable rcv from 192.0.2.29
Jan 16 11:02:33.263 CST: ICMP: dst (192.0.2.111) administratively 
 prohibited unreachable rcv from 192.0.2.29

With `no ip unreachables`

Adding no ip unreachables on ROUTER2...

ROUTER2#conf t
ROUTER2(config)#int gi0/0
ROUTER2(config-if)#no ip unreach

Now the pings fail silently...

ROUTER1#ping 192.0.2.29 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.29, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.111
.....
Success rate is 0 percent (0/5)
ROUTER1#

Related Solutions

HP Procurve 5406zl – ACL issue

According to the Access Security Guide for your device, the first address and mask of an ACE is source and the second address and mask is the destination. (Just in case, an ACE is an Access Control Entry; that is any line an access-list is made of)

ACE 20 of your ACL states source 192.168.50.0/24 and destination 192.168.101.0/24, then you apply the ACL at VLAN 101 input; however, your VLAN 101 is 192.168.101.0/24, so any input traffic at VLAN 101 would have source address in 192.168.101.0/24. So ACE 20 in your ACL is wrong, you need an ACE with action permit, source 192.168.101.0/24 and destination 192.168.50.0/24.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255

Regarding the way back for this traffic, it will cross VLAN 101 outbound, so ACL should not be applied to this traffic and it should be allowed.

If traffic back is not allowed then you need to add the way back in your ACL.

ip access-list extended "SecureContent"
    10 permit ip 192.168.101.0 0.0.0.255 192.168.50.0 0.0.0.255
    20 permit ip 192.168.50.0 0.0.0.255 192.168.101.0 0.0.0.255

EDITED to change the line above to reflect proper ACL structure of numbered entries. (10, 20, etc).

Cisco ASA 5505 stop passing traffic randomly

The issue has been resolved! I have tried to analyze non-working hosts ARP tables and found ASA's MAC address change. Decreased ASA's log verbosity to Warning level, rebooted it and got a message during boot

IP address collision detected between host 192.168.0.1 at f80f.4197.a18d and interface inside

So found host with the MAC noted. Despite it has different IP address and it is separate point to investigate, host's disconnection immediately resolves the issue.

Best Answer

With ip unreachables (which is the default) on the interface

With no ip unreachables

Related Solutions

HP Procurve 5406zl – ACL issue

Cisco ASA 5505 stop passing traffic randomly

Related Topic

With `ip unreachables` (which is the default) on the interface

With `no ip unreachables`