Cisco – How to prevent IOS sending icmp unreachable with output ACL

Tags: acl, cisco, cisco-ios, nat, router

I have an output ACL applied on a WAN interface that permits only 1 IP from going out.

interface Cellular0
 ip address negotiate
 ip access-group allow100.98.170.25 out
 ip nat outside
 no ip unreachables
!
ip access-list extended allow100.98.170.25
 permit ip host 100.98.170.25 any
 deny   ip any any log
!

However, when the ACL drops the packet, it makes a loud drop and generates an ICMP unreachable. And because the packet is generated by the control plane, it is not blocked by the ACL.

And even though I have no ip unreachables, it does not work. It appears that I must apply it to the interface which originally received the packet, which could be coming from any LAN. If I do that, my LAN users will not get their ICMP unreachables for legitimate cases.

Is there a way to make ACL drop packets quietly?

If not, is there a way to blackhole post-NAT traffic not matching an ACL?

Best Answer

The ICMP unreachable message is generated by the router and sent back through the interface where the original traffic entered the router. Placing the no ip unreachables command on the outside interface does nothing for traffic entering the router on an inside interface. You will need to apply the command on the inside interface for traffic being blocked to the outside interface.

You place the command on the outside interface to block the ICMP message going out for traffic originating outside. You need to place the command on the interface to which the ICMP message would be sent back toward the traffic source. In your case, that appears to be the inside interface.
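The placement the answer describes, as an added configuration example that is not part of the original question or answer. The inside interface name (GigabitEthernet0/1) and its LAN addressing are assumptions; the outside interface and ACL are copied from the question unchanged.

```cisco
! Added example, not from the original post. The LAN interface name and
! 192.168.1.0/24 addressing are assumptions; substitute your own.
!
! Inside (LAN-facing) interface. The ICMP unreachable for a packet dropped by
! the outbound ACL is sent back out the interface the packet arrived on, so
! this is where the suppression has to go.
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip unreachables
!
! Outside interface, as in the question. "no ip unreachables" here only
! silences unreachables for traffic that entered from the WAN side.
interface Cellular0
 ip address negotiate
 ip access-group allow100.98.170.25 out
 ip nat outside
 no ip unreachables
!
ip access-list extended allow100.98.170.25
 permit ip host 100.98.170.25 any
 deny   ip any any log
!
```

To check the setting took effect, `show ip interface GigabitEthernet0/1 | include unreachables` should report that ICMP unreachables are never sent on that interface. If LAN traffic enters through more than one interface, the command is needed on each of them, and, as the question notes, it also suppresses legitimate unreachables for hosts behind those interfaces; the `deny ip any any log` entry still records the dropped packets, so you keep visibility of what the ACL is silently discarding.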